Re: Hack Simplifies Cisco Router Attack -

From: Bogdan Sass (bogdan.sass@catc.ro)
Date: Mon Jan 26 2009 - 13:17:57 ARST


Darby Weaver wrote:
> Remember - it's not the IOS that they are trying to take advantage of...
>
> It's the underlying "C" Code...

    Sorry, but that's just wrong.

    While I believe that a "proof of concept" attack is more than just
"blowing smoke up various body parts" (I'm thinking of the various
papers saying that "MD5 /might/ be cracked" only months before an actual
real-life attack was published), I didn't reply to your previous e-mail
- I believe that everybody is entitled to his own opinion about this,
and if you want to believe that the paper is just FUD, it is your right.

    However, the statement above is just wrong. There is no "C code" on
your routers - it's only machine-level code, generated by a compiler
from C source code. What the attacks target is the internal memory write
routines, not code that doesn't exist anymore.
    The fact that most documentation on this mentions C functions (like
sprintf(), or gets() ) is just an example, used because most coders are
familiar with the language. The problem is that the /internal
implementation/ of these functions doesn't perform any checks on the
input length - hence, the machine code that results from compiling such
a function doesn't perform those checks either. Which makes the code
vulnerable to buffer overflow attacks.
    The code could be just as well written in any other language,
assembler, or directly into machine code - if no checks are performed on
the input (and the compiler doesn't add such checks), the result would
be just as vulnerable to buffer overflow attacks.

> And Cisco has done a pretty good job of checking IOS's before we can
> run them - so much that if they are incorrect our devices crash and
> tell us quickly enough.
   This is like saying "Microsoft has done a good job with Vista* - it
is so well written that it just crashes when something goes wrong" :))
    [ *if you happen to like Vista, just insert your favorite MS
operating system here. WinME, anyone? :P ]

    The fact that an operating system crashes doesn't usually mean that
"it has been well checked" :)

-- 
Bogdan Sass
CCAI,CCSP,JNCIA-ER,CCIE #22221 (RS)
Information Systems Security Professional
"Curiosity was framed - ignorance killed the cat"
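
An added illustration of the point made in the message above (not part of the original e-mail): the same byte-copy routine with and without a length check, run over one flat memory region. The layout, function names and "SAFE" marker are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed layout: one flat memory region, as the CPU sees it.
   Bytes 0..15 are the input buffer, bytes 16..19 hold adjacent state. */
#define BUF_LEN   16
#define STATE_OFF 16
#define MEM_LEN   32

/* Reset the region and place a known marker in the adjacent state. */
void init_mem(unsigned char *mem)
{
    memset(mem, 0, MEM_LEN);
    memcpy(mem + STATE_OFF, "SAFE", 4);
}

/* Returns 1 if the adjacent state bytes still hold the marker. */
int state_intact(const unsigned char *mem)
{
    return memcmp(mem + STATE_OFF, "SAFE", 4) == 0;
}

/* Copies until the terminating NUL with no check against BUF_LEN, the
   way gets()/sprintf()-style routines behave once compiled. The only
   bound is the end of the demo region, which keeps this well-defined. */
size_t copy_unchecked(unsigned char *mem, const char *input)
{
    size_t i = 0;
    while (input[i] != '\0' && i < MEM_LEN - 1) {
        mem[i] = (unsigned char)input[i];
        i++;
    }
    mem[i] = '\0';
    return i;
}

/* Same copy with the missing check added: input that does not fit
   in the buffer is rejected and nothing is written. */
int copy_checked(unsigned char *mem, const char *input)
{
    size_t len = strlen(input);
    if (len >= BUF_LEN)
        return -1;
    memcpy(mem, input, len + 1);
    return 0;
}
```

Neither routine knows which source language produced it; only the presence of the length comparison decides whether the bytes after the buffer survive.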
