RE: Cisco PSIRT response on IRM Demonstrates Multiple Cisco IOS Exploitation Techniques

["Andy Davis" <andy.davis () irmplc com>]

Halvar,

Please let me clarify some misconceptions currently being spread by the
Cisco "media machine":

All three techniques demonstrated in the videos are shellcode payloads
written in PowerPC assembly language (for the Cisco 2600 series
routers). They are being demonstrated from within gdb rather than as the
payloads to actual exploits.

ANY Cisco IOS vulnerability that can result in arbitrary code execution
(heap/stack overflow etc.) can potentially be exploited using any of
these three exploits payloads. Furthermore, if an IOS vulnerability is
being exploited:

- console access is NOT required
- the enable password is NOT required
- the debugger does NOT need to be enabled

An example of a remote memory corruption vulnerability, which may
potentially be able to be exploited using these payloads is the IOS LPD
remote stack overflow vulnerability
(http://www.irmplc.com/index.php/155-Advisory-024) that we released
earlier today.

We should be releasing hi-res versions of the videos at some stage in
the next 24 hours at
http://www.irmplc.com/index.php/153-Embedded-Systems-Security. 

I hope that makes things a bit clearer for everyone

Cheers,

Andy 

-----Original Message-----
From: Halvar Flake [mailto:halvar.flake () sabre-security com] 
Sent: 11 October 2007 20:25
To: Gaus; bugtraq () securityfocus com
Cc: gaus () cisco com
Subject: Re: Cisco PSIRT response on IRM Demonstrates Multiple Cisco IOS
Exploitation Techniques

So in short, they are demonstrating that 

* IF you have console access
* AND the enable password
* AND you enable the debugger

you can execute code ?

So all in all, it's a complete non-issue ?

Cheers,
Halvar