Re: Lynn / Cisco shellcode

[Anthony Zboralski <anthony.zboralski () bellua com>]

On 29 Jul 2005, at 21:57, surreal () delusory org wrote:


> Mike stated clearly and more than once that he didn't have access to
> source. You can choose to believe whatever you want, and  
> unfortunately,
> there's no record to refute all the BS out now.
>
> He mentioned that the source *had* been stolen twice in recent  
> history,
> but he didn't have any source code.  He also explained how you can

True, everyone and his dog has IOS 11 & 12 and PIX 4, 5 & 6 source code.
IOS 11 was even released by a warez group...

What's even funnier is the case of Huawei Technology with $2.4  
billion in sales both within China:

Mark Chandler, Cisco's general counsel, said the main reason for the  
suit was the discovery that Huawei was using the same source code for  
the software powering its routers. The code, called IOS (internetwork  
operating system), is the crown jewel of Cisco's technology. "Over  
the past year we had more and more of a case," he says, citing such  
things as the identical command lines and user manuals between Cisco  
and Huawei products. "But several months ago we realized the source  
code was copied--that's when we began direct negotiation." Huawei  
officials were receptive to negotiations, he said, but never changed  
their practices.

Anyone has access to a Huawei router? I wonder if they had snmp  
support in them as the source for snmp has to be generated
from the MIBs with an unreleased snmp research tools.


> google up instructions (in Chinese) on hooking a debugger to the
> router, and how handy the 'dump memory' command is - he asked if  
> anyone
> had legitimately used "dump memory" in their work and one (1)  
> person in
> the audience raised his hand.

this one? http://www.xfocus.net/articles/200307/583.html
It is funny how the only mirrors left are in china :)
http://www.google.com/search?hl=en&lr=&safe=off&client=safari&rls=en- 
us&q=ciscox+gdb&btnG=Search

My goal was to be able to hide specific interfaces on a router by  
toggling a flag in a memory.
These notes were a bit lame; right after I left for Asia and forgot  
to bring the small cisco 1600 with me.

    No IOS platform built on the M68k family uses versions of the  
CPU that
        have full MMU support. Hence there is no hardware support  
for write
        protecting the text segment of the IOS image. The system  
does checksum
        the text segment (every 30 seconds) and will crash if the  
checksum is
        incorrect. However, finding the offending code is hard.
mips
        At init time, the IOS programs the MMU of these processors  
to provide
        write protection of the text segment. If any code tries to  
write
        into the code space, the system will crash with a segmentation
        violation.

        However the protection is not completely foolproof, although  
very
        good. The physical memory in which the code sits is mapped  
into other
        segments of the address space and is writable through those  
segments.


> It's unfortunate that the talk has been censored out of existence. He
> had generally complimentary things to say about Cisco coders and ISS,
> and nothing you could walk away with and 0wn the internet without
> months of work *and* a time machine.  Well, he touched on how Cisco is
> poised to lower the bar for future attackers by virtualizing the ...
> (memory error) so that all offsets will be identical across their
> hardware line; that doesn't bode well.
>
> If people could watch the video and see what he *actually* said and  
> did,
> they'd chill.
>
> I gotta go stand in line in the heat now ;-)
>
> Surreal
>
>
> > From: "Thor Larholm" <thor () pivx com>
> >
> >
> > > > While Lynn worked at ISS he was doing a source code analysis for
> > Cisco.
> >
> >
> >
> > > uh, no he didn't. where did you pull this idea from?
> >
> >
> >
> > > From the press, from the rumour mill, from everybody who was  
> > > actually
> > talking about it.
> >
> > It made a lot of sense that Lynn would have done a source code  
> > analysis
> > and thus simply have broken his NDA. I choose to believe this as it
> > would mean Cisco and ISS were not trying to silence security  
> > research,
> > especially considering that the people attending the show did not  
> > talk
> > about any new vulnerabilities being disclosed, just OIS system
> > internals. In other words, I'm giving you the benefit of doubt,  
> > trusting
> > that you simply handled the press situation badly.
> >
> > Cisco and ISS didn't talk about any specifics, but I would love to  
> > hear
> > you explain what actually happened. Or at least point us to copies of
> > the lawsuit. We're all just curious about what could necessitate the
> > need for silence.
> >
> >
> >
> > Regards
> >
> > Thor Larholm
> > Senior Security Researcher
> > PivX Solutions
> > 23 Corporate Plaza #280
> > Newport Beach, CA 92660
> > http://www.pivx.com
> > thor () pivx com
> > Stock symbol: (PIVX.OB)
> > Phone: +1 (949) 231-8496
> > PGP: 0x4207AEE9
> > B5AB D1A4 D4FD 5731 89D6  20CD 5BDB 3D99 4207 AEE9
> >
> > PivX defines a new genre in Desktop Security: Proactive Threat
> > Mitigation.
> > <http://www.pivx.com/qwikfix>
> > _______________________________________________
> > Dailydave mailing list
> > Dailydave () lists immunitysec com
> > https://lists.immunitysec.com/mailman/listinfo/dailydave
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> https://lists.immunitysec.com/mailman/listinfo/dailydave


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave