IOS Exploitation Techniques Paper

["Andy Davis" <andy.davis () irmplc com>]

It has been more than a year since Michael Lynn first demonstrated a
reliable code execution exploit on Cisco IOS at Black Hat 2005. Although
his presentation received a lot of media coverage in the security
community, very little is known about the attack and the technical
details surrounding the IOS check_heaps() vulnerability. This paper is a
result of research carried out by IRM to analyse and understand the
check_heaps() attack and its impact on similar embedded devices.
Furthermore, it also helps developers understand security-specific
issues in embedded environments and developing mitigation strategies for
similar vulnerabilities. The paper primarily focuses on the techniques
developed for bypassing the check_heaps() process, which has
traditionally prevented reliable exploitation of memory-based overflows
on the IOS platform. Using inbuilt IOS commands, memory dumps and open
source tools IRM was able to recreate the vulnerability in a lab
environment. The paper is divided in three sections, which cover the
ICMPv6 source-link attack vector, IOS Operating System internals, and
finally the analysis of the attack itself.

 

The full paper can be downloaded from:

 

http://www.irmplc.com/index.php/69-Whitepapers

 

 

 

 

 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/