
RE: Cisco PSIRT response on IRM Demonstrates Multiple Cisco IOS Exploitation Techniques



Yes it does. However, if ACLs have been applied to all available VTY
lines on the router then a third memory overwrite is required to remove
the ACL on the VTY line to which you'd like to connect - this is
straightforward to do.

Andy

________________________________________
From: Abuse 007 [mailto:abuse007@xxxxxxxxx] 
Sent: 16 October 2007 16:37
To: Andy Davis
Cc: Halvar Flake; bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Cisco PSIRT response on IRM Demonstrates Multiple Cisco IOS Exploitation Techniques

Hi Andy,

What if the VTY has a password on it, in addition to an ACL and the
privilege level?
Does the tiny-shell exploit also overcome this obstacle?

Cheers.
On 10/11/07, Andy Davis <andy.davis@xxxxxxxxxx> wrote:
Halvar,

The primary objective of the research was to understand how to create a
remote high privilege shell on IOS (as Michael Lynn demonstrated at
BlackHat 2005) - this was achieved and in the process, we discovered 
three ways of doing it. Because we had worked out how to use gdb with
IOS, the easiest way for us to develop the shellcode was by using gdb to
upload the code to some spare IOS memory and hook into an IOS process 
that was already running to execute it.

The secondary objective was making the shellcode as compact as possible,
with as few hard-coded function addresses as possible
(due to the monolithic nature of IOS - every version will have these 
functions at slightly different addresses). During this process we
discovered the "tiny shell" technique (demonstrated in one of the
videos) - all that is required to gain a remote shell on IOS (that has 
at least one VTY enabled) is two 1-byte memory overwrites. The first
byte modification removes access control to the VTY and the second
privilege escalates to Level 15.

Personally I think these techniques are pretty cool and we're really pleased
with the results of the research - I think it may be clearer to everyone
when we release the higher resolution videos that are easier to watch.

Cheers,

Andy

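The two messages above turn on the same configuration facts: whether every VTY line carries an inbound access-class, whether login is required, and whether a VTY hands out privilege level 15 on connect. The following is an added example, not code from IRM, Cisco or anyone in this thread: a small auditor that parses the `line vty` stanzas of a `show running-config` dump and reports those three properties per VTY range. The sample configuration embedded in it is constructed for illustration, and the stanza layout it assumes (a top-level `line vty A B` command followed by indented sub-commands, terminated by `!` or the next top-level command) is the usual IOS text format.

```python
import re

# Constructed sample 'show running-config' excerpt (not from the thread):
# vty 0-4 is hardened, vty 5-15 is not.
SAMPLE_CONFIG = """\
!
line con 0
 logging synchronous
line vty 0 4
 access-class 10 in
 password 7 0822455D0A16
 login
line vty 5 15
 privilege level 15
 no login
!
end
"""

VTY_RE = re.compile(r"line vty (\d+) (\d+)$")


def parse_vty_stanzas(config):
    """Yield (range_label, sub_commands) for every 'line vty A B' stanza.

    IOS prints each line stanza as a top-level 'line ...' command followed by
    indented sub-commands; '!' or another top-level command ends the stanza.
    """
    label, cmds = None, []
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith(" ") and label is not None:
            cmds.append(line.strip())
            continue
        if label is not None:          # a top-level line ends the open stanza
            yield label, cmds
            label, cmds = None, []
        m = VTY_RE.match(line)
        if m:
            label = f"{m.group(1)}-{m.group(2)}"
    if label is not None:
        yield label, cmds


def audit_vty(config):
    """Return {range_label: [findings]}; an empty list means nothing flagged."""
    report = {}
    for label, cmds in parse_vty_stanzas(config):
        issues = []
        # 1. Inbound ACL: per the thread, an attacker who cannot find an
        #    ACL-free VTY needs an extra memory overwrite to remove one.
        if not any(re.match(r"access-class \S+ in\b", c) for c in cmds):
            issues.append("no inbound access-class")
        # 2. Authentication: 'no login' (or no login command at all) lets a
        #    connection drop straight to an exec prompt.
        if not any(c == "login" or c.startswith("login ") for c in cmds):
            issues.append("login not required")
        # 3. Privilege: 'privilege level 15' grants enable-level exec on
        #    connect, the same end state the second byte overwrite produces.
        for c in cmds:
            m = re.match(r"privilege level (\d+)$", c)
            if m and int(m.group(1)) >= 15:
                issues.append("privilege level 15 on connect")
        report[label] = issues
    return report


def unprotected_vtys(config):
    """VTY ranges missing an inbound ACL.  Any non-empty result matters:
    one reachable, un-ACL'd VTY is enough for the two-byte technique."""
    return [label for label, issues in audit_vty(config).items()
            if "no inbound access-class" in issues]


if __name__ == "__main__":
    for label, issues in audit_vty(SAMPLE_CONFIG).items():
        print(f"line vty {label}: {', '.join(issues) or 'ok'}")
```

Run it against a saved running-config instead of `SAMPLE_CONFIG` to see which VTY ranges would let an attacker skip the ACL-removal write; the point of `unprotected_vtys` is that the check is only useful when it comes back empty, since the attacker picks the weakest VTY, not the average one.
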
-----Original Message-----
From: Halvar Flake [mailto: halvar.flake@xxxxxxxxxxxxxxxxxx]
Sent: 12 October 2007 07:32
To: Andy Davis; bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Cisco PSIRT response on IRM Demonstrates Multiple Cisco IOS Exploitation Techniques

Hey Andy,

thanks. So the core of IRM's work is "ways of getting a Cisco shell over
the network with a small/minimal number of hardcoded addresses"?

Cheers, 
Halvar