Welcome to the brave new world.

[holzman_tweed]

Some drama at Black Hat today. All of this is second hand, and I may be mistaken on the details.

This morning at 10 AM was scheduled a presentation entitled, "The Holy Grail: Cisco IOS Shellcode and Remote Execution," presented by one Michael Lynn. Originally, Mr. Lynn was apparently going to present a proof-of-concept exploit granting the access described in the title.

DHS put a stop to that plan last week. CDs had to be re-burned, presentation books were re-done, and the talk was changed to "an architectural overview of IOS and [exploration] of the feasibility of code execution against Cisco routers." When people showed up this morning, the slide that was on the screen was something about VoIP. I'm told Mr. Lynn began his speech with words along these lines: I was going to give the Cisco talk, but Cisco said they'd sue me if they did. Also, ISS said they'd fire me if I gave the Cisco talk. So here's the Cisco talk."

And then he gave it. Not the script, of course, I'm pretty sure that's now a matter of national security, and we'll have to wait for Karl Rove to leak it to the media because he's pissed at John T. Chambers. But it's now known that the vulnerability exists and that means someone will find it again. I've got no idea how long it'll take Cisco to fix it, or even how we'd know that it had been fixed unless they decide to publish the bug once it's fixed.

Of course, if there's one such bug, there may well be a second. I wonder how the person who discovers that one will proceed. I doubt they'll risk jail, suit, and firing by announcing they found it.

Comments

[perigee.livejournal.com]

If I found it, I'd probably publish it anonymously.

[vvalkyri.livejournal.com]

Not the script, of course, I'm pretty sure that's now a matter of national security, and we'll have to wait for Karl Rove to leak it to the media because he's pissed at John T. Chambers.

:dies:

More seriously, though, what exactly was the exploit supposed to do?

[holzman.livejournal.com]

The claim is that it would let someone get onto Cisco routers and execute commands without actually having permission to do so.

[holzman.livejournal.com]

I know this is vague, but I haven't had coffee yet.

[docstrange.livejournal.com]

But it's now known that the vulnerability exists and that means someone will find it again.

There is no unpatched vulnerability in his presentation. This is a misconception that's getting very very broad play. His demo used an OLD vulnerability to demonstrate something NEW. The vuln he used was patched and the patch released in March.

That new thing is that he found a way around Cisco IOS's check_heaps process, which will reboot the device if the heap is messed up (as many of the exploits use heap overflows, this is a big 'problem' for exploit writers). By finding a way around it, he has exposed an *entire class* of bugs as exploitable vulnerabilities on IOS.

So, he was not doing the world a favor by exposing a bug Cisco was sitting on. An issue with their heap protection (which is for device stability, more than security, I think), sure. A new hole, no. In many respects it's bigger than a new hole - like I said, this presentation has exposed a whole class of bugs as exploitable. No wonder Cisco's pissed he released it.

[holzman.livejournal.com]

Thanks for the additional detail -- I had attended a different track in that time slot, else I'd have given a first hand account, and the discussions afterward didn't discuss the technology as much.

[docstrange.livejournal.com]

Sure thing. Where did you hear the DHS angle? I'm on a list that's had some intense discussion but no mention of DHS being involved....

[docstrange.livejournal.com]

Update: Yeah, I've now heard from a close source that DHS asked for it to be kept back.

[holzman.livejournal.com]

That's scuttlebutt I got from people in the halls and bars.

[vvalkyri.livejournal.com]

Thanks for the further explanation.

Not to show myself up as an idiot or anything, but this stuff is outside my experience. Tell me more about heaps and the IOS? Is a heap like a stack? Things the router has in its queue to do?

And what sort of things might one do once one is able to send commands to the router? Presumably worse things than making the router reboot...

Could you point me at some layman+ level info? I understand what routers do and how they differ from switches and hubs, but beyond counting how many of them are between my servers and the machines generating our captured data they're outside the scope of what I do. If things go wrong with them it's the customer's IT folks who troubleshoot and fix, not me.

[docstrange.livejournal.com]

Heap in this context is kind of like stack - it's a way of allocating memory for certain uses; for example, for variables of indeterminate size. See http://en.wikipedia.org/wiki/Heap_%28programming%29

With full control of the router, one could change routes, change packet filter tables, add accounts to the router, reroute authentication requests (e.g., RADIUS logins) to a host that will record them, cause traffic to be selectively monitored (remotely even via rmon), and backdoor the system. Mostly, routers 'route' but they're also access devices (dialup, PPTP, VPN, and even for DSL), security gateways performing filtering, intrusion detection devices, and perform a variety of dynamic network control (via routing protocols like BGP, via HSRP/VRRP failover, via source-based routing, and VPN and other storts of traffic tunnels).

[cosinejeremiah.livejournal.com]

So is he fired yet?

[holzman.livejournal.com]

He in fact quit. Cisco has sued him, and a federal judge has enjoined him from ever again discussing the vulnerability he discovered. Cisco's Lawyers are now chasing all over the internet issuing cease and desist orders to anyone who posts a copy on the Internet, claiming it to be trade secrets and copyrighted information.

Because, of course, that strategy has worked so well for the Scientologists.

A google search for "Mike Lynn" will give more details. It'll even find you some copies of the presentation, which I suspect will run all over the Internet for a long time... not to mention be stored offline and passed around.