Re: [Full-disclosure] Cisco IOS Shellcode Presentation
- To: Valdis.Kletnieks@xxxxxx
- Subject: Re: [Full-disclosure] Cisco IOS Shellcode Presentation
- From: "lsi" <stuart@xxxxxxxxxxxxxx>
- Date: Sat, 30 Jul 2005 13:21:52 +0100
> Just store the program in a frikking *ROM*, and disallow execution of
> opcodes from RAM. It's called a Harvard architecture.
The problem with this will be speed, will it not? It could be cached
into RAM - but then it would be modifiable ...
I also have a query relating to the assertion by Lynn that worms
would be difficult to make, because different firmware has different
offsets. Surely this would be as simple as looping through a list:
    if (firmware == x) { attackstring = ABC }
    elseif (firmware == y) { attackstring = DEF }
    elseif (firmware == z) { attackstring = GHI }
...
etc
Finally, I note from the narrative on tomsnetworking that while the
presentation did not describe exactly how to make an attack script
that gets root, it nonetheless showed off exactly that. "At the
beginning of his talk, Michael Lynn connected to a Cisco router, ran
his shell script and obtained the "enable" prompt." [1]
I thus conclude it's only a matter of time before an "autorooter" is
developed for use against a wide variety of routers.
The window of vulnerability, which is at least three weeks old,
opened wide on the 27th, and remains so. No amount of legal
posturing by anybody can change this.
[1] http://www.tomsnetworking.com/Sections-article131-page4.php
---
Stuart Udall
stuart at@xxxxxxxxxxxxxx net - http://www.cyberdelix.net/
---
* Origin: lsi: revolution through evolution (192:168/0.2)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/