26
2009
Cisco IOS: Attack & Defense
Surfing the web, I have found a nice talk on Cisco IOS Forensics and Exploits, explained during the 25C3: “Cisco IOS Attack & Defense – The State of the Art”.
What is 25C3?
The 25th Chaos Communication Congress (25C3) is the annual four-day conference organized by the Chaos Computer Club (CCC). It takes place at the bcc Berliner Congress Center in Berlin, Germany. The Congress offers lectures and workshops on a multitude of topics and attracts a diverse audience of thousands of hackers, scientists, artists, and utopians from all around the world.
Here is a summary written by FX:
“To summarize the presentation given at the 25C3, the work is aimed at the possibility of performing forensic analysis for Cisco IOS devices. We identified a complete lack of tools and methods for detection of compromised network equipment approximately two years back. With the rise in sophistication on the attacker side, it became important to develop tools and methods so that successful or failed attempts to compromise routers could be detected. The result of this research was the Recurity Labs tool CIR (Cisco Incident Response), which is a free memory dump analyzer provided at http://cir.recurity-labs.com.
To be able to take this tool forward, we also needed to better understand how a well-resourced attacking organization would actually implement IOS exploits.
The most obvious difference between the publicly available exploits and the anticipated professional attacker was that the public exploits depend on static address space layout. On common operating systems like Windows or Linux, this is the default and intentionally randomized by ASLR. On Cisco IOS, the diversity of operating system images makes randomness the default. Accordingly, we researched how so-called image independent code execution could work and found code fragments from the System Bootstrap to be at a stable address. By using chunks of the existing System Bootstrap code, we were able to craft a stack layout that would execute two arbitrary memory writes and disable the CPU caches, providing image independent code execution.
The presented method only works on small routers that use the PowerPC CPU. Most of the Cisco IOS network infrastructure runs on larger machines with MIPS CPUs, for which the method has not been shown to work yet.
This research now enables us to give more solid statements on the detectability of attacks against Cisco IOS: namely that exploitation may not need many attempts to determine the exact IOS image version as assumed before, and that detection should therefore focus on the payload of potential exploits, such as backdoors and other modifications, rather than the detection of the exploit itself. This is very important for our future work on IOS forensics tools.”
Special thanks to FX
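The conclusion above, that detection should target modifications to the running code rather than the exploit itself, is the kind of check a memory-dump analyzer performs: compare the text segment captured in a dump against the known-good IOS image and report every range that differs. The example below is added here and is not the page's code nor Recurity Labs' CIR; the sample bytes, the load address and the 4-byte word granularity (PowerPC instructions are fixed-size words) are assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

WORD = 4  # assumed: diff at instruction granularity (PowerPC uses 4-byte words)


@dataclass
class TextRegion:
    base: int    # address at which the text segment was mapped when dumped
    data: bytes  # the captured bytes of that segment


def text_digest(data: bytes) -> str:
    """SHA-256 of a text segment: a cheap first check before a word-level diff."""
    return hashlib.sha256(data).hexdigest()


def find_modified_ranges(reference: bytes, dump: TextRegion) -> List[Tuple[int, int]]:
    """Return [(start, end), ...] addresses (end exclusive) where the dumped code
    differs from the known-good image. A size mismatch is reported as a final range
    covering the bytes that only one side has."""
    ranges: List[Tuple[int, int]] = []
    n = min(len(reference), len(dump.data))
    start: Optional[int] = None
    for off in range(0, n, WORD):
        same = reference[off:off + WORD] == dump.data[off:off + WORD]
        if not same and start is None:
            start = off                      # a modified run begins here
        elif same and start is not None:
            ranges.append((dump.base + start, dump.base + off))
            start = None
    if start is not None:                    # run extends to the end of the data
        ranges.append((dump.base + start, dump.base + n))
    if len(reference) != len(dump.data):
        longest = max(len(reference), len(dump.data))
        ranges.append((dump.base + n, dump.base + longest))
    return ranges


# Constructed sample: 16 PowerPC words (15 nops, then blr) as the reference text,
# and a dump in which the fifth word was overwritten with a branch (b 0x100).
REFERENCE_TEXT = b"\x60\x00\x00\x00" * 15 + b"\x4e\x80\x00\x20"
_patched = bytearray(REFERENCE_TEXT)
_patched[16:20] = b"\x48\x00\x01\x00"
PATCHED_DUMP = TextRegion(base=0x80000000, data=bytes(_patched))  # assumed base

if __name__ == "__main__":
    print("digest matches image:", text_digest(REFERENCE_TEXT) == text_digest(PATCHED_DUMP.data))
    for s, e in find_modified_ranges(REFERENCE_TEXT, PATCHED_DUMP):
        print(f"modified code at 0x{s:08x}-0x{e:08x}")
```

On a real dump the reference bytes would come from the vendor image file for the exact version the device reports, since any mismatch there would otherwise show up as a false modification.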