Cisco IOS: Attack & Defense

Surfing the web, I have found a nice talk on Cisco IOS Forensics and Exploits, explained during the 25C3: “Cisco IOS Attack & Defense – The State of the Art“.

What is 25C3?
The 25th Chaos Communication Congress (25C3) is the annual four-day conference organized by the Chaos Computer Club (CCC). It takes place at the bcc Berliner Congress Center in Berlin, Germany. The Congress offers lectures and workshops on a multitude of topics and attracts a diverse audience of thousands of hackers, scientists, artists, and utopians from all around the world.

Here a summary written by FX
“To summarize the presentation given at the 25C3, the work is aimed at the possibility of performing forensic analysis for Cisco IOS devices. We identified a complete lack of tools and methods for detection of compromized network equipment approximately two years back. With the rise in sophistication on the attacker side, it became important to develop tools and methods so that successful or failed attempts to compromize routers could be detected. The result of this research was the Recurity Labs tool CIR (Cisco Incident Response), which is a free memory dump analyzer provided at http://cir.recurity-labs.com.

To be able to take this tool forward, we also needed to better understand how a well-resourced attacking organization would actually implement IOS exploits.

The most obvious difference between the publicly available exploits and the anticipated professional attacker was that the public exploits depend on static address space layout. On common operating systems like Windows or Linux, this is the default and intentionally randomized by ASLR. On Cisco IOS, the diversity of operating system images makes randomness the default. Accordingly, we researched how so-called image independent code execution
could work and found code fragments from the System Bootstrap to be at a stable address. By using chunks of the existing System Bootstrap code, we were able to craft a stack layout that would execute two arbitrary memory writes and disable the CPU caches, providing image independent code exection.

The presented method only works on small routers that use the PowerPC CPU. Most of the Cisco IOS network infrastructure runs on larger machines with MIPS CPUs, for which the method has not been shown to work yet.

This research now enables us to give more solid statements on the detectability of attacks against Cisco IOS: namely that exploitation may not need many attempts to determine the exact IOS image version as assumed before, and that detection should therefore focus on the payload of potential exploits, such as backdoors and other modifications, rather than the detection of the exploit itself. This is very important for our future work on IOS forensics tools.”

Special thanks to FX  ;)