Home page logo

fulldisclosure logo Full Disclosure mailing list archives

IOS Exploitation Techniques Paper
From: "Andy Davis" <andy.davis () irmplc com>
Date: Wed, 27 Jun 2007 10:56:12 +0100

It has been more than a year since Michael Lynn first demonstrated a
reliable code execution exploit on Cisco IOS at Black Hat 2005. Although
his presentation received a lot of media coverage in the security
community, very little is known about the attack and the technical
details surrounding the IOS check_heaps() vulnerability. This paper is a
result of research carried out by IRM to analyse and understand the
check_heaps() attack and its impact on similar embedded devices.
Furthermore, it also helps developers understand security-specific
issues in embedded environments and developing mitigation strategies for
similar vulnerabilities. The paper primarily focuses on the techniques
developed for bypassing the check_heaps() process, which has
traditionally prevented reliable exploitation of memory-based overflows
on the IOS platform. Using inbuilt IOS commands, memory dumps and open
source tools IRM was able to recreate the vulnerability in a lab
environment. The paper is divided in three sections, which cover the
ICMPv6 source-link attack vector, IOS Operating System internals, and
finally the analysis of the attack itself.


The full paper can be downloaded from:








Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]