
Re: IOS Exploitation Techniques Paper
From: Mike Caudill <mcaudill () cisco com>
Date: Wed, 27 Jun 2007 14:06:15 -0400

Andy Davis <andy.davis () irmplc com> [2007-06-27 06:07] wrote:
> It has been more than a year since Michael Lynn first demonstrated a reliable
> code execution exploit on Cisco IOS at Black Hat 2005. Although his
> presentation received a lot of media coverage in the security community, very
> little is known about the attack and the technical details surrounding the IOS
> check_heaps() vulnerability. This paper is a result of research carried out by
> IRM to analyse and understand the check_heaps() attack and its impact on
> similar embedded devices. Furthermore, it also helps developers understand
> security-specific issues in embedded environments and develop mitigation
> strategies for similar vulnerabilities. The paper primarily focuses on the
> techniques developed for bypassing the check_heaps() process, which has
> traditionally prevented reliable exploitation of memory-based overflows on the
> IOS platform. Using inbuilt IOS commands, memory dumps and open source tools,
> IRM was able to recreate the vulnerability in a lab environment. The paper is
> divided into three sections, which cover the ICMPv6 source-link attack vector,
> IOS Operating System internals, and finally the analysis of the attack itself.
>
> The full paper can be downloaded from:


As Andy stated, the IOS Exploitation Techniques whitepaper covers
details regarding IOS vulnerabilities which have been previously
disclosed. The vulnerabilities used in the exploit were resolved across
two separate Cisco security advisories released in 2005.

The first advisory covered the attack vector:

   Cisco Security Advisory:  IPv6 Crafted Packet Vulnerability

and the second advisory covered the underlying vulnerability which
allowed for the possibility of remote code execution:

   Cisco Security Advisory:  IOS Heap-based Overflow Vulnerability in System Timers.

Cisco customers should reference those advisories (and more recently
released advisories) to determine the version(s) of software needed to
remediate any vulnerabilities within their network.

We would like to thank Andy for his continued cooperation with us in the
spirit of responsible disclosure and working to increase awareness of
security issues.

For information on working with the Cisco PSIRT regarding potential
security issues, please see our contact information at



-Mike-

-- 

Mike Caudill  <mcaudill () cisco com>
PSIRT Incident Manager
DSS PGP: 0xEBBD5271
+1.919.392.2855 / +1.919.522.4931 (cell)

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
