
Dailydave mailing list archives
RE: Lynn / Cisco shellcode
From: "Thor Larholm" <thor () pivx com>
Date: Thu, 28 Jul 2005 06:14:36 -0700
I've not read his presentation yet and it's not available in the media archives either (http://www.blackhat.com/html/bh-media-archives/bh-archives-2005.html#US A-2005) so this is just from the top of my head.

You're right, it doesn't seem like Lynn disclosed any new vulnerability. Instead, he demonstrated how a vulnerability in IOS, once found, can be reliably exploited.

There are several ways to discover how to reliably exploit buffer overflows of various kinds, either through source code analysis or reverse engineering. We've all been using the latter to successfully exploit vulnerabilities on the Windows platform since we don't have access to the source code.

While Lynn worked at ISS he was doing a source code analysis for Cisco. Lynn learned the 'secrets' of IOS exploitation through that source code analysis and I am certain that the ISS review of the IOS source code included a Non Disclosure Agreement. Cisco could certainly have handled the situation better, and not have been portrayed as trying to silence security research, but it's certainly probable that Lynn has violated his NDA during his presentation.

It's like the good old days of developing IBM BIOS clones. You can't be touched if you have learned how the system behaves through your own learning experience (reverse engineering), but you will most likely be prevented from creating BIOS clones due to contractual obligations if you have been given the secrets up front (source code analysis).

I'm still waiting for a copy of the presentation to be available to determine if there's anything more than hype to this.

Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
23 Corporate Plaza #280
Newport Beach, CA 92660
http://www.pivx.com
thor () pivx com
Stock symbol: (PIVX.OB)
Phone: +1 (949) 231-8496
PGP: 0x4207AEE9 B5AB D1A4 D4FD 5731 89D6 20CD 5BDB 3D99 4207 AEE9

PivX defines a new genre in Desktop Security: Proactive Threat Mitigation.
<http://www.pivx.com/qwikfix>

-----Original Message-----
From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Halvar Flake
Sent: Thursday, July 28, 2005 3:04 PM
To: famato () infobyte com ar
Cc: dailydave () lists immunitysec com
Subject: Re: [Dailydave] Lynn / Cisco shellcode

Hey all,

please correct me if my summary is incorrect, but:

1) Lynn talked about exploitation methods, not about 0day bugs
2) A significant amount of what he talked about was already known if one had read/studied what had previously been published by FX
3) Cisco and ISS are suing him?

A few comments come into my mind:

1) My "friends don't let friends" slide from an old Blackhat talk
2) This is nutty. Instead of trying to go after Mr. Lynn, Cisco should perhaps do some changes to their heap implementation focusing more on security and less on heap integrity. Ah, did I mention being more vigorous in auditing their own code?
3) I don't know the specifics, but I have the impression that the risk of all this is a bit hyped.
4) What "weaknesses" were really presented? I mean it is a given that if you corrupt memory on any computer, you can do shit you should not be able to do. Anybody who disputes this is living in a different world. So there is nothing that "needs fixing" - what needs fixing is the fact that attackers can corrupt memory. Mr. Lynn has presented a methodology to utilize the tools (a memory corruption) provided by Cisco. But the important part is that the memory corruption is something that Cisco put into the software - and it is hard to imagine that finding a way to make use of an (unintentionally included) feature is anything to be sued over.

I just came off of a very long flight, so I might not be 100% coherent. But all in all, I think the security industry has gotten to the point of believing its own hype. Never a good thing.

So on what grounds are ISS/Cisco suing?

Cheers,
Halvar