‘Cisco IOS Exploitation Techniques Paper’


‘It has been more than a year since Michael Lynn first demonstrated a reliable code execution exploit on Cisco IOS at Black Hat 2005. Although his presentation received a lot of media coverage in the security community, very little is known about the attack and the technical details surrounding the IOS check_heaps() vulnerability. This paper is a result of research carried out by IRM to analyse and understand the check_heaps() attack and its impact on similar embedded devices. Furthermore, it also helps developers understand security-specific issues in embedded environments and developing mitigation strategies for similar vulnerabilities. The paper primarily focuses on the techniques developed for bypassing the check_heaps() process, which has traditionally prevented reliable exploitation of memory-based overflows on the IOS platform. Using inbuilt IOS commands, memory dumps and open source tools IRM was able to recreate the vulnerability in a lab environment. The paper is divided in three sections, which cover the ICMPv6 source-link attack vector, IOS Operating System internals, and finally the analysis of the attack itself.’


‘The information has been provided by Andy Davis.
The original article can be found at: http://www.irmplc.com/download_pdf.php?src=Cisco_IOS_Exploitation_Techniques.pdf&force=yes


The check_heaps() vulnerability was mainly due to design issues and further exploitable due to the lack of memory protection support between processes. Many embedded system vendors still rely on choosing performance and speed over security. As more and more ‘intelligence’ is built into consume and commercial devices using embedded operating systems and software, the more significant these potential vulnerabilities may become. Therefore embedded systems vendors need to be aware of the potential attacks against their systems and the fact that many hackers are getting bored with researching traditional operating systems and are turning to embedded devices for a new challenge.’

Categories: Reviews