Re: No sellout. was: RE: [Dailydave] Lynn / Cisco shellcode

From: I)ruid (druid@caughq.org)
Date: Tue Aug 02 2005 - 16:26:13 CDT


On Tue, 2005-08-02 at 18:14 -0300, Holden Williamson wrote:
> > I think the major issues that Mike brought to light that most
> > experienced people walked away from the presentation with
> > (me included) were that there are ways to fool IOS's check_heaps
> > function which preemptively reboots the device if something is
> > amiss (usually thwarting most exploit attempts) and that the
>
> Didn't FXPhenoelit already cover this a year ago or more? If I
> remember correctly he described the whole process as "basic
> exploitation with a few tricky things".

Yes, to an extent, but he didn't go into what the tricky things were, or
how to handle them, and at the time (presumably) no one outside of Cisco
knew about the virtualized process features of upcoming IOS versions.
Mike referenced FX's research multiple times during the presentation and
even had an entire slide dedicated to FX's research, making it well
known that his research was an extension of the work already done by FX.

> And if your exploits are primitive enough that they can't work around
> not knowing exactly hard-coded where in memory they're aiming at with
> their write4 then .... OH I get it. People are happy because suddenly
> those with quasi-zero technical exploitation ability can write
> exploits for Cisco hardware. Makes sense now.

Exactly. I think the example Mike used during the presentation was that
with the upcoming versions of IOS you could potentially write a small,
effective worm that will work across all IOS versions with the new
features, whereas if you were to try to write a worm today, it would
have to include the addresses for every version of IOS you wanted the
worm to be able to attack, which since they currently change with every
build of the software, would make one hell of a big worm. Essentially,
his point was that you could probably detect and squelch the worm's
attack before it was even able to transfer itself to the system to be
executed after exploiting the bug used to get in.

--
I)ruid, C²ISSP
druid@caughq.org
http://druid.caughq.org

_______________________________________________
Dailydave mailing list
Dailydave@lists.immunitysec.com
https://lists.immunitysec.com/mailman/listinfo/dailydave