25C3: Reliable exploits for Cisco routers
In his 25C3 presentation on Cisco IOS attack and defense, Felix "FX" Lindner of Phenoelit gave the first public presentation of a technique for reliably exploiting buffer overflows in Cisco routers.
The problem with attacks on Cisco routers is that the IOS images in use differ so much that each device is virtually unique: the vulnerable code and the functions an exploit needs to reach sit at different addresses in every image. The Cisco exploits published so far therefore really only work on the demo system they were built for, not on arbitrary systems running in the wild.
FX's presentation, however, outlined an exploit technique that reuses fragments of code from ROMMON, the boot loader that loads IOS, the Cisco operating system, at system start-up. ROMMON always sits at constant addresses at the bottom end of memory, and only a few different versions of it exist, so an exploit built from those fragments depends on the ROMMON version rather than on the particular IOS image.
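To make the point about address stability concrete, here is a small added example, written for this article and not code from FX's talk or from Phenoelit: a mask-based search for a reusable instruction fragment in a firmware blob mapped at a constant base address, plus the check a practitioner wants before relying on such a fragment, namely that it sits at the same address in every ROMMON image at hand. The base address, the two "ROMMON" blobs and the choice of fragment are constructed for illustration; the opcode encodings are the standard PowerPC ones for mtctr, bctr, blr and nop, but check them against a disassembler before use.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed mapping address of the constructed blobs; not a real Cisco address. */
#define ROMMON_BASE 0x00001000u

/* One instruction pattern: the word must equal `value` on the bits set in `mask`. */
struct insn_pat { uint32_t value; uint32_t mask; };

/* PowerPC: big-endian, fixed 32-bit instructions, so scan on 4-byte boundaries. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Search `blob` (mapped at `base`) for a run of instructions matching `pat`.
 * Stores the absolute address of the first instruction in *addr and returns 1,
 * or returns 0 if the fragment is not present. */
int find_fragment(const uint8_t *blob, size_t len, uint32_t base,
                  const struct insn_pat *pat, size_t npat, uint32_t *addr)
{
    if (npat == 0 || len < npat * 4)
        return 0;
    for (size_t off = 0; off + npat * 4 <= len; off += 4) {
        size_t i;
        for (i = 0; i < npat; i++)
            if ((be32(blob + off + i * 4) & pat[i].mask) != pat[i].value)
                break;
        if (i == npat) {
            *addr = base + (uint32_t)off;
            return 1;
        }
    }
    return 0;
}

/* Returns 1 only if the fragment is found in every image at one and the same
 * address; that is the property that makes an exploit portable across images. */
int fragment_is_stable(const uint8_t **blobs, const size_t *lens, size_t nblobs,
                       uint32_t base, const struct insn_pat *pat, size_t npat)
{
    uint32_t first = 0, addr;
    for (size_t b = 0; b < nblobs; b++) {
        if (!find_fragment(blobs[b], lens[b], base, pat, npat, &addr))
            return 0;
        if (b == 0)
            first = addr;
        else if (addr != first)
            return 0;
    }
    return nblobs > 0;
}

/* Fragment sought: "mtctr rX" (any register) followed by "bctr", a jump through
 * a register. mtctr rX is mtspr 9,rX: 0x7C0903A6 with rX in bits 21-25. */
static const struct insn_pat jump_via_ctr[] = {
    { 0x7C0903A6u, 0xFC1FFFFFu },  /* mtctr rX, register field masked out */
    { 0x4E800420u, 0xFFFFFFFFu },  /* bctr */
};
#define NPAT (sizeof jump_via_ctr / sizeof jump_via_ctr[0])

/* Constructed "ROMMON" images, not real firmware. rommon_v2 carries one extra
 * nop at the front, so the same fragment lands four bytes later. */
static const uint8_t rommon_v1[] = {
    0x60,0x00,0x00,0x00,  /* nop (ori r0,r0,0) */
    0x7D,0x89,0x03,0xA6,  /* mtctr r12 */
    0x4E,0x80,0x04,0x20,  /* bctr */
    0x4E,0x80,0x00,0x20,  /* blr */
};
static const uint8_t rommon_v2[] = {
    0x60,0x00,0x00,0x00, 0x60,0x00,0x00,0x00,
    0x7D,0x89,0x03,0xA6, 0x4E,0x80,0x04,0x20, 0x4E,0x80,0x00,0x20,
};

/* Address of the fragment in rommon_v1: ROMMON_BASE + 4. */
uint32_t fragment_addr_v1(void)
{
    uint32_t a = 0;
    find_fragment(rommon_v1, sizeof rommon_v1, ROMMON_BASE, jump_via_ctr, NPAT, &a);
    return a;
}

/* 1: two copies of the same image agree on the address. */
int stable_v1_only(void)
{
    const uint8_t *blobs[] = { rommon_v1, rommon_v1 };
    size_t lens[] = { sizeof rommon_v1, sizeof rommon_v1 };
    return fragment_is_stable(blobs, lens, 2, ROMMON_BASE, jump_via_ctr, NPAT);
}

/* 0: a differently laid-out image moves the fragment, so it cannot be relied on. */
int stable_v1_v2(void)
{
    const uint8_t *blobs[] = { rommon_v1, rommon_v2 };
    size_t lens[] = { sizeof rommon_v1, sizeof rommon_v2 };
    return fragment_is_stable(blobs, lens, 2, ROMMON_BASE, jump_via_ctr, NPAT);
}

int main(void)
{
    printf("fragment in v1 at 0x%08x\n", fragment_addr_v1());
    printf("stable across v1,v1: %d\n", stable_v1_only());
    printf("stable across v1,v2: %d\n", stable_v1_v2());
    return 0;
}
```

The same search run over a set of IOS images would, per the article, find the fragment at a different address in nearly every one, which is exactly why an exploit anchored in IOS code is not portable, while one anchored in the few ROMMON versions only needs the ROMMON version to be known.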
FX then demonstrated how a known vulnerability could be exploited with a single ping packet to make the Cisco router send text. As he explained, the same technique can easily be used to inject the more complex code an attack requires.
FX said his research on this topic was motivated by the need to know exactly what the forensic and analysis tools he is developing must look for in order to detect injected malicious code. Routers are such rewarding targets, he said, that attacks by organised criminals and intelligence services must be expected; they could already have such techniques in their repertoire.