[Dshield] The Holy Grail

Chris Brenton cbrenton at chrisbrenton.org
Mon Aug 1 19:59:17 GMT 2005


On Mon, 2005-08-01 at 15:01, Scott Melnick wrote:
>
> 2. While this one particular exploit was fixed, the main basis of the
> danger is still in IOS for future exploits.

There have been so many theatrics revolving around this episode, I think
many people have missed this point. Prior to this presentation, exploits
have revolved around DoSing the router. While there have been one or two
cases of remotely running code, they have been very specific to only a
certain version of IOS on only a certain router model. 

What Lynn has shown us is that its possible to create an exploit that
executes code remotely without needing to poke specific memory
registers. This means that remotely executing code is no longer
IOS/model specific, opening the door for these exploits to work on a
wider range or routers.

To go back to the original question, "Is there enough info for the
script kiddies", the answer is no. There is enough information for
someone who really knows what they are doing however. 

> At least that is what I
> gathered. This is what Cisco does not want us to know. It brings a new
> level of attack on Cisco products world wide, including a major
> percentage of the internet backbone itself.

Agreed, scary stuff. I believe Lynn used an exploit example where a
patch exists so his presentation would be relatively benign. That does
not mean the problem is solved however. We're still in nasty shape.

> How can you violate disclosure on something that is already out there?

Don't confuse a court order with reality. Both Cisco and ISS were
looking to put a gag order on this whole thing. With this in mind, they
need to present enough evidence to make it overwhelmingly look like they
are right. Tossing around phrases like "NDA violation" was (IMHO) a way
to get a judge's attention and get the paperwork they wanted. Doubt you
will ever see anything come of it.

> " "Cisco, you are really screwing up," she said, followed by a round of
> applause.

I think Cisco has figured this out and are now trying to do the right
thing. ISS on the other hand appears to not want to let it go.

> "Suing researchers is not going to make you secure. Alienating
> the security community is not going to encourage people to come to you
> and report problems and work with you." "

To me, this hits a point that is even worse than remotely executing code
on Cisco routers. In recent history we've had companies like Sybase,
Sygate and Oracle file legal paperwork to put a gag order on security
researchers. Now Cisco has joined in as well. This is *clearly* sending
a message that if your intend to release the info to the public you
should not approach the vendor first because you may get gaged. Better
to just post it on the net, let the vendor find out along with everyone
else and let them deal with the fall out.

I'm not saying this is the right thing to do. All I'm saying is that
anyone doing exploit research has to be thinking long and hard about
whether they want to give a vendor the ability to tie them up in court
over research they have performed.

HTH,
Chris









More information about the list mailing list