[Dshield] Cisco 0wn3d??

Brian Dessent brian at dessent.net
Fri Aug 5 02:13:49 GMT 2005


Mark wrote:

> What is the general feeling regarding recent events? I
> received email from Cisco advising me that my account
> has been reset. I understand that there was an "issue"
> with their support server.

Their CCO portal issue is unrelated to the IOS shellcode presentation. 
Some people have theorized that the nasty response of Cisco lawyers to
people that mirrored the presentation slides angered and encouraged some
people to give the CCO site a look for potential XSS/SQL
injection/whatever attacks.  As far as I know that's just pure
conjecture and a result of bad timing.

> I did some googling and have seen a couple of
> whitepapers and videos of how to compromise a Cisco
> (we're talking posted on Aug 2) router using some
> older exploits. Given a lot of the buzz on NANOG,
> there seem to be many potentially exploitable routers
> out there.

The known vulnerabilities were silently fixed with IOS updates in April.
Most of what was presented was probably an embryonic start of a
potential future exploit.  In other words, the specifics that he did
talk about have already been fixed, and he made it clear that there
still exist many impediments that make writing an actual usable exploit
very hard.  Still, it may have sparked some interest in some people's
minds where there was none before.  The amount of specialized knowledge
and access to hardware/software necessary to continue these lines of
development are significant though.

> hopefully assemble some IDS signatures based on
> "known" techniques.

I very much doubt that at this point in time you can do anything with
IDS.  I guess you could scan for the malformed IPv6 packets that were
the source of the already-fixed vulnerability.  I didn't read the Cisco
advisory but I think you're only vulnerable if you have a live ipv6
interface.

Brian

