[Dshield] Cisco 0wn3d??

Valdis.Kletnieks@vt.edu Valdis.Kletnieks at vt.edu
Fri Aug 5 05:06:48 GMT 2005


On Thu, 04 Aug 2005 19:13:49 PDT, Brian Dessent said:

> The known vulnerabilities were silently fixed with IOS updates in April.

Correct.
 
> Most of what was presented was probably an embryonic start of a
> potential future exploit.  In other words, the specifics that he did
> talk about have already been fixed, and he made it clear that there
> still exist many impediments that make writing an actual usable exploit
> very hard.  Still, it may have sparked some interest in some people's
> minds where there was none before.

The best way to think of this is to consider it the IOS version of
Solar Designer's "Smashing the stack for fun and profit".  The *really*
big news was that it showed the infrastructure a successful exploit
would need to use once you got a vulnerability targeted.

>                                    The amount of specialized knowledge
> and access to hardware/software necessary to continue these lines of
> development are significant though.

Quite frankly, this is bullshit. Access to hardware and software is easy.

http://search.ebay.com/cisco-2501

A 2501 will run you all of $10 to $30 - shipping will be almost as much as
the purchase price.

http://www.cisco.com/en/US/products/hw/routers/ps233/products_field_notice09186a00800942ca.shtml

And when it shows up, it may have an IOS 12.2(1) image in the flash.

Given the hardware and software at that entry point price, and Lynn's talk as a
guideline, the knowledge will happen quickly enough.

> I very much doubt that at this point in time you can do anything with
> IDS.  I guess you could scan for the malformed IPv6 packets that were
> the source of the already-fixed vulnerability.  I didn't read the Cisco
> advisory but I think you're only vulnerable if you have a live ipv6
> interface.

For some IOS versions, ipv6 is there by default, and you're vulnerable unless
you went and issued 'no ipv6 enable' and 'no ipv6 address'....
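The last point in the message above (an interface is exposed to the IPv6 handling bug if it has an 'ipv6 address' or 'ipv6 enable' line, and the fix is 'no ipv6 enable' / 'no ipv6 address') is the kind of thing worth checking across a fleet rather than by eye. The following is an added audit script, not something from the original post or from Cisco: it parses 'show running-config' text, lists the interfaces that still process IPv6, and emits the negating lines the post names. The sample configuration is constructed for the example, and the function names (parse_interfaces, ipv6_enabled_interfaces, remediation_lines, has_ipv6_routing) are my own.

```python
import re

# Constructed sample of 'show running-config' output (not from the original post).
# Ethernet0 and Serial0 process IPv6; Serial1 has it explicitly negated; Loopback0
# never had it.
SAMPLE_CONFIG = """\
!
hostname edge-2501
!
ipv6 unicast-routing
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ipv6 address 2001:db8::1/64
!
interface Serial0
 ip address 198.51.100.1 255.255.255.252
 ipv6 enable
!
interface Serial1
 ip address 198.51.100.5 255.255.255.252
 no ipv6 enable
 no ipv6 address
!
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
!
end
"""


def parse_interfaces(config_text):
    """Return {interface_name: [stanza lines]} from IOS running-config text.

    IOS indents the body of an interface stanza by one space; any unindented
    line (the next 'interface', a '!' separator, 'end') closes the stanza.
    """
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            match = re.match(r"^interface\s+(\S+)", line)
            current = match.group(1) if match else None
            if current is not None:
                interfaces[current] = []
            continue
        if current is not None:
            interfaces[current].append(line.strip())
    return interfaces


def ipv6_enabled_interfaces(config_text):
    """Interfaces with a live 'ipv6 address ...' or 'ipv6 enable' line.

    Negated forms ('no ipv6 enable', 'no ipv6 address') start with 'no ' and
    therefore do not match; an interface with only those is reported clean.
    """
    hits = []
    for name, lines in parse_interfaces(config_text).items():
        if any(l.startswith("ipv6 address") or l == "ipv6 enable" for l in lines):
            hits.append(name)
    return hits


def has_ipv6_routing(config_text):
    """True if 'ipv6 unicast-routing' is set globally (context only: an
    interface with an IPv6 address processes IPv6 packets regardless)."""
    return any(line.strip() == "ipv6 unicast-routing"
               for line in config_text.splitlines()
               if not line.startswith(" "))


def remediation_lines(config_text):
    """Config lines that negate IPv6 on each exposed interface, using the two
    commands the post names; review before pasting, since this removes the
    interface's IPv6 addressing entirely."""
    out = []
    for name in ipv6_enabled_interfaces(config_text):
        out.extend(["interface " + name, " no ipv6 address", " no ipv6 enable"])
    return out


if __name__ == "__main__":
    print("ipv6 unicast-routing:", has_ipv6_routing(SAMPLE_CONFIG))
    print("interfaces processing IPv6:", ipv6_enabled_interfaces(SAMPLE_CONFIG))
    print("\n".join(remediation_lines(SAMPLE_CONFIG)))
```

Run it against saved configs (for example the output of 'show running-config' collected over SSH) rather than trusting that "we never configured IPv6": the audit flags 'ipv6 enable' as well as 'ipv6 address', because either one is enough for the interface to process IPv6 traffic.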