no one is safe ...

Cisco IOS attacks and defense

Why attacking Cisco IOS?

  • 92% market share for routers above 1500$
  • 71% market share enterprise switch market


  • from both attacker and forensics point of view Juniper is just a FreeBSD

IOS exploit dev. begins to make commercial sense ;)

Well known bugs:

  • Configuration problems (Weak passwords, weak SNMP communities, posting your config on Internet forums)
  • Access check vuln (Ciscos HTTP level 16++ vuln, SNMPv3 HMAC verification vuln, Debianized SSH keys)
  • Queuing bugs (DoS)

Binary exploitation

  • Service Vuln (Phenoelits TFTP exploit, Phenoelits HTTP exploit, Andy DAvix FTP exploit)
  • Protocol exploits

Crashinfo - If the exploit failed you might get a crashinfo file

Binary exploits do (bin modification of the runtime image, data structure patching)

Inside IOS:

  • one large ELF binary
  • statically liked Unix program
  • loaded by rommon
  • runs directly on the routers main cpu
  • processes are rather like threads
  • system wide global data structures
  • run to completion-cooperative multitasking

Challenges with IOS:

  • Every IOS image is compiled individually
  • over 100000 IOS images used in the wild (around 15000 officially supported)
  • challenge with IOS is combinatory explosion of platform, IOS version , feature set, ...

Detecting Exploits:

Using ROMMON to execute code via the network :) the demo prints a textmessage to the IOS VTY which was sent via a single ICMP packet ... WOW :)

Links: Cisco Incident Response - CIR Online Service, Phenoelit, CCC-Event Ankündigung, Heise Bericht