no one is safe ...

Cisco IOS attacks and defense

Why attack Cisco IOS?

  • 92% market share for routers above $1500
  • 71% share of the enterprise switch market

Juniper:

  • from both an attacker's and a forensics point of view, Juniper is just FreeBSD

IOS exploit development is beginning to make commercial sense ;)

Well known bugs:

  • Configuration problems (weak passwords, weak SNMP communities, posting your config on Internet forums)
  • Access check vulnerabilities (Cisco's HTTP level 16++ vuln, SNMPv3 HMAC verification vuln, Debianized SSH keys)
  • Queuing bugs (DoS)

Binary exploitation

  • Service vulnerabilities (Phenoelit's TFTP exploit, Phenoelit's HTTP exploit, Andy Davis's FTP exploit)
  • Protocol exploits

Crashinfo - if the exploit failed, you might get a crashinfo file

What binary exploits do: binary modification of the runtime image, data structure patching

Inside IOS:

  • one large ELF binary
  • statically linked Unix program
  • loaded by rommon
  • runs directly on the router's main CPU
  • processes are rather like threads
  • system-wide global data structures
  • run-to-completion, cooperative multitasking
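
Added example, not code from the talk or from any Cisco tool: since IOS is one statically linked ELF binary, modification of the runtime image can be checked by comparing the non-writable loadable segments of the exact image the router booted against a memory dump. It assumes an uncompressed ELF32 image; `read_mem`, `build_image` and `dump_reader` are hypothetical helpers, and the sample image and addresses are constructed.

```python
import struct

PT_LOAD, PF_W = 1, 2

def load_segments(elf):
    """Return (vaddr, flags, file_bytes) for every PT_LOAD segment of an ELF32 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1:
        raise ValueError("not an ELF32 file")
    end = ">" if elf[5] == 2 else "<"            # EI_DATA: 2 = big-endian
    (phoff,) = struct.unpack_from(end + "I", elf, 28)
    phentsize, phnum = struct.unpack_from(end + "HH", elf, 42)
    segs = []
    for i in range(phnum):
        p_type, off, vaddr, _, filesz, _, flags, _ = struct.unpack_from(
            end + "8I", elf, phoff + i * phentsize)
        if p_type == PT_LOAD:
            segs.append((vaddr, flags, elf[off:off + filesz]))
    return segs

def modified_segments(image, read_mem):
    """List (segment_vaddr, first_differing_vaddr) for non-writable segments.
    read_mem(vaddr, size) is a hypothetical accessor over a memory or core dump."""
    findings = []
    for vaddr, flags, data in load_segments(image):
        if flags & PF_W:
            continue                             # writable data changes legitimately
        live = read_mem(vaddr, len(data))
        if live != data:
            diff = next((i for i, (a, b) in enumerate(zip(data, live)) if a != b),
                        len(live))               # short read: differs where it ends
            findings.append((vaddr, vaddr + diff))
    return findings

def build_image(text, data):
    """Constructed minimal big-endian ELF32: one R+X and one R+W segment."""
    ehdr = b"\x7fELF" + bytes([1, 2, 1]) + bytes(9) + struct.pack(
        ">HHIIIIIHHHHHH", 2, 0, 1, 0x80008000, 52, 0, 0, 52, 32, 2, 0, 0, 0)
    ph = struct.pack(">8I", 1, 116, 0x80008000, 0x80008000, len(text), len(text), 5, 4)
    ph += struct.pack(">8I", 1, 116 + len(text), 0x80100000, 0x80100000,
                      len(data), len(data), 6, 4)
    return ehdr + ph + text + data

def dump_reader(regions):
    """Constructed stand-in for a parsed dump: {base_vaddr: bytes}."""
    def read(vaddr, size):
        for base, blob in regions.items():
            if base <= vaddr < base + len(blob):
                return bytes(blob[vaddr - base:vaddr - base + size])
        return b""
    return read
```

The comparison is only meaningful against the exact image the router booted, and writable segments are skipped, so data structure patching is outside what it detects.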

Challenges with IOS:

  • Every IOS image is compiled individually
  • over 100000 IOS images used in the wild (around 15000 officially supported)
  • the challenge with IOS is the combinatorial explosion of platform, IOS version, feature set, ...

Detecting Exploits:

Attack:
Using ROMMON to execute code via the network :) The demo prints a text message to the IOS VTY which was sent via a single ICMP packet ... WOW :)

Links: Cisco Incident Response - CIR Online Service, Phenoelit, CCC event announcement, Heise report
