It started as a proposed presentation for the Black Hat security conference in
Las Vegas, and turned into a call to arms for the hacker community.
Take control of a Cisco router, and the rest of the Internet could follow. But
getting that control was supposed to be impossible. A 35-slide presentation discussed
in some detail, with an accompanying demonstration, how that could indeed happen.
The presentation looks like any other PowerPoint presentation you've had to leaf
through while waiting for another meeting to end. It's been rendered in full color,
and will look very professional once it's been printed out on some decent paper
stock.
"The Holy Grail. Cisco IOS Shellcode And Exploitation Techniques," says the front page.
"Michael Lynn, Internet Security Systems." On page 2, the words "Another Unbreakable
System" appear above a picture of a sinking Titanic.
Ho ho, so much for unbreakable, we find as we read on. Mr. Lynn lists some common
conceptions about router security, then turns them into misconceptions on the
next page, and all the pages that follow.
Cisco knew this presentation was coming. And until about a week before the Las
Vegas conference, there didn't seem to be a problem. But then, Cisco felt The
Fear creeping in and strangling Shareholder Value in its bed.
Cisco told Mr. Lynn and his employer, Internet Security Systems, the presentation
could not be presented. According to a Wired News interview with Mr. Lynn, Cisco
wanted to wait a year to disclose the problem; that would give them time to release
an updated version of their Internetworking Operating System.
When Cisco started pushing the issue, Mr. Lynn was asked by ISS to change his
talk to a different topic. Cisco threatened Mr. Lynn and the Black Hat conference
organizers with legal action. Representatives from Cisco went to Vegas and spent
hours ripping printouts of the presentation from the conference's book.
Then, as they like to say in paperbacks, several things happened at once. Mr.
Lynn resigned from ISS, gave his presentation as is, and was promptly sued by
Cisco for violating its intellectual property. Since Mr. Lynn had to reverse engineer
the IOS code, at his now-former employer's request, Cisco claimed the research
derived from that work was an infringement.
The specific flaw Mr. Lynn used to perform his magic had been patched back in
April. But a future flaw could allow for the same hacking wizardry he demonstrated
to take place. From his presentation, here is what could happen if a new flaw
could be exploited to allow for control of a Cisco router:
1. Get Execution
2. Clean Up What We Broke
3. Spawn Process
4. Allocate And Setup TTY
5. Make Connect-Back TCB
6. Start Shell
7. Kill Logger Process
8. Exit Initial Process
9. World Domination
The world domination bit may not come into play. Mr. Lynn notes in his presentation
that Cisco is working on the issue, and users who keep their firmware images up
to date will probably be fine.
Meanwhile, Cisco has taken a huge PR hit. On the private side, Cisco representatives
may be facing some very uncomfortable questions. Certain government agencies may
be asking those questions.
Mr. Lynn claims in the Wired interview that he met a few "three-letter" agency types
after the presentation. They congratulated him on the talk. One agent, ostensibly
with the Air Force Office of Special Investigations, gave him a challenge coin.
I doubt a Cisco rep will be receiving one.
Cisco may as well have made a deal with Akamai to distribute the presentation
online. A search for the slides turned up a pristine PDF copy in roughly the time
it took to type this sentence. A web site crack forced Cisco to reset passwords
for everyone with an account on cisco.com. Even though that intrusion most likely
came through a flaw in the web application rather than a problem in Cisco's hardware,
it was still embarrassing for the company.
Mr. Lynn went on with his presentation, quitting his job in the process, and claimed
he did so because of a public need-to-know about the potential problem. Cisco
equipment handles an uncountable number of Internet communications continually.
Maybe he is a hero here. Maybe not. But you can't unring a bell, and Cisco can't
get all those copies of the presentation off the Net. It's time to get patching,
and maybe put a call in to a Cisco rep for a little chat, and perhaps a discussion
about discounting next year's support contract.
About the Author:
David Utter is a business and technology writer with WebProNews.