Cisco, ISS, And The Lynn Conundrum
David Utter Staff Writer
2005-08-04
It started as a proposed presentation for the Black Hat security conference in Las Vegas, and turned into a call to arms for the hacker community.
Take control of a Cisco router, and the rest of the Internet could follow. But getting that control was supposed to be impossible. A 35-slide presentation discussed in some detail, with an accompanying demonstration, how that could indeed happen.
The presentation looks like any other PowerPoint presentation you've had to leaf through while waiting for another meeting to end. It's been rendered in full color, and will look very professional once it's been printed out on some decent paper stock.
"The Holy Grail. Cisco IOS Shellcode And Exploitation Techniques," says the front page. "Michael Lynn, Internet Security Systems." On page 2, the words "Another Unbreakable System" appear above a picture of a sinking Titanic.
Ho ho, so much for unbreakable, we find as we read on. Mr. Lynn lists some common conceptions about router security, then turns them into misconceptions on the next page, and all the pages that follow.
Cisco knew this presentation was coming. And until about a week before the Las Vegas conference, there didn't seem to be a problem. But then, Cisco felt The Fear creeping in and strangling Shareholder Value in its bed.
Cisco told Mr. Lynn and his employer, Internet Security Systems, the presentation could not be presented. According to a Wired News interview with Mr. Lynn, Cisco wanted to wait a year to disclose the problem; that would give them time to release an updated version of their Internetworking Operating System.
When Cisco started pushing the issue, Mr. Lynn was asked by ISS to change his talk to a different topic. Cisco threatened Mr. Lynn and the Black Hat conference organizers with legal action. Representatives from Cisco went to Vegas and spent hours ripping printouts of the presentation from the conference's book.
Then, as they like to say in paperbacks, several things happened at once. Mr. Lynn resigned from ISS, gave his presentation as is, and was promptly sued by Cisco for violating its intellectual property. Since Mr. Lynn had to reverse engineer the IOS code, at his now-former employer's request, Cisco claimed the research derived from that work was an infringement.
The specific flaw Mr. Lynn used to perform his magic had been patched back in April. But a future flaw could allow for the same hacking wizardry he demonstrated to take place. From his presentation, here is what could happen if a new flaw could be exploited to allow for control of a Cisco router:
1. Get Execution
2. Clean Up What We Broke
3. Spawn Process
4. Allocate And Setup TTY
5. Make Connect-Back TCB
6. Start Shell
7. Kill Logger Process
8. Exit Initial Process
9. World Domination
The world domination bit may not come into play. Mr. Lynn notes in his presentation that Cisco is working on the issue, and users who keep their firmware images up to date will probably be fine.
Meanwhile, Cisco has taken a huge PR hit. On the private side, Cisco representatives may be facing some very uncomfortable questions. Certain government agencies may be asking those questions.
Mr. Lynn claims in the Wired interview that he met a few "three-letter" agency types after the presentation. They congratulated him on the talk. One agent, ostensibly with the Air Force Office of Special Investigations, gave him a challenge coin. I doubt a Cisco rep will be receiving one.
Cisco may as well have made a deal with Akamai to distribute the presentation online. A search for the slides turned up a pristine PDF copy in roughly the time it took to type this sentence. A web site crack forced Cisco to reset passwords for everyone with an account on cisco.com. Even though that intrusion most likely came through a flaw in the web application rather than a problem in Cisco's hardware, it was still embarrassing for the company.
Mr. Lynn went on with his presentation, quitting his job in the process, and claimed he did so because of a public need-to-know about the potential problem. Cisco equipment handles an uncountable number of Internet communications continually.
Maybe he is a hero here. Maybe not. But you can't unring a bell, and Cisco can't get all those copies of the presentation off the Net. It's time to get patching, and maybe put a call in to a Cisco rep for a little chat, and perhaps a discussion about discounting next year's support contract.
About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.