Cisco IOS Exploitation Techniques
by Gyan Chawdhary - Thursday, 28 June 2007.
It's been almost two years since Michael Lynn first demonstrated a reliable code execution exploit on Cisco IOS at Black Hat 2005. Although his presentation received a lot of media coverage in the security community, very little is known about the attack and the technical details surrounding the IOS check_heaps() vulnerability.

This paper is a result of research carried out by IRM to analyse and understand the check_heaps() attack and its impact on similar embedded devices. Furthermore, it also helps developers understand security-specific issues in embedded environments and developing mitigation strategies for similar vulnerabilities.

The paper primarily focuses on the techniques developed for bypassing the check_heaps() process, which has traditionally prevented reliable exploitation of memory-based overflows on the IOS platform. Using inbuilt IOS commands, memory dumps and open source tools IRM was able to recreate the vulnerability in a lab environment.

The material is divided in three sections, which cover the ICMPv6 source-link attack vector, IOS Operating System internals, and finally the analysis of the attack itself.

Download the article in PDF format here.

Spotlight

Travel smart: Tips for staying secure on the road

Whether you're taking a personal holiday or a business trip, traveling by car or by plane, planning a quick jaunt or preparing for an extended stay, make sure your security best practices are coming along for the ride.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  
DON'T
MISS

Tue, May 26th
    COPYRIGHT 1998-2015 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //