Halvar, Please let me clarify some misconceptions currently being spread by the Cisco "media machine": All three techniques demonstrated in the videos are shellcode payloads written in PowerPC assembly language (for the Cisco 2600 series routers). They are being demonstrated from within gdb rather than as the payloads to actual exploits. ANY Cisco IOS vulnerability that can result in arbitrary code execution (heap/stack overflow etc.) can potentially be exploited using any of these three exploits payloads. Furthermore, if an IOS vulnerability is being exploited: - console access is NOT required - the enable password is NOT required - the debugger does NOT need to be enabled An example of a remote memory corruption vulnerability, which may potentially be able to be exploited using these payloads is the IOS LPD remote stack overflow vulnerability (http://www.irmplc.com/index.php/155-Advisory-024) that we released earlier today. We should be releasing hi-res versions of the videos at some stage in the next 24 hours at http://www.irmplc.com/index.php/153-Embedded-Systems-Security. I hope that makes things a bit clearer for everyone Cheers, Andy -----Original Message----- From: Halvar Flake [mailto:halvar.flake@xxxxxxxxxxxxxxxxxx] Sent: 11 October 2007 20:25 To: Gaus; bugtraq@xxxxxxxxxxxxxxxxx Cc: gaus@xxxxxxxxx Subject: Re: Cisco PSIRT response on IRM Demonstrates Multiple Cisco IOS Exploitation Techniques So in short, they are demonstrating that * IF you have console access * AND the enable password * AND you enable the debugger you can execute code ? So all in all, it's a complete non-issue ? Cheers, Halvar
