--== P H E N O E L I T ==--
____ _______ _____ _______
____ ____ / /__ __/ __ ___ ______ / /______/__ __/ ______
/ / / / / / / -*-/ \_/ // / / / / / / -*- / __ /
/ / / / / / / __ / /\_// // __ / / /\ \ __ / / / __ / / / /
/ /__/ / /____/ / / // / / // / / / / / / / / / / / / / / / /_/ /
/__________/______/_/ /_//_/ /_//_/ /_/ /_/ /_/_/ /_/ /_/ /_/ /_____/
|
A remote Cisco IOS exploit
[Download
|Tutorial
|DEF CON X Slides
|Black Hat Slides
|License
]
+++UPDATE+++
In contrast to what was said before on this topic, there are stack based overflows
in Cisco IOS. One of them is the HTTP stack vulnerability
(Cisco security notice here), which can be exploited stable using the UDP echo
memory leak described here.
Grab the stuff from the download section.
Rant
Until a man is twenty-five, he still thinks, every so often, that under the right
circumstances he could be the best hacker in the world. If I moved to a
hacking monastery in Europe and studied real hard for ten years or so. If I
reverse engineered every fucking piece of server software on the planet. If I
stole the source code of every operating system available.
I used to feel that way, too, but then ran into certain people. In a way,
this is liberating. I no longer have to worry about trying to be the best
hacker in the world. The position is taken. The crowning touch, the one thing
that really puts true worldclass besthackerdom totally out of reach, of course,
is presented at Black Hat. But well, we show up there anyway.
FX
Wording stolen from Neal Stephenson's "Snow Crash"
Introduction
When trying to write exploits for IOS, you can be pretty sure that whatever you
do, the whole system will crash at one time or another. Compared to classic
daemon exploitation, this does not leave much room for playing around.
According to Cisco Systems own statement, most bugs in IOS are actually heap
problems of one kind or another. Therefore, the following method should help
the interested researcher to find ways of exploitation. We are not pretending
that this will always work and there could be much more simple ways of doing
it - but that's how it works for us.
The Basics
As normal, you need something that overwrites a buffer. There might be ways
to deal with off-by-ones and other stuff, but buffer overflows are most
common.
Your buffer is probably stored on the heap in IOS. The heap is organized in
all kinds of fuzzy ways we don't really know about. The one thing that
matters are the heap blocks. These are obviously organized in a doubly-linked
list:
+--------------+
| BLOCK A |
+--------------+
| BLOCK B |
+--------------+
| BLOCK C |
+--------------+
So, if you overflow a block (BLOCK B), you can write to BLOCK C. Now, BLOCK C
can contain anything and exploitation would really depend on that. But, every
block contains some management information, which is stored inline.
This is how the header looks like in detail:
|<- 32 bit ->|
+--------------+
| MAGIC |
+--------------+
| PID |
+--------------+
| Somestuff |
+--------------+
| Somestuff |
+--------------+
| Somestuff |
+--------------+
| NEXT BLOCK |
+--------------+
| PREV BLOCK |
+--------------+
| BLOCK SIZE |
+--------------+
| some ref |
+--------------+
| DATA |
| |
....
| |
+--------------+
| RED ZONE |
+--------------+
For the most part, the fields titled "Somestuff" are not checked by IOS, so
the only thing you don't want to have in there is 0x00.
Some others are required to have certain values:
- MAGIC has to be 0xAB1234CD
- RED ZONE has to be 0xFD0110DF
- NEXT BLOCK is a pointer and my point to the next block in the list
- PREV BLOCK is a pointer and has to point to the previous block in
the list (actually to the NEXT pointer in the previous block), which can be
real difficult
- BLOCK SIZE's MSB (most significant bit) tells IOS, if the block is used
or not.
Since the PREV PTR is actually checked real closely, we can not do the
normal pointer exchange game. But by placing the destination address in NEXT,
we could overflow up to that point and write an uncontrolled value (PREV)
at the address NEXT points to.
A free block in IOS has some more overhead. After the normal header, you
find:
|<- 32 bit ->|
+--------------+
| MAGIC2 |
+--------------+
| Somestuff |
+--------------+
| PADDING |
+--------------+
| PADDING |
+--------------+
| FREE NEXT |
+--------------+
| FREE PREV |
+--------------+
And here comes the good news: None of these two pointers are checked, when
the block before this one is free()d. So, we can put two values in here - one
for the destination and the other one being the desired 4-byte number and
write arbitrary data to arbitrary memory addresses. But since this is a
pointer exchange, the data in both fields has to contain valid memory
addresses.
The rest is text book exploitation with some little hassles. We will bring
you a tutorial shortly - so long, you can check the example exploit in the
download section or check the presentations from Black Hat Briefings 2002 in
Las Vegas and DefCon X.