lecture: 1-day exploit development for Cisco IOS
Year 2017 was rich in vulnerabilities discovered for Cisco networking devices. At least 3 vulnerabilities leading to a remote code execution were disclosed. This talk will give an insight on exploit development process for Cisco IOS for two of the mentioned critical vulnerabilities. Both lead to a full takeover of the target device. Both PowerPC and MIPS architectures will be covered. The presentation will feature an SNMP server exploitation demo.
On March 17th, Cisco Systems Inc. made a public announcement
that over 300 of the switches it manufactures are prone to a critical
vulnerability that allows a potential attacker to take full control of
the network equipment.
This damaging public announcement was preceded by Wikileaks'
publication of documents codenamed as "Vault 7" which contained
information on vulnerabilities and description of tools needed to access
phones, network equipment and even IOT devices.
Cisco Systems Inc. had a huge task in front of them - patching
this vast amount of different switch models is not an easy task. The
remediation for this vulnerability was available with the initial
advisory and patched versions of IOS software were announced on May 8th
I decided to reproduce the steps necessary to create a fully working tool to
get remote code execution on Cisco switches mentioned in the public announcement.
Another big vulnerability was disclosed in June 2017. This was a remote
code execution vulnerability in an SNMP service affecting multiple Cisco
routers and switches.
I will share the techniques and tools I used while researching vulnerable
Cisco switches and routers. Reverse engineering and debugging IOS under PowerPC
and MIPS architectures will be the focus of this talk.
We all heard about modern exploit mitigation techniques such as
Data Execution Prevention, Layout Randomization. But just how hardened
is the network equipment? And how hard is it to find critical
vulnerabilities in network devices?