[Full-Disclosure] The Truth of the Recent Cisco Bug
From: security snot (booger_at_unixclan.net)
To: firstname.lastname@example.org
Date: Tue, 22 Jul 2003 08:16:37 -0700 (PDT)
I recently came across information that suggests that the much-hyped Cisco
IOS bug is not only a denial-of-service, but allows the execution of
arbitrary code on a vulnerable device. Apparently, this bug was first
discovered by dvdman of l33tsecurity.com, and his team was able to
remotely exploit it in two ways - one with specialized IOS shellcode, and
one without. I would interpret this to mean that the second method
(without shellcode) is simply the DoS.
The following information comes from some BitchX.away file on some box I
was pentesting, of which I cannot disclose the name due to the strict NDA
I am under. Posting this information is likely a violation of said NDA,
but it seems that it will serve the greater good of the internet community
to fully understand the extent of this recent IOS issue, and to encourage
you to immediately update your IOS firmware if you haven't yet - if you're
one of those people thinking that you'll wait to patch because it's only a
DoS, you're in for a shock. Remote exploits that allow the compromise of
your router are apparently in circulation right now, and that is a bit
more serious than a simple denial of service attack.
23:05 *** gera [~email@example.com] has joined <CENSORED>
23:31 <superluck> nice, that lsd thing
23:33 <gera> uh, no way!
23:35 <superluck> I think it has something to do with a long unc
23:35 <superluck> or I don't know, I'm looking at how I can try to find it
23:44 <superluck> hey gerta
23:44 <superluck> gera
23:45 <superluck> they're talking about a GIGANTIC bug
23:45 <superluck> in ios
00:00 <gera> uh, where?!
00:01 <superluck> http://www.sprint.net/maintview/index.cgi
00:01 <superluck> look at this and be scared
00:04 <gera> juaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
00:05 <gera> who passed that to you?
00:08 <dvdman> the IOS exploit is getting funny now
00:09 <dvdman> mass Emergency Maintenance
00:20 <gera> and the best thing is how the bug can be easily exploited :-)
00:21 <superluck> gera, do you know anything?
00:23 <gera> can't talk
00:40 <dvdman> ya gera i know
00:40 <dvdman> we wrote 2 exploits already
00:40 <dvdman> the shellcode is hard though
00:41 <gera> we who? mmm
00:41 <gera> shellcode? nah, you blew it
00:41 <dvdman> my little group
00:41 <dvdman> two versions
00:41 <dvdman> one with IOS shellcode
00:41 <dvdman> one without
00:41 <gera> :-)
00:42 <superluck> when did it get leaked?
00:42 <superluck> how did the vendor find out?
00:42 <dvdman> no idea
00:42 <dvdman> supposedly
00:42 <dvdman> a version of an exploit was written by an internal cisco
00:42 <dvdman> worker
00:42 <dvdman> all hearsay
00:42 <dvdman> I heard it will be released tomorrow
00:42 <dvdman> the exploit
00:43 <superluck> by mike?
00:43 <dvdman> I don't know who
00:43 <dvdman> Just hearsay
00:44 <superluck> mm
00:44 <superluck> when did all of this happen?
00:44 <superluck> what can you do with this vul?
00:44 <dvdman> just wait and see
00:45 <superluck> why wait?
00:45 <dvdman> why not
00:45 <superluck> why yes?
00:46 <dvdman> hee
00:46 <superluck> I just want to know, what can you do to see how risky it
00:47 <dvdman> well
00:47 <dvdman> hit up sprint/rcn and cisco.com
00:47 <dvdman> and look at the maintenance sched.
00:47 <dvdman> then ask yourself :)
00:49 <superluck> where in cisco and where in rcn
00:54 <gera> bk
00:54 <gera> dvdman: I wonder how could you use a shellcode in that exploit if it doesn't lead to code execution
00:54 <gera> erm... probably different bug? I don't think there are two big bugs in a row... but of course, heh, it may be
00:54 <gera> anyway, what does your shellcode do? just give you a shell?
01:06 *** SignOff superluck: <CENSORED> (Read error: Connection reset by peer)
01:08 *** superluck [firstname.lastname@example.org] has joined <CENSORED>
01:32 <superluck> mm
01:46 *** SignOff superluck: <CENSORED> (Ping timeout: no data
01:50 *** superluck [email@example.com] has joined <CENSORED>
02:16 *** SignOff gera: <CENSORED>
After analyzing this log, it is also apparent that Cisco is aware of the
severity of this issue, since an internal Cisco worker had written an
exploit for this issue prior to the patch becoming available.
Thankfully, dvdman did not divulge the details to what is apparently a
complex exploitation scenario to this group of evildoers, as it is
observed that he promptly becomes idle when this "gera" character attempts
to get details on the matter from him.
This could also all be hearsay, but there seems to be enough credibility
to the matter that I would definitely take it seriously. dvdman is a
respected member of the infosecurity / efnet world, and is trusted with
"ops in nearly fifty channels, you can trust me" as he often states, and a
former researcher for Secure Network Operations Software, LTD.
Before details on the bug were publicly disclosed, he knew it could be
exploited without shellcode (the denial of service attack), and his team
managed to come up with a method for exploiting it with specially crafted
IOS shellcode. Since he knew the details of the "denial of service attack"
before that bit of information was public, I fully believe the rest of his
claims to be the absolute truth, and beg of you all to quickly update your
systems before a horrible worm is unleashed based on
l33tsecurity.com's private exploits for this bug.
Thank you and have a good day.
"Whitehat by day, booger at night - I'm the security snot."
- CISSP / CCNA / A+ Certified - www.unixclan.net/~booger/ -
Full-Disclosure - We believe in it.