[Full-Disclosure] The Truth of the Recent Cisco Bug

From: security snot (booger_at_unixclan.net)
Date: 07/22/03

    To: full-disclosure@lists.netsys.com
    Date: Tue, 22 Jul 2003 08:16:37 -0700 (PDT)
    
    

    Hello all,

    I recently came across information that suggests that the much-hyped Cisco
    IOS bug is not only a denial-of-service, but allows the execution of
    arbitrary code on a vulnerable device. Apparently, this bug was first
    discovered by dvdman of l33tsecurity.com, and his team was able to
    remotely exploit it in two ways - one with specialized IOS shellcode, and
    one without. I would interpret this to mean that the second method
    (without shellcode) is simply the DoS.

    The following information comes from some BitchX.away file on some box I
    was pentesting, of which I cannot disclose the name due to the strict NDA
    I am under. Posting this information is likely a violation of said NDA,
    but it seems that it will serve the greater good of the internet community
    to fully understand the extent of this recent IOS issue, and to encourage
    you to immediately update your IOS firmware if you haven't yet - if you're
    one of those people thinking that you'll wait to patch because it's only a
    DoS, you're in for a shock. Remote exploits that allow the compromise of
    your router are apparently in circulation right now, and that is a bit
    more serious than a simple denial of service attack.

    23:05 gera [~gera@200.68.65.245] has joined <CENSORED>
    23:31 <superluck> nice, the lsd thing
    23:33 <gera> uh, no way!
    23:35 <superluck> I think it has something to do with a long unc
    23:35 <superluck> or I don't know, I'm looking at how I can try to find it
    23:44 <superluck> hey gera
    23:44 <superluck> gera
    23:45 <superluck> they're talking about a GIGANTIC bug
    23:45 <superluck> in ios
    00:00 <gera> uh, where?!
    00:01 <superluck> http://www.sprint.net/maintview/index.cgi
    00:01 <superluck> look at this and be scared
    00:04 <gera> juaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    00:05 <gera> who passed you that?
    00:08 <dvdman> the IOS exploit is getting funny now
    00:09 <dvdman> mass Emergency Maintenance
    00:20 <gera> and the best thing is how the bug can be easily exploited :-)
    00:21 <superluck> gera do you know something?
    00:23 <gera> can't talk
    00:40 <dvdman> yeah gera i know
    00:40 <dvdman> we wrote 2 exploits already
    00:40 <dvdman> the shellcode is hard though
    00:41 <gera> we who? mmm
    00:41 <gera> shellcode? nah, you blew it
    00:41 <dvdman> my little group
    00:41 <dvdman> two versions
    00:41 <dvdman> one with IOS shellcode
    00:41 <dvdman> one without
    00:41 <gera> :-)
    00:42 <superluck> when did it get leaked?
    00:42 <superluck> how did the vendor find out?
    00:42 <dvdman> no idea
    00:42 <dvdman> supposedly
    00:42 <dvdman> a version of an exploit was written by an internal cisco
    00:42 <dvdman> worker
    00:42 <dvdman> all hearsay
    00:42 <dvdman> I heard it will be released tomorrow
    00:42 <dvdman> the exploit
    00:43 <superluck> by mike?
    00:43 <dvdman> I dont know who
    00:43 <dvdman> Just hearsay
    00:44 <superluck> mm
    00:44 <superluck> when did all of this happen?
    00:44 <superluck> what can you do with this vul?
    00:44 <dvdman> just wait and see
    00:45 <superluck> why wait?
    00:45 <dvdman> why not
    00:45 <superluck> why yes?
    00:46 <dvdman> hee
    00:46 <superluck> i just want to know, what can you do to see how risky it is
    00:47 <dvdman> well
    00:47 <dvdman> hit up sprint/rcn and cisco.com
    00:47 <dvdman> and look at the maintenance sched.
    00:47 <dvdman> then ask yourself :)
    00:49 <superluck> where in cisco and where in rcn
    00:54 <gera> bk
    00:54 <gera> dvdman: I wonder how you could use a shellcode in that exploit if it doesn't lead to code execution
    00:54 <gera> erm... probably different bug? I don't think there are two big bugs in a row... but of course, heh, it may be possible
    00:54 <gera> anyway, what does your shellcode do? just give you a shell?
    01:06 SignOff superluck: <CENSORED> (Read error: Connection reset by peer)
    01:08 superluck [luck@200.63.130.16] has joined <CENSORED>
    01:32 <superluck> mm
    01:46 SignOff superluck: <CENSORED> (Ping timeout: no data for 245 seconds)
    01:50 superluck [luck@200.63.129.185] has joined <CENSORED>
    02:16 SignOff gera: <CENSORED>

    After analyzing this log, it is also apparent that Cisco is aware of the
    severity of this issue, since an internal Cisco worker had written an
    exploit for this issue prior to the patch becoming available.

    Thankfully, dvdman did not divulge the details of what is apparently a
    complex exploitation scenario to this group of evildoers, as it is
    observed that he promptly becomes idle when this "gera" character attempts
    to get details on the matter from him.

    This could also all be hearsay, but there seems to be enough credibility
    to the matter that I would definitely take it seriously. dvdman is a
    respected member of the infosecurity / efnet world, and is trusted with
    "ops in nearly fifty channels, you can trust me" as he often states, and a
    former researcher for Secure Network Operations Software, LTD.

    Before details on the bug were publicly disclosed, he knew it could be
    exploited without shellcode (the denial of service attack), and his team
    managed to come up with a method for exploiting it with specially crafted
    IOS shellcode. Since he knew the details of the "denial of service attack"
    before that bit of information was public, I fully believe the rest of his
    claims to be the absolute truth, and beg of you all to quickly update your
    systems before a horrible worm is unleashed based off of
    l33tsecurity.com's private exploits for this bug.

    Thank you and have a good day.

    -security snot

    -----------------------------------------------------------
    "Whitehat by day, booger at night - I'm the security snot."
    - CISSP / CCNA / A+ Certified - www.unixclan.net/~booger/ -
    -----------------------------------------------------------
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

