Hello all, I recently came across information that suggests that the much-hyped Cisco IOS bug is not only a denial-of-service, but allows the execution of arbitrary code on a vulnerable device. Apparently, this bug was first discovered by dvdman of l33tsecurity.com, and his team was able to remotely exploit it in two ways - one with specialized IOS shellcode, and one without. I would interpret this to mean that the second method (without shellcode) is simply the DoS.
The following information comes from some BitchX.away file on some box I was pentesting, of which I cannot disclose the name due to the strict NDA I am under. Posting this information is likely a violation of said NDA, but it seems that it will serve the greater good of the internet community to fully understand the extent of this recent IOS issue, and to encourage you to immediately update your IOS firmware if you haven't yet - if you're one of those people thinking that you'll wait to patch because it's only a DoS, you're in for a shock. Remote exploits that allow the compromise of your router are apparently in circulation right now, and that is a bit more serious than a simple denial of service attack.

23:05 gera [EMAIL PROTECTED] has joined <CENSORED>
23:31 <superluck> nice, that lsd thing
23:33 <gera> uh, for sure!
23:35 <superluck> I think it has something to do with a long unc
23:35 <superluck> or I don't know, I'm looking at how I could try to find it
23:44 <superluck> hey gera
23:44 <superluck> gera
23:45 <superluck> they're talking about a GIANT bug
23:45 <superluck> in ios
00:00 <gera> uh, where?!
00:01 <superluck> http://www.sprint.net/maintview/index.cgi
00:01 <superluck> look at this and be scared
00:04 <gera> juaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
00:05 <gera> who passed you that?
00:08 <dvdman> the IOS exploit is getting funny now
00:09 <dvdman> mass Emergency Maintenance
00:20 <gera> and the best thing is how the bug can be easily exploited :-)
00:21 <superluck> gera do you know something?
00:23 <gera> can't talk
00:40 <dvdman> ya gera i know
00:40 <dvdman> we wrote 2 exploits already
00:40 <dvdman> the shellcode is hard though
00:41 <gera> we who? mmm
00:41 <gera> shellcode? nah, you blew it
00:41 <dvdman> my little group
00:41 <dvdman> two versions
00:41 <dvdman> one with IOS shellcode
00:41 <dvdman> one without
00:41 <gera> :-)
00:42 <superluck> when did it get leaked?
00:42 <superluck> how did the vendor find out?
00:42 <dvdman> no idea
00:42 <dvdman> supposedly
00:42 <dvdman> a version of an exploit was written by an internal cisco
00:42 <dvdman> worker
00:42 <dvdman> all hearsay
00:42 <dvdman> I heard it will be released tomorrow
00:42 <dvdman> the exploit
00:43 <superluck> by mike?
00:43 <dvdman> I dont know who
00:43 <dvdman> Just hearsay
00:44 <superluck> mm
00:44 <superluck> when did all of this happen?
00:44 <superluck> what can you do with this vul?
00:44 <dvdman> just wait and see
00:45 <superluck> why wait?
00:45 <dvdman> why not
00:45 <superluck> why yes?
00:46 <dvdman> hee
00:46 <superluck> i just want to know, what can you do, to see how risky it is
00:47 <dvdman> well
00:47 <dvdman> hit up sprint/rcn and cisco.com
00:47 <dvdman> and look at the maintenance sched.
00:47 <dvdman> then ask yourself :)
00:49 <superluck> where in cisco and where in rcn
00:54 <gera> bk
00:54 <gera> dvdman: I wonder how could you use a shellcode in that exploit if it doesn't lead to code execution
00:54 <gera> erm... probably different bug? I don't think there are two big bugs in a row... but of course, heh, it may be possible
00:54 <gera> anyway, what does your shellcode do? just give you a shell?
01:06 SignOff superluck: <CENSORED> (Read error: Connection reset by peer)
01:08 superluck [EMAIL PROTECTED] has joined <CENSORED>
01:32 <superluck> mm
01:46 SignOff superluck: <CENSORED> (Ping timeout: no data for 245 seconds)
01:50 superluck [EMAIL PROTECTED] has joined <CENSORED>
02:16 SignOff gera: <CENSORED>

After analyzing this log, it is also apparent that Cisco is aware of the severity of this issue, since an internal Cisco worker had written an exploit for this issue prior to the patch becoming available.
Thankfully, dvdman did not divulge the details of what is apparently a complex exploitation scenario to this group of evildoers, as it is observed that he promptly becomes idle when this "gera" character attempts to get details on the matter from him. This could also all be hearsay, but there seems to be enough credibility to the matter that I would definitely take it seriously. dvdman is a respected member of the infosecurity / efnet world, and is trusted with "ops in nearly fifty channels, you can trust me" as he often states, and a former researcher for Secure Network Operations Software, LTD. Before details on the bug were publicly disclosed, he knew it could be exploited without shellcode (the denial of service attack), and his team managed to come up with a method for exploiting it with specially crafted IOS shellcode. Since he knew the detail of the "denial of service attack" before that bit of information was public, I fully believe the rest of his claims to be the absolute truth, and beg of you all to quickly update your systems before a horrible worm is unleashed based off of l33tsecurity.com's private exploits for this bug. Thank you and have a good day.

-security snot

-----------------------------------------------------------
"Whitehat by day, booger at night - I'm the security snot."
- CISSP / CCNA / A+ Certified -
www.unixclan.net/~booger/
-----------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html