Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-08-03 Thread Edge, Ronald D
>> Kohl's owns the Internet?
>> Kohl's reserves the right to read my email I send my mom just because
>> it's on the Internet?
...
>The legal precedent for this is essentially "He who owns the network,
>owns the data" (with respect to an employee/employer relationship).
>It's a bit different for commercial ISPs.

>If your mom works at Kohls, don't email her there unless you want it
>read (unless you PGP/gnuPG it). Then again, they could just have Spector
>installed on the PC to capture screenshots/keystrokes of her at her
>"company computer" (also completely legal).

>~Mike.

Because of legal issues for corporations, both private and public, 
this is expanding even to phones. New policy here at IU effective
July 1 states that all staff using cell phones must buy their own
devices and service provider contracts. They will receive a flat 
monthly supplemental stipend (I get $75.00/mo, I have a Blackberry
that communicates with a BES server as well as phone service) to 
defray the costs of the use of their service for IU business.

It is general knowledge that one of the prime motivators for this
policy is to remove phone call content and logs from the various
laws that cover public information and its disclosure under open 
access laws covering public institutions.

The same is rapidly being applied to email. Over the past few years
I have migrated 98% of my personal email, including all that has
anything to do with my business interests, consulting, etc. that
are not related to my primary employment, to my own email server 
and accounts I run off site, in order to shield them from any and
all possible exposure/legal consequences.

Any business owns full rights over the email services they offer
their employees to do their job with. Bottom line.

Ron.

Ronald D. Edge
Director of Information Systems
Indiana University Intercollegiate Athletics
[EMAIL PROTECTED] (812)855-9010
http://iuhoosiers.com

"When nothing seems to help, I go and look at a stonecutter hammering away
at his rock perhaps 100 times without as much as a crack showing in it.
Yet at the 101st blow, it will split in two, and I know it was not that
blow that did it, but all that had gone before."


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-08-03 Thread Thierry Zoller
Dear  David Chastain,

DC> Has anyone heard of Proof-of-Concept material
DC> out of DEFCON on the CISCO fiasco?
No, as far as I know they didn't go far; maybe the black & white ball
somehow distracted them, or maybe it simply was the fact that not many
people understand Cisco IOS the way Lynn does? Who knows.

I think FX wasn't at Defcon this year (at least I didn't see him);
based on the work he did (ultimate ratio) I believe he should be able
to replicate easily. (imho)

-- 
Thierry Zoller
mailto:[EMAIL PROTECTED]




Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-08-02 Thread Ron DuFresne
On Mon, 1 Aug 2005, John Kinsella wrote:

> Hate having to explain a joke, but...
>

perhaps it wasn't tainted with enough irony or cynicism and sarcasm?


Thanks,

Ron DuFresne
-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-08-02 Thread David Chastain
Has anyone heard of Proof-of-Concept material out of DEFCON on the CISCO fiasco?


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-08-02 Thread bkfsec

Micheal Espinola Jr wrote:


> persuasion by possible threat of action/retaliation is still
> persuasion.


Yeah yeah yeah... and a sword is just a knife.

Technically, you're correct -- coercion is a form of persuasion.  
However, coercion is not all forms of persuasion, and that is the 
distinction that Steve was trying to make.  Coercion is to persuasion as 
a sword is to a knife.


Is one a subset of the other?  Sort of...

Are they used for the same thing?  Not at all... unless you cut butter 
with a sword, that is.



> You aren't forced to do it.  Children world-wide are
> taught right from wrong under this edict.

 

Personally, I buy the argument that we definitely do make choices in all 
regards... there's never not a choice.  However, as most general rules 
go, when applied to reality your results may vary.


Coercion forces someone's hand.  Let's take an example...

Someone sees you walking somewhere (I don't know.. to the store, 
perhaps...) and you're on the same side of the street that they're on.  
Something about you offends them and one of two scenarios happen:


1. The offended person says "Walk on the other side of the street."

2. The offended person either brandishes a gun in your face and says 
"Get on the other side of the street or you're dead!" or threatens to 
call the police on you.


In which scenario are you more likely to cross the street?

I don't know about you, but if someone just tells me to do something, 
I'm not terribly inclined to do it.  Why be put out of my way for the 
exclusive gain of a stranger?  Why should my rights be impinged upon 
because of someone else's oddness?


However, in the second example, I'd be more inclined to cross the street 
for the simple fact that crossing the street causes me less grief than 
being shot or dealing with someone making false accusations.


Coercion changes the nature of your choices.  All choices are not 
equal.  Any argument that they are, frankly, disregards reality.



> Your gun violence comparison is a bit over the top.

 

Not at all.  If Lynn is subjected to criminal prosecution, the gunpoint 
analogy will be entirely valid.


-Barry



Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-08-02 Thread bkfsec

Michael Holstein wrote:

 
> You bet! .. as it pertains to anything past their demarc at their
> properties, they're entirely free to log and review every packet that
> comes/goes.
>
> That means they can legally review your IM chats, go back and read
> your email from a month ago, whatever ...
>
> The legal precedent for this is essentially "He who owns the network,
> owns the data" (with respect to an employee/employer relationship).
> It's a bit different for commercial ISPs.




(Disclaimer: I'm not a lawyer)

Actually, it's even a bit more complicated than that.  Technically, you 
could copyright every e-mail sent to this list.  As long as you state 
that it is copyright to your legal name, it is, in fact, copyrighted.  
Of course, in the case that you send that e-mail to a public mailing 
list that you know is archived, it can clearly be argued that your work 
was intended to be distributed with license implied for all.  However, 
that doesn't remove ownership and limited monopoly.


It's not just that they're commercial ISPs versus private networks... 
what also matters is who's writing the material and what function 
they're serving when they write that material.  If you're working at XYZ 
Corp and you send out an e-mail, depending on your business arrangement 
that e-mail is probably copyrighted to XYZ Corp by default since you're 
acting as an agent of XYZ Corp. 

What makes it possible for us to examine any data which comes in contact 
with our networks is, essentially, fair use.  If someone transmits a 
copy of MS Windows XP across my network, do I own the packets that make 
it up?  Of course not... if that were true it would be possible to 
circumvent every copyright out there.  However, since that data was 
transmitted across my network, it's fair use for me to analyze it as it 
resides on my property.  This is particularly true if transmission was 
not instigated by the one doing the monitoring.


Sure, the company may own the databases that any packet captures may be 
on... but the content in those packet captures may still carry copyright 
requirements with it, depending on what it is and how constructable the 
data is.  Non-solicited transfer may be considered providing a limited 
license...


What happens in the event that mass numbers of copyrighted data 
including packets get misrouted?  I have no idea. :)


In either case, boiler plate restriction statements on e-mail sent to 
mailing lists are silly because they are almost definitely unenforceable.


   -Barry




Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-08-02 Thread Michael Holstein

> Wiretap Act doesn't apply to stored electronic communications.


Nor does it apply to those in realtime on privately owned networks (most 
of the Internet is privately-owned).


He who owns the network, owns the data which traverses it.

I believe this is the citation in question (1st District court of appeals) :

http://www.ca1.uscourts.gov/pdf.opinions/03-1383-01A.pdf

~Mike.


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-08-02 Thread Michael Holstein

> Kohl's owns the Internet?
> Kohl's reserves the right to read my email I send my mom just because
> it's on the Internet?


You bet! .. as it pertains to anything past their demarc at their 
properties, they're entirely free to log and review every packet that 
comes/goes.


That means they can legally review your IM chats, go back and read your 
email from a month ago, whatever ...


The legal precedent for this is essentially "He who owns the network, 
owns the data" (with respect to an employee/employer relationship). 
It's a bit different for commercial ISPs.


If your mom works at Kohls, don't email her there unless you want it 
read (unless you PGP/gnuPG it). Then again, they could just have Spector 
installed on the PC to capture screenshots/keystrokes of her at her 
"company computer" (also completely legal).


~Mike.


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-08-01 Thread Valdis . Kletnieks
On Mon, 01 Aug 2005 13:37:34 -1000, Jason Coombs said:
> Technica Forensis wrote:
> >>CAUTION:
> >>Internet and e-mail communications are Kohl's property and Kohl's reserves the
> >>right to retrieve and read any message created, sent and received.
           The crucial word ---^^^

> > Kohl's reserves the right to read my email I send my mom just because
> > it's on the Internet?
> > 
> > maybe you should go reread the wiretap act.
> 
> Wiretap Act doesn't apply to stored electronic communications.
> 
> Kohl's owns all of those communications, whether stored temporarily in 
> RAM or stored persistently to a hard drive.

Kohl's may indeed have some rights regarding *their* messages.  However,
their disclaimer (hopefully inadvertently) talks about "any" message, not
just "any Kohl's message".

I've seen stupider disclaimers, but this one is right up there.. 

Of course, if I were an opposing attorney, this sticking of "may contain
confidential information" on stuff posted to worldwide public mailing lists
could be a gold mine - obviously the company has *not a clue* what mail actually
has such info in it.  If obviously public mail has a broken inapplicable
disclaimer on it, maybe that other piece of mail I want to subpoena that has
the same exact disclaimer on it isn't in fact privileged either.




Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-08-01 Thread J.A. Terranson

> > can someone send me the famous Cisco IOS Shellcode Presentation ??
> > please..
> > my mail is [EMAIL PROTECTED]

WTF?  Just what kind of lazy, stupid, IGNORANT motherfucker are you?  Go
spend 15 seconds of YOUR OWN FUCKING TIME, and FETCH IT YOURSELF.

-- 
Yours,

J.A. Terranson
[EMAIL PROTECTED]
0xBD4A95BF


I like the idea of belief in drug-prohibition as a religion in that it is
a strongly held belief based on grossly insufficient evidence and
bolstered by faith born of intuitions flowing from the very beliefs they
are intended to support.

don zweig, M.D.



Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-08-01 Thread Ivan C
you can find it here
http://www.cryptome.org/


On 8/1/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> hi to all
> 
> can someone send me the famous Cisco IOS Shellcode Presentation ??
> please..
> my mail is [EMAIL PROTECTED]
> 
> 
> 


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-08-01 Thread Jason Coombs

Technica Forensis wrote:

> > CAUTION:
> > Internet and e-mail communications are Kohl's property and Kohl's reserves the
> > right to retrieve and read any message created, sent and received.
>
> Kohl's owns the Internet?
> Kohl's reserves the right to read my email I send my mom just because
> it's on the Internet?
>
> maybe you should go reread the wiretap act.


Wiretap Act doesn't apply to stored electronic communications.

Kohl's owns all of those communications, whether stored temporarily in 
RAM or stored persistently to a hard drive.


Regards,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-08-01 Thread Technica Forensis
> CAUTION:
> Internet and e-mail communications are Kohl's property and Kohl's reserves 
> the 
> right to retrieve and read any message created, sent and received.  

Kohl's owns the Internet?  
Kohl's reserves the right to read my email I send my mom just because
it's on the Internet?

maybe you should go reread the wiretap act.


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-08-01 Thread Andre Ludwig
anyone got the new cindy_nip_slip.rar with that blurry nip slip?

OMFG d00d itz 2lm0st lik3 sh3 1z da [EMAIL PROTECTED]

anyone getting a K:D ratio of 75%??  Damn my new razer mouse is
p0wning with an awp...

Anyone got links to the l33t chinese h4x0rz websites? 

D to da motha fuckin r  to da 3 beotches



On 8/1/05, John Kinsella <[EMAIL PROTECTED]> wrote:
> Hate having to explain a joke, but...
> 
> It's a usenet joke referring to "me too!" lamers.  Search Google Groups.
> 
> John
> 
> On Mon, Aug 01, 2005 at 10:45:04AM -0500, milw0rm Inc. wrote:
> > You must actually be on the Cindy Crawford mailing list then?  lmfao.
> >
> > /str0ke
> >
> > On 8/1/05, John Kinsella <[EMAIL PROTECTED]> wrote:
> > > This is getting like the Cindy Crawford mailing list...
> > >
> > > On Mon, Aug 01, 2005 at 03:55:02PM +0300, [EMAIL PROTECTED] wrote:
> > > > hi to all
> > > >
> > > > can someone send me the famous Cisco IOS Shellcode Presentation ??
> > > > please..
> > > > my mail is [EMAIL PROTECTED]
> > > >
> > > >
> > > >


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-08-01 Thread Jason Coombs

[EMAIL PROTECTED] wrote:
> It occurs to me that your solution is flawed as well.  What assurance do
> we have that your "protected storage" is future-proof (i.e. unbreachable
> by any means whatsoever)?


It doesn't have to be unbreachable by any means whatsoever, it has to be 
unbreachable from a remote location. This is easy to accomplish by not 
connecting the protected storage to a network interface.


The box can still be owned by an attacker who gains physical access to 
the device, but so what? The protected storage will never be owned by a 
JPEG and the CPU will never ignore its built-in machine code 
authentication logic because it would not be implemented in software or 
firmware.


Regards,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-08-01 Thread John Kinsella
Hate having to explain a joke, but...

It's a usenet joke referring to "me too!" lamers.  Search Google Groups.

John

On Mon, Aug 01, 2005 at 10:45:04AM -0500, milw0rm Inc. wrote:
> You must actually be on the Cindy Crawford mailing list then?  lmfao.
> 
> /str0ke
> 
> On 8/1/05, John Kinsella <[EMAIL PROTECTED]> wrote:
> > This is getting like the Cindy Crawford mailing list...
> > 
> > On Mon, Aug 01, 2005 at 03:55:02PM +0300, [EMAIL PROTECTED] wrote:
> > > hi to all
> > >
> > > can someone send me the famous Cisco IOS Shellcode Presentation ??
> > > please..
> > > my mail is [EMAIL PROTECTED]
> > >
> > >
> > >


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-08-01 Thread milw0rm Inc.
You must actually be on the Cindy Crawford mailing list then?  lmfao.

/str0ke

On 8/1/05, John Kinsella <[EMAIL PROTECTED]> wrote:
> This is getting like the Cindy Crawford mailing list...
> 
> On Mon, Aug 01, 2005 at 03:55:02PM +0300, [EMAIL PROTECTED] wrote:
> > hi to all
> >
> > can someone send me the famous Cisco IOS Shellcode Presentation ??
> > please..
> > my mail is [EMAIL PROTECTED]
> >
> >
> >


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-08-01 Thread Bart . Lansing

[EMAIL PROTECTED] wrote on 07/29/2005 09:28:31 PM:

> [EMAIL PROTECTED] wrote:
> > On Fri, 29 Jul 2005 15:02:51 -1000, Jason Coombs said:
> >>redesign, fundamentally, the Turing machine so that before each
> >>operation is performed a verification step is employed to ensure that
> >
> > Ahem. No.  You *can't* "ensure" it (although you *can* do things like
> > bounds checking to *minimize* issues).
> >
> > It's called the Turing Halting Problem
>
>
> We're not talking about proving/disproving the result of computation
> here, we're talking about a simple logical step inserted prior to
> transmission of operating instructions and data to a Turing machine.
>
> It does not invoke the Turing Halting Problem to ask the question
> "should the following opcode be sent to the CPU / should the opcode be
> read from memory and acted upon"?
>
> The simplest solution is to duplicate the machine code, placing one copy
> in a protected storage and requiring the CPU to confirm that both the
> active/RAM-resident copy and the protected storage copy match before
> proceeding with computation.
>
> This is superior to simply reading machine code from a protected storage
> because the point is that malicious arbitrary code that overwrites or
> reprograms or inserts itself into the runtime memory space of an active
> process would easily defeat a volatile copy of a non-volatile protected
> storage image of some machine code. Only by requiring the CPU to perform
> a validation of each opcode instruction but allowing the CPU to continue
> to behave in all other respects as it behaves today does the protection
> arise. Other approaches are possible, but the basic idea of a separate
> supply of bits useful for the runtime authentication of opcodes remains
> the same.
> 
> Turing has nothing to say on this subject because he never contemplated 
> it, to the best of my knowledge. Turing never tried to defend against 
> buffer overflows back in the 1930s, yet people invoke him as a sage 
> unerring philosopher of our time. Why?
> 
> Regards,
> 
> Jason Coombs
> [EMAIL PROTECTED]

Pardon my intrusion (or don't, either way...)

It occurs to me that your solution is flawed as well.  What assurance do 
we have that your "protected storage" is future-proof (i.e. unbreachable 
by any means whatsoever)?  Assuming it is not, you'll need to be prepared 
to have the "protected storage" verify itself against the "really 
protected storage", which has validated itself against the "exceptionally 
well looked after" storage, which was tested against the "superbly vaulted 
super-secret storage"...ad nauseam...before you can send instructions to 
the CPU with any absolute guarantee that the code it wants to run is 
legit.  As the ability to break into/compromise your vaulted storage and 
its children improves, one can logically project a situation where your 
proposed system is burning far more cycles validating itself than it can 
possibly spend doing its job.

Jason, et al, I appreciate that from a theoretical standpoint I am wildly 
out of my depth...but the underlying flaw in the logic of your premise has 
nothing to do with the technologies and everything to do with your basic 
assumptions. 


CONFIDENTIALITY NOTICE: 
This is a transmission from Kohl's Department Stores, Inc.
and may contain information which is confidential and proprietary.
If you are not the addressee, any disclosure, copying or distribution or use of 
the contents of this message is expressly prohibited.
If you have received this transmission in error, please destroy it and notify 
us immediately at 262-703-7000.

CAUTION:
Internet and e-mail communications are Kohl's property and Kohl's reserves the 
right to retrieve and read any message created, sent and received.  Kohl's 
reserves the right to monitor messages by authorized Kohl's Associates at any 
time without any further consent.
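The opcode-authentication idea Jason Coombs lays out in the message quoted above (a second copy of the machine code in a protected storage, checked against the RAM-resident copy before each instruction is executed), together with his later reply that the protected copy need only be unreachable by the running program rather than unbreakable by any means, and Bart's objection about the cycles spent validating, modelled as an added example. This is a toy machine written for this thread summary; it is not code from either poster, from Cisco, or from any real CPU, and the instruction set, memory map, program bytes and the corruption scenario are all constructed for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy machine: code lives in RAM at 0..CODE_SIZE-1, data above it.
 * Every instruction is two bytes: opcode, operand. */
#define MEM_SIZE  64
#define CODE_SIZE 16

enum opcode { OP_HALT = 0, OP_LOADI = 1, OP_ADDI = 2, OP_STORE = 3, OP_JMP = 4 };
enum status { ST_HALTED = 0, ST_CODE_TAMPERED = 1, ST_FAULT = 2 };

struct vm {
    uint8_t mem[MEM_SIZE];            /* RAM-resident code and data; STORE can reach all of it */
    uint8_t protected_copy[CODE_SIZE];/* "protected storage": written once at load, never by STORE */
    int acc, pc;
    long checks;                      /* opcode authentications performed (the cost Bart raises) */
    int tamper_pc;                    /* pc at which a mismatch was detected, else -1 */
};

static void vm_load(struct vm *vm, const uint8_t *code, size_t len) {
    memset(vm, 0, sizeof *vm);
    memcpy(vm->mem, code, len);
    memcpy(vm->protected_copy, code, len);  /* the only write the protected copy ever receives */
    vm->tamper_pc = -1;
}

/* Authenticate the instruction at pc: the RAM copy must match the protected
 * copy byte for byte. A fetch outside the authenticated region fails the same
 * way, so data cells can never be executed as code. */
static bool authenticate(struct vm *vm) {
    vm->checks++;
    if (vm->pc < 0 || vm->pc + 1 >= CODE_SIZE) return false;
    return vm->mem[vm->pc] == vm->protected_copy[vm->pc] &&
           vm->mem[vm->pc + 1] == vm->protected_copy[vm->pc + 1];
}

/* Run until HALT. check=true is Coombs' machine: authenticate, then execute.
 * check=false is a conventional CPU that executes whatever is in RAM. */
static enum status vm_run(struct vm *vm, bool check, int max_steps) {
    for (int step = 0; step < max_steps; step++) {
        if (check && !authenticate(vm)) { vm->tamper_pc = vm->pc; return ST_CODE_TAMPERED; }
        if (vm->pc < 0 || vm->pc + 1 >= MEM_SIZE) return ST_FAULT;
        uint8_t op = vm->mem[vm->pc], arg = vm->mem[vm->pc + 1];
        switch (op) {
        case OP_HALT:  return ST_HALTED;
        case OP_LOADI: vm->acc = arg;  vm->pc += 2; break;
        case OP_ADDI:  vm->acc += arg; vm->pc += 2; break;
        case OP_STORE: if (arg >= MEM_SIZE) return ST_FAULT;
                       vm->mem[arg] = (uint8_t)vm->acc; vm->pc += 2; break;
        case OP_JMP:   vm->pc = arg; break;
        default:       return ST_FAULT;
        }
    }
    return ST_FAULT;  /* step budget exhausted */
}

/* Constructed program: acc = 5 + 3, stored into the data area at cell 32. */
static const uint8_t program[] = {
    OP_LOADI, 5,
    OP_ADDI,  3,
    OP_STORE, 32,
    OP_HALT,  0,
};

/* Model of a stray write into code memory by something other than the loader
 * (the kind of overwrite of a running process's code that Coombs describes):
 * the ADDI at address 2 becomes LOADI 42. */
static void corrupt_code(struct vm *vm) {
    vm->mem[2] = OP_LOADI;
    vm->mem[3] = 42;
}

int run_clean(void) {            /* accumulator after a faithful run */
    struct vm vm; vm_load(&vm, program, sizeof program);
    return vm_run(&vm, true, 100) == ST_HALTED ? vm.acc : -1;
}
long clean_check_count(void) {   /* one authentication per executed instruction */
    struct vm vm; vm_load(&vm, program, sizeof program);
    vm_run(&vm, true, 100);
    return vm.checks;
}
int tampered_unchecked(void) {   /* conventional CPU executes the injected instruction */
    struct vm vm; vm_load(&vm, program, sizeof program);
    corrupt_code(&vm);
    return vm_run(&vm, false, 100) == ST_HALTED ? vm.acc : -1;
}
int tampered_checked(void) {     /* authenticating CPU refuses at the first mismatch */
    struct vm vm; vm_load(&vm, program, sizeof program);
    corrupt_code(&vm);
    return vm_run(&vm, true, 100) == ST_CODE_TAMPERED ? vm.tamper_pc : -1;
}

int main(void) {
    printf("clean run: acc=%d after %ld opcode checks\n", run_clean(), clean_check_count());
    printf("tampered, conventional CPU: acc=%d\n", tampered_unchecked());
    printf("tampered, authenticating CPU: refused at pc=%d\n", tampered_checked());
    return 0;
}
```

Two things the model makes visible. The regress Bart describes stops at one level here only because `protected_copy` is not an address the running program's STORE can reach at all, which is the property Coombs' reply relies on (no path from the program, or from a network interface, to the reference bits); whether real hardware can keep that promise is exactly what the thread is arguing about. The cost is the `checks` counter: one comparison of instruction width per executed instruction, a constant factor rather than a growing one, and the check validates only what is about to be executed, never the data the program writes.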


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-08-01 Thread John Kinsella
This is getting like the Cindy Crawford mailing list...

On Mon, Aug 01, 2005 at 03:55:02PM +0300, [EMAIL PROTECTED] wrote:
> hi to all
> 
> can someone send me the famous Cisco IOS Shellcode Presentation ??
> please..
> my mail is [EMAIL PROTECTED]
> 
> 
> 


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-08-01 Thread milw0rm Inc.
http://www.milw0rm.com/sploits/lynn-cisco.pdf

/str0ke

On 8/1/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> you didn't search a lot , do you know of google ? because I'm not
> sure fd is owning the searching market :>
> 
> http://www.google.com/search?hl=en&lr=&q=lynn+cisco+pdf
> 
> 
> At 14:55 01/08/05, [EMAIL PROTECTED] wrote:
> >hi to all
> >
> >can someone send me the famous Cisco IOS Shellcode Presentation ??
> >please..
> >my mail is [EMAIL PROTECTED]
> >
> >
> >
> 
> 
> 
> KEY: 0xA7C69C5F
> PRINT: 694C 3495 BCC4 2F8B D794  6BD4 AF8B 457B A7C6 9C5F
> 
> 
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.4.2rc2 (MingW32)
> 
> iQIVAwUBQu4fQK+LRXunxpxfAQK7VxAAmfSu2sLCkazkcqhLM6d5bpPGDjwQpudB
> JY4NVxJZzpyCpiSDBt4j9Pwyxvn7IQRJVwt1knypyGMESWTWeYUNYZrx1YZ1z3Ep
> +B+dY7u924FMNLiATkH7j6yWpjTD9rllmDOQxVFQ13GJRPN+noKKaaY6FvqA320s
> UyVUw6DBa6cO37TgnJgv0t4GuWSh4hVb6sevc9/0v6djdY8yc3pmPYckuIuJaFWL
> EYPmTS/K53AywL0+xgveubKzHwn1oDAoPzaH2KyiLxeXEaieyVDMAfSDAIxznNm1
> d11YvmJTU7bWWwIVw2B+wbySWfMxxjYN/wVaT6FV46VK60Mw70r6E2Uo9jboGc8F
> DgvUB2KocMEyoCAbf9vom0TkHsgw096JGBD7tNuikrNIKFDfiJg4Jhi3ne1+dE8j
> 1JZyLZJNXLGKyn9rV2qremAU4W/Gf534L4u3hrACTiiQjmW1sP0o+Yw8bxIxuXYy
> pdur3DRlnaB44Sa/RXcd72BWSdkMpIYRw2l2swSUc7HVz1eqH5Tx5kPsSwUv2xCn
> HmrjnnQCo8pZOesfrRvhvLNbaC1CD37B/Bw73R/vfHaiN1y6UURZX4pYEjsQlt82
> tkT2l2wI1f2kURX0wjnrF3C2cMypU08aEYxN4sOmThI/BetxD4sr5zrCAdj4kBRY
> zMnx0BqVYdo=
> =VD5+
> -END PGP SIGNATURE-
> 
> 


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-08-01 Thread [EMAIL PROTECTED]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

you didn't search a lot , do you know of google ? because I'm not 
sure fd is owning the searching market :>


http://www.google.com/search?hl=en&lr=&q=lynn+cisco+pdf


At 14:55 01/08/05, [EMAIL PROTECTED] wrote:

> hi to all
>
> can someone send me the famous Cisco IOS Shellcode Presentation ??
> please..
> my mail is [EMAIL PROTECTED]




KEY: 0xA7C69C5F
PRINT: 694C 3495 BCC4 2F8B D794  6BD4 AF8B 457B A7C6 9C5F






Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-31 Thread Ron DuFresne
On Sat, 30 Jul 2005, Micheal Espinola Jr wrote:

> It was Lynn's choice based on his statement to the press - and it was
> still his choice no matter what the coercion might have been.
>
> Larry had no right to take take that choice away, and I doubt anyone
> here has the right nor the first-hand knowledge in order to pass
> judgement on the reasons for Lynn's choice.
>
> Based on Lynn's statements his motivation was patriotic.  Who are we
> to judge that was not his intent for his intellectual property?
>


I made no judgement about Lynn or the choices he may or may not have made of
his own free will, did I?  If so, where did I make such judgements in my
post?  I merely questioned how "free" his choices were after deciding that
his employer was not going to stop him from pushing this information to
the masses.  Seems to me that his "freely" made recent choices were
influenced; I think that is easy to read into the events as they have
progressed, do you not also?


> I ask you, how do you know it wasn't?
>





Thanks,

Ron DuFresne

> On 7/29/05, Ron DuFresne <[EMAIL PROTECTED]> wrote:
> > On Fri, 29 Jul 2005, Micheal Espinola Jr wrote:
> >
> > > That was a real dickhead thing to do.  The guy that wrote that made an
> > > agreement with Cisco of his own free will.  Who do you think you are
> > > to go against an agreement he made, with his own information?
> > >
> > > I sincerely hope it bites you in the arse.
> > >
> >
> > Was it free will, or the threat of jail and other difficulties?
> >
> > After all, employment was not a show stopper for him, he quit to release
> > his findings and gain glory in the crowds at hacker fests.  So was it
> > really free will I ask again?
> >
> > Thanks,
> >
> > Ron DuFresne
> > --
> > "Sometimes you get the blues because your baby leaves you. Sometimes you 
> > get'em
> > 'cause she comes back." --B.B. King
> >***testing, only testing, and damn good at it too!***
> >
> > OK, so you're a Ph.D.  Just don't touch anything.
> >
> >
> >
>
>
>

-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-31 Thread Micheal Espinola Jr
persuasion by possible threat of action/retaliation is still
persuasion.  You aren't forced to do it.  Children world-wide are
taught right from wrong under this edict.

Given Lynn's statements to the press regarding his reasons to
cooperate, who's to say the level of coercion applied or required?

Your gun violence comparison is a bit over the top.


On 7/30/05, Steve Friedl <[EMAIL PROTECTED]> wrote:
> On Sat, Jul 30, 2005 at 05:16:15PM -0400, Micheal Espinola Jr wrote:
> > Coercion is simply influence.  You can be coerced into a choice, but
> > it's still your choice - regardless if people like it or not.
> 
> This obliterates any distinction between "coercion" and "persuasion",
> so why bother to have separate words? When you claim that "I have a gun
> to your head" is the same as "pretty please with sugar on top", you
> mark yourself as having a stunning poverty of perspective.
> 
> Steve
> 
> ---
> Stephen J Friedl | Security Consultant |  UNIX Wizard  |   +1 714 544-6561
> www.unixwiz.net  | Tustin, Calif. USA  | Microsoft MVP | [EMAIL PROTECTED]
> 


-- 
ME2  


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-30 Thread Steve Friedl
On Sat, Jul 30, 2005 at 05:16:15PM -0400, Micheal Espinola Jr wrote:
> Coercion is simply influence.  You can be coerced into a choice, but
> it's still your choice - regardless of whether people like it or not.

This obliterates any distinction between "coercion" and "persuasion",
so why bother to have separate words? When you claim that "I have a gun
to your head" is the same as "pretty please with sugar on top", you
mark yourself as having a stunning poverty of perspective.

Steve

--- 
Stephen J Friedl | Security Consultant |  UNIX Wizard  |   +1 714 544-6561
www.unixwiz.net  | Tustin, Calif. USA  | Microsoft MVP | [EMAIL PROTECTED]


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-30 Thread Micheal Espinola Jr
Coercion is simply influence.  You can be coerced into a choice, but
it's still your choice - regardless of whether people like it or not.

On 7/30/05, Steve Friedl <[EMAIL PROTECTED]> wrote:
> On Sat, Jul 30, 2005 at 12:53:49PM -0400, Micheal Espinola Jr wrote:
> > It was Lynn's choice based on his statement to the press - and it was
> > still his choice no matter what the coercion might have been.
> 
> This is a strange conflation of "choice" and "coercion"; most thoughtful
> people consider some level of the latter obliterating the former.
> 
> Steve
> 
> 


-- 
ME2  


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-30 Thread Steve Friedl
On Sat, Jul 30, 2005 at 12:53:49PM -0400, Micheal Espinola Jr wrote:
> It was Lynn's choice based on his statement to the press - and it was
> still his choice no matter what the coercion might have been.

This is a strange conflation of "choice" and "coercion"; most thoughtful
people consider some level of the latter obliterating the former.

Steve



Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-30 Thread Micheal Espinola Jr
It was Lynn's choice based on his statement to the press - and it was
still his choice no matter what the coercion might have been.

Larry had no right to take that choice away, and I doubt anyone
here has the right or the first-hand knowledge to pass
judgement on the reasons for Lynn's choice.

Based on Lynn's statements his motivation was patriotic.  Who are we
to judge that was not his intent for his intellectual property?

I ask you, how do you know it wasn't?

On 7/29/05, Ron DuFresne <[EMAIL PROTECTED]> wrote:
> On Fri, 29 Jul 2005, Micheal Espinola Jr wrote:
> 
> > That was a real dickhead thing to do.  The guy that wrote that made an
> > agreement with Cisco of his own free will.  Who do you think you are
> > to go against an agreement he made, with his own information?
> >
> > I sincerely hope it bites you in the arse.
> >
> 
> Was it free will, or the threat of jail and other difficulties?
> 
> After all, employment was not a show stopper for him; he quit to release
> his findings and gain glory in the crowds at hacker fests.  So was it
> really free will, I ask again?
> 
> Thanks,
> 
> Ron DuFresne
> --
> "Sometimes you get the blues because your baby leaves you. Sometimes you get'em
> 'cause she comes back." --B.B. King
> ***testing, only testing, and damn good at it too!***
> 
> OK, so you're a Ph.D.  Just don't touch anything.
> 
> 
> 


-- 
ME2  


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-30 Thread Geo.
> Anyhow, as for Cisco's DJs spinning "it's only an IPv6 thing you can all
> go home now...", isn't it humorous to see that IPv6 is supposed to be
> "that much more secure". Obviously I wouldn't believe Cisco when they
> state it's IPv6 based only; don't get me wrong, it's funny to see spin.

A few points.

1) Lynn was put onto this from something he found on a Chinese hacking site.
He hasn't actually said he invented this technique has he?

2) IPv6 is fairly common in Asia, isn't it? The "it's not an issue because
nobody uses IPv6" is a US centric viewpoint.

3) Cisco slipstreamed the patch and did a stealth release. The actual
advisory wasn't released until Lynn did his presentation.

4) If it's such a "who cares" type thing, why did Cisco try to snuff it out?
Obviously Cisco's spin and actions don't match here.

5) Given the above, is it possible that this bug and possibly this technique
of getting root on routers was being used to spy on people? Remember back in
the late 90's when some ISP in McLean VA "accidentally" rerouted half of
Europe thru their network which just happens to be where the CIA
headquarters are?

http://news.com.com/Router+glitch+cuts+Net+access/2100-1033_3-279235.html

This type of exploit would appear to me to be exactly the type of useful
thing that intelligence services would love. Look at the facts, you could
tunnel smtp and/or http traffic thru anywhere you wanted leaving icmp
traffic passing the normal routes so that a traceroute shows nothing
suspicious. Could you ask for more?

Geo.



Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-30 Thread lsi
> Just store the program in a frikking *ROM*, and disallow execution of
> opcodes from RAM.  It's called a Harvard architecture.

The problem with this will be speed, will it not?  It could be cached 
into RAM - but then it would be modifiable ... 

I also have a query relating to the assertion by Lynn that worms 
would be difficult to make, because different firmware has different 
offsets.  Surely this would be as simple as looping through a list:

if (firmware == x) { attackstring = ABC }
elseif (firmware == y) { attackstring = DEF }
elseif (firmware == z) { attackstring = GHI }
...
etc

Finally, I note from the narrative on tomsnetworking that while the 
presentation did not describe exactly how to make an attack script 
that gets root, it nonetheless showed off exactly that.  "At the 
beginning of his talk, Michael Lynn connected to a Cisco router, ran 
his shell script and obtained the "enable" prompt." [1]  

I thus conclude it's only a matter of time before an "autorooter" is 
developed for use against a wide variety of routers.

The window of vulnerability, which is at least three weeks old, 
opened wide on the 27th, and remains so.  No amount of legal 
posturing by anybody can change this.

[1] http://www.tomsnetworking.com/Sections-article131-page4.php

---
Stuart Udall
stuart [EMAIL PROTECTED] net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)



Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-30 Thread Pavel Kankovsky
On Fri, 29 Jul 2005, Frank Knobbe wrote:

> That means that the once thought-to-be-invulnerable boxes running IOS
> are in fact as vulnerable as a Windows boxes. Once you get process
> control, you can do whatever you like.

Hmm...the fact Cisco uses general purpose CPUs (e.g. PowerPC 4xx) in their
box has been shamelessly announced by "show version" for years. Perhaps
they should sue themselves?

The presentation is nice but it does not reveal anything you cannot find 
out yourself with a Cisco box to play with and a little bit of ingenuity.

But I can understand why they make so much fuss about it. Lynn told the 
people the emperor wears no clothes. Emperors always freak out when it 
happens.

> (What is TCB anyway? Certainly not Trusted Computing Base :)

No. It's Transmission Control Block. See RFC 793 "Transmission Control
Protocol".

"I don't know what this stands for, and neither did the people at Cisco I
spoke with", esp. the 2nd part, is something I find rather unbelievable.
Perhaps Lynn did not talk to the right people at Cisco. Or perhaps Cisco
has already finished its transformation to the modern kind of business and
got rid of anyone with a clue?

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."



Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Valdis . Kletnieks
On Fri, 29 Jul 2005 16:28:31 -1000, Jason Coombs said:

> We're not talking about proving/disproving the result of computation 
> here, we're talking about a simple logical step inserted prior to 
> transmission of operating instructions and data to a turing machine.

> It does not invoke the Turing Halting Problem to ask the question 
> "should the following opcode be sent to the CPU / should the opcode be 
> read from memory and acted upon" ?

Actually, it does.  Consider if the opcode is the one that moves the one
byte into an apparently innocuous location that eventually causes a program
malfunction. Remember the ntpd exploit? That started as a one-byte overlay ;)

LOAD    R7,DATA

Move the contents of the storage location 'DATA' to R7.  Should it do it?
It seems reasonable, right?

What if the *entire* code looks like:

LOAD    R7,DATA
LOAD    R3,FOO
LOAD    R9,OTHER
TEST    R9,23       Is it 23?
BNE     AROUND      If not, go around
DIVIDE  R3,R7       If it was 23, divide R3 by R7..
AROUND  ...

Have a nice divide-by-zero, on the house, compliments of Alan Turing.  You
certainly can't suggest that the DIVIDE do the checking - because that's the
operation that will finally detect the problem *ANYHOW*.  So where do you want
to flag it? When R9 is loaded? When R3 is? When R7 is?  When the program failed
to check for non-zero before it *stored* into DATA?

(And that one is only a few opcodes away - I once had the thrill of chasing
down a bug that didn't cause a problem on one system, and only caused a problem
on another after an intervening 6 million malloc() calls had allocated 200M
more heap. And even then, it was data dependent and only failed sometimes)

But yeah - hardware can check for that, no problem... ;)

> The simplest solution is to duplicate the machine code, placing one copy 
> in a protected storage and requiring the CPU to confirm that both the 
> active/RAM-resident copy and the protected storage copy match before 
> proceeding with computation.

Just store the program in a frikking *ROM*, and disallow execution of
opcodes from RAM.  It's called a Harvard architecture.

It can still be buggy and exploitable (although a lot harder - you're
essentially restricted to return-to-libc style attacks).

> Turing has nothing to say on this subject because he never contemplated 
> it, to the best of my knowledge. Turing never tried to defend against 
> buffer overflows back in the 1930s, yet people invoke him as a sage 
> unerring philosopher of our time. Why?

Actually, Turing didn't try to defend against buffer overflows because he was
busy working on much more subtle attacks.

Why do people invoke him as a sage?  Because he pointed out the very basic issues
of "data as programs" and "programs as data" that cause us so many problems today.
For instance, if you understood what Turing was talking about, you'd have been
able to just *know* that Javascript was going to be a continual source of
security headaches (how many Javascript bugs were because somebody didn't keep
straight if something was "code" or "data"?).

Or why Microsoft Word macros can be viruses, even though Word documents are
usually thought of as "data" - the problem is that the macro is allowed to be
introspective (and of course, a Word macro that *isn't* allowed to be introspective
is just *useless*.. ;)

But no, other than that, Turing didn't have a *clue* :)

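As an added illustration of the exchange above (not code from any of the original posts), the toy machine below runs the LOAD/TEST/BNE/DIVIDE program from the message with two checks applied before every instruction: a per-opcode well-formedness check, and the duplicate-copy comparison against a protected reference that was proposed earlier in the thread. The toy syntax, the register/memory model and the sample memory contents are constructed for the example; the point it shows is that both checks pass on every instruction and the divide-by-zero still depends only on the data.

```python
"""Toy machine for the LOAD/TEST/BNE/DIVIDE program quoted in the post.

Added example, not code from the original message. Two pre-execution checks
run before every instruction: a per-opcode validity check and a comparison of
the in-RAM program against a protected reference copy (the duplicate-copy
scheme proposed in the thread). Whether DIVIDE faults depends on the data.
"""
from dataclasses import dataclass, field

# Constructed program: the instruction sequence from the post, in this toy syntax.
PROGRAM = (
    ("LOAD", "R7", "DATA"),
    ("LOAD", "R3", "FOO"),
    ("LOAD", "R9", "OTHER"),
    ("TEST", "R9", 23),      # is R9 == 23?
    ("BNE", "AROUND"),       # if not, skip the divide
    ("DIVIDE", "R3", "R7"),  # R3 = R3 / R7
    ("AROUND",),             # label, modelled as a no-op
)

# Protected reference copy (stands in for ROM); constructed for the example.
REFERENCE = tuple(PROGRAM)

# Operand count per mnemonic, used by the per-opcode check.
ARITY = {"LOAD": 2, "TEST": 2, "BNE": 1, "DIVIDE": 2, "AROUND": 0}


def opcode_is_well_formed(instr):
    """Per-opcode check: known mnemonic with the right number of operands."""
    return instr[0] in ARITY and len(instr) - 1 == ARITY[instr[0]]


def code_matches_reference(ram_program, reference):
    """Integrity check: the in-RAM program equals the protected copy."""
    return tuple(ram_program) == tuple(reference)


@dataclass
class Run:
    regs: dict = field(default_factory=dict)
    checks_passed: int = 0   # instructions that passed both checks before executing
    faulted: bool = False
    fault_pc: int = -1
    fault: str = ""


def run_program(memory, program=PROGRAM, reference=REFERENCE):
    """Execute `program` over `memory`, running both checks before each step."""
    labels = {ins[0]: i for i, ins in enumerate(program) if len(ins) == 1}
    result = Run()
    equal = False
    pc = 0
    while pc < len(program):
        instr = program[pc]
        if not opcode_is_well_formed(instr):
            result.faulted, result.fault_pc, result.fault = True, pc, "bad opcode"
            return result
        if not code_matches_reference(program, reference):
            result.faulted, result.fault_pc, result.fault = True, pc, "code tampered"
            return result
        result.checks_passed += 1
        op = instr[0]
        if op == "LOAD":
            result.regs[instr[1]] = memory[instr[2]]
        elif op == "TEST":
            equal = result.regs[instr[1]] == instr[2]
        elif op == "BNE":
            if not equal:
                pc = labels[instr[1]]
                continue
        elif op == "DIVIDE":
            divisor = result.regs[instr[2]]
            if divisor == 0:
                # The only place the problem is observable: the operation itself.
                result.faulted, result.fault_pc, result.fault = True, pc, "divide by zero"
                return result
            result.regs[instr[1]] //= divisor
        pc += 1
    return result


if __name__ == "__main__":
    # Same verified code, three constructed memory images: faults only when
    # OTHER == 23 selects the divide AND DATA happens to hold zero.
    for mem in ({"DATA": 0, "FOO": 100, "OTHER": 23},
                {"DATA": 0, "FOO": 100, "OTHER": 7},
                {"DATA": 4, "FOO": 100, "OTHER": 23}):
        r = run_program(mem)
        status = ("FAULT at pc %d (%s)" % (r.fault_pc, r.fault) if r.faulted
                  else "ok, R3=%s" % r.regs.get("R3"))
        print(mem, "->", status, "| checks passed:", r.checks_passed)
    # What the duplicate-copy check does catch: a modified in-RAM program.
    tampered = list(PROGRAM)
    tampered[5] = ("DIVIDE", "R3", "R9")
    print("tampered ->", run_program({"DATA": 0, "FOO": 100, "OTHER": 23}, tampered).fault)
```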

Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Jason Coombs

[EMAIL PROTECTED] wrote:

> On Fri, 29 Jul 2005 15:02:51 -1000, Jason Coombs said:
> > redesign, fundamentally, the turing machine so that before each 
> > operation is performed a verification step is employed to ensure that 
>
> Ahem. No.  You *can't* "ensure" it (although you *can* do things like bounds
> checking to *minimize* issues).
>
> It's called the Turing Halting Problem

We're not talking about proving/disproving the result of computation 
here, we're talking about a simple logical step inserted prior to 
transmission of operating instructions and data to a turing machine.


It does not invoke the Turing Halting Problem to ask the question 
"should the following opcode be sent to the CPU / should the opcode be 
read from memory and acted upon" ?


The simplest solution is to duplicate the machine code, placing one copy 
in a protected storage and requiring the CPU to confirm that both the 
active/RAM-resident copy and the protected storage copy match before 
proceeding with computation.


This is superior to simply reading machine code from a protected storage 
because the point is that malicious arbitrary code that overwrites or 
reprograms or inserts itself into the runtime memory space of an active 
process would easily defeat a volatile copy of a non-volatile protected 
storage image of some machine code. Only by requiring the CPU to perform 
a validation of each opcode instruction but allowing the CPU to continue 
to behave in all other respects as it behaves today does the protection 
arise. Other approaches are possible, but the basic idea of a separate 
supply of bits useful for the runtime authentication of opcodes remains 
the same.


Turing has nothing to say on this subject because he never contemplated 
it, to the best of my knowledge. Turing never tried to defend against 
buffer overflows back in the 1930s, yet people invoke him as a sage 
unerring philosopher of our time. Why?


Regards,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Valdis . Kletnieks
On Fri, 29 Jul 2005 15:02:51 -1000, Jason Coombs said:

> There are any number of technical solutions that one could use to 
> redesign, fundamentally, the turing machine so that before each 
> operation is performed a verification step is employed to ensure that 
> the operation is the correct one in the correct sequence given prior 
> configuration settings loaded into memory at the time the device was 
> activated.

Ahem. No.  You *can't* "ensure" it (although you *can* do things like bounds
checking to *minimize* issues).

It's called the Turing Halting Problem, and in fact, the 'Turing machine' was
invented specifically to (a) show the problem for that simple architecture, and
then (b) show that all Turing-equivalent systems have the exact same problem.


RE: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Rodrigo Gutierrez
The beers today will be in your name ..

Regards

Rodrigo.-

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Larry
Blumenthal
Sent: Friday, 29 July 2005 11:07
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Cisco IOS Shellcode Presentation

Information wants to be free. 

Time to free it! 

Fuck Cisco! 





Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Jason Coombs

J.A. Terranson wrote:

> Also, that Cisco must fix was not the point of my argument.  I was trying
> to point out that Jason's basic premise that this was a grossly negligent
> act by Cisco is pure fiction.


Not at all -- you're simply constraining the discussion to all known 
CPUs and I'm referring to the duty that a company like Cisco obviously 
has to make a better mousetrap if they intend to sell it to millions of 
people and coax billions of people to rely on the devices.


There are any number of technical solutions that one could use to 
redesign, fundamentally, the turing machine so that before each 
operation is performed a verification step is employed to ensure that 
the operation is the correct one in the correct sequence given prior 
configuration settings loaded into memory at the time the device was 
activated.


Store the necessary security profile, which could very well be just 
another copy of the entire machine code, in a separate memory that can 
be accessed in parallel and used solely to verify that the operation 
about to be performed matches the operation that is supposed to be 
performed. Require a physical act by the owner of the device to populate 
the security profile data storage so that it cannot be automated through 
the execution of code, and you enable both the software 
reprogrammability of the computing device and the non-programmability 
feature that provides the proper security safeguard.


This is a very high-level explanation, to be sure, but there's no reason 
not to redesign the CPU if you're Cisco. Or if you're Microsoft, or 
Intel, or AMD, for that matter.


CPUs are unnecessarily-insecure by design, as a result of people running 
around saying that you just can't change the way that a turing machine 
operates. That's what's pure fiction. Turing machines don't need to be 
allowed to operate in a vacuum, they can be sanity-checked at runtime if 
anyone cares to do so.


I am not suggesting that such CPUs exist today, only that they should 
and that a company like Cisco knows this very well and chooses not to 
undertake this engineering challenge, presumably because it would cut 
into profits.


Regards,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread J.A. Terranson

On Fri, 29 Jul 2005 [EMAIL PROTECTED] wrote:

> or go with some exotic
> architecture like Intel's iAPX 432(*) or the IBM S/38, which are both "tagged"
> architectures, but hardly qualify as "general purpose".

S/38 (aka IBM's Future Program) was both a great idea, and every bit a
"general purpose processor".  Why it never caught on I never fully
understood.  Honestly, I hadn't thought of the tagged processors when I
answered Jason's rant - I was merely thinking of separated data and code,
but really, S38 would have been the right "final" answer.

You get the Gold Star :-)

-- 
Yours,

J.A. Terranson
[EMAIL PROTECTED]
0xBD4A95BF


"A stock broker is someone who handles your money until its all gone."
Diana Hubbard (of Scientology fame)


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread J.A. Terranson

On Fri, 29 Jul 2005, Frank Knobbe wrote:

> On Fri, 2005-07-29 at 18:57 -0500, J.A. Terranson wrote:
> > They fucked up.  They'll have to fix it then.  But that's not the same as
> > the gross negligence they're being accused of.
>
> I'm not sure they can fix that. Unless they add canaries to the stack
> and include other OpenBSD style W^X type checks.

Those are one option (one I don't like BTW).  Actually, I was alluding to
the Harvard Architecture.  But however they choose to do it, they'll
either have to fix it or suffer the financial consequences.  What they
*can't* do is put the genie back into the bottle - that particular genie
is getting gray hairs now!

Also, that Cisco must fix was not the point of my argument.  I was trying
to point out that Jason's basic premise that this was a grossly negligent
act by Cisco is pure fiction.

-- 
Yours,

J.A. Terranson
[EMAIL PROTECTED]
0xBD4A95BF


"A stock broker is someone who handles your money until its all gone."
Diana Hubbard (of Scientology fame)


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Andrew R. Reiter
On Fri, 29 Jul 2005, Frank Knobbe wrote:

:On Fri, 2005-07-29 at 18:57 -0500, J.A. Terranson wrote:
:> They fucked up.  They'll have to fix it then.  But that's not the same as
:> the gross negligence they're being accused of.
:
:I'm not sure they can fix that. Unless they add canaries to the stack
:and include other OpenBSD style W^X type checks. I mean, it's the same
:problem any OS that uses stacks faces. It's just that we now begin to
:see how things are laid out in IOS and gain information about its
:routines, how it works, and how to bypass watchdogs and such.

If you watched the presentation or have looked at anything Cisco IOS 
related, you'd know that stack usage is quite limited and, if I recall, 
they do have a canary-esque implementation.

:
:Cisco just has to be more careful with vulnerabilities now since they
:can be exploited better :)
:
:Cheers,
:Frank
:
:
:-- 
:Shame on Cisco. Double-Shame on ISS.
:
:

--
Andrew R. Reiter
[EMAIL PROTECTED]


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Valdis . Kletnieks
On Fri, 29 Jul 2005 18:57:15 CDT, "J.A. Terranson" said:

> This has nothing to do with the choice of "a general purpose CPU", it is a
> result of a specific architecture within the CPU chosen.  There is a real
> difference here.

Actually, although I've flamed Jason quite a bit, he *is* right in that the use
of *any* general purpose processor implies these sorts of vulnerabilities. The
*exact* results depend on things like the ABI they chose to use.  However,
saying "If they had used a different stack layout or different procedure call
conventions, none of this would have happened" is disingenuous. If you have an
ABI on anything we'd consider a "general purpose CPU", you have these same
*classes* of vulnerabilities.  The only way you can get rid of them is either to
not use a CPU at all (the FPGA/ASIC solution), or go with some exotic
architecture like Intel's iAPX 432(*) or the IBM S/38, which are both "tagged"
architectures, but hardly qualify as "general purpose".

Given the other choices, I can hardly say Cisco is guilty of *negligence*.
(On the other hand, if they used the word 'Unbreakable' to describe their
product, false advertising may be an issue.. ;)

(*) OK, so the 432 wasn't *really* able to provide much more than a hardware
implementation of Pascal-style type checking - the hidden 'gotcha' is that
it's fiendishly difficult to do operating system level coding on any sort
of B&D processor, because you can't typecast easily - and things like IOS
are almost entirely operating system level stuff...  In addition, you get
the performance penalties of hardware type checking)



Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Frank Knobbe
On Fri, 2005-07-29 at 18:57 -0500, J.A. Terranson wrote:
> They fucked up.  They'll have to fix it then.  But that's not the same as
> the gross negligence they're being accused of.

I'm not sure they can fix that. Unless they add canaries to the stack
and include other OpenBSD style W^X type checks. I mean, it's the same
problem any OS that uses stacks faces. It's just that we now begin to
see how things are laid out in IOS and gain information about its
routines, how it works, and how to bypass watchdogs and such.

Cisco just has to be more careful with vulnerabilities now since they
can be exploited better :)

Cheers,
Frank


-- 
Shame on Cisco. Double-Shame on ISS.



Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread J.A. Terranson

On Fri, 29 Jul 2005, Jason Coombs wrote:

> Frank Knobbe wrote:
> > What he has done is not say "Here's a bug that I can exploit". He has
> > said "This IOS is capable of exploitation beyond current belief". And it
> > will be for the foreseeable future.
>
>
> Precisely. And Lynn pointed out that Cisco routers use general purpose
> CPUs -- therefore Cisco's own engineers chose purposefully to build a
> vulnerable device.
>
> Cisco is responsible for this entire mess. Had they engineered a secure
> product around a CPU that was not general purpose, none of this would be

Jason, I both like and respect you, but you are wrong here.  You just flat
out don't know what you're talking about.

This has nothing to do with the choice of "a general purpose CPU", it is a
result of a specific architecture within the CPU chosen.  There is a real
difference here.

You're talking like this was a negligent choice made in total disregard of
known facts by Cisco, and that just isn't so.  And deep down, you *know*
that's true too (although it removes your premise and robs you of some
wonderful /rants).  Sure, Cisco chose a poor architecture, and we know
that today.  That doesn't mean that this was understood in the setting
under which the decisions were made.  This goes back a long
way.  The fact is, IOS is pretty well put together, and considering it's
running on an obviously deficient platform and has withstood all comers up
to now is pretty amazing.

They fucked up.  They'll have to fix it then.  But that's not the same as
the gross negligence they're being accused of.

I am not a Cisco fan, and Jason can attest to that.
Also, I own no stock or have any other interest in Cisco.


-- 
Yours,

J.A. Terranson
[EMAIL PROTECTED]
0xBD4A95BF


"A stock broker is someone who handles your money until its all gone."
Diana Hubbard (of Scientology fame)


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread J. Oquendo


Correct me if I'm wrong, obviously I wasn't at the presentation, but
Lynn's assertion of an attack (uploading and running things via the
router) is no different from a POC tool released a few years back called
Ultima Ratio http://www.phenoelit.de/ultimaratio/UltimaRatioVegas.c
probably just modified code from what I gather on what I've read thus far.
Anyhow, as for Cisco's DJs spinning "it's only an IPv6 thing you can all
go home now...", isn't it humorous to see that IPv6 is supposed to be
"that much more secure". Obviously I wouldn't believe Cisco when they
state it's IPv6 based only; don't get me wrong, it's funny to see spin.



=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x97B43D89
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x97B43D89

"To conquer the enemy without resorting to war is the most
desirable.  The highest form of generalship is to conquer
the enemy by strategy." - Sun Tzu


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Ron DuFresne
On Fri, 29 Jul 2005 [EMAIL PROTECTED] wrote:

> On Fri, 29 Jul 2005 16:38:26 CDT, Ron DuFresne said:
>
> > being that we'll all be retired and all this equipment replaced by the
> > time IPv6 becomes standard the threat is not as great then as it was first
> > made out to be then, correct?
>
> Part of the problem is that IOS includes IPv6 support by default.
>
> How many sites that don't do IPv6 didn't do a 'no ipv6 enable' and 'no ipv6
> address' on *every* interface?
>

IPv6 has been hyped as the security shim of all shims for TCP/IP.  Even
able to cure the common cold, if implemented prior to mass
rollout/acceptance.  Which is why we are seeing many security admins on
various platforms not paying attention to security 101 tenets: if it's
not needed, disable/remove it.

I'm guessing now that many in the *nix as well as router realms will now
pay a tad more heed to the basics?


Thanks,

Ron DuFresne
-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Valdis . Kletnieks
On Fri, 29 Jul 2005 16:38:26 CDT, Ron DuFresne said:

> being that we'll all be retired and all this equipment replaced by the
> time IPv6 becomes standard the threat is not as great then as it was first
> made out to be then, correct?

Part of the problem is that IOS includes IPv6 support by default.

How many sites that don't do IPv6 didn't do a 'no ipv6 enable' and 'no ipv6
address' on *every* interface?


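As an added example (not from any of the original posts), here is a small audit over a saved `show running-config` text that lists the interfaces still carrying `ipv6 enable` or an `ipv6 address`, the two per-interface settings the question above turns on. The sample configuration, hostname and addresses are constructed; `ipv6 unicast-routing` is assumed to be the global IPv6 forwarding command and is only reported, not treated as a per-interface trigger.

```python
"""Audit an IOS running-config dump for interfaces that still process IPv6.

Added example, not from the original message. Interface stanzas are parsed
from plain `show running-config` text; an interface is reported when it has
`ipv6 enable` (without a later-visible `no ipv6 enable`) or an `ipv6 address`
line. The sample configuration below is constructed for the example.
"""

# Constructed sample: a site that "doesn't do IPv6" but left it on two interfaces.
SAMPLE_CONFIG = """\
version 12.4
hostname edge-rtr
!
ipv6 unicast-routing
!
interface GigabitEthernet0/0
 description Uplink
 ip address 192.0.2.1 255.255.255.0
 ipv6 enable
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ipv6 enable
!
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
 ipv6 address 2001:db8::1/128
!
interface Vlan10
 ip address 192.0.2.129 255.255.255.128
!
end
"""


def parse_interfaces(config_text):
    """Return {interface_name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())   # indented sub-command
        else:
            current = None   # '!' or a top-level command ends the stanza
    return interfaces


def ipv6_exposure(config_text):
    """Map interface -> the config lines that turn IPv6 processing on for it.

    `no ipv6 enable` clears the `ipv6 enable` trigger for that interface; an
    explicit `ipv6 address` is still reported, since addressing an interface
    enables IPv6 on it regardless.
    """
    findings = {}
    for name, cmds in parse_interfaces(config_text).items():
        explicit_off = "no ipv6 enable" in cmds
        triggers = [c for c in cmds if c.startswith("ipv6 address ")]
        if "ipv6 enable" in cmds and not explicit_off:
            triggers.insert(0, "ipv6 enable")
        if triggers:
            findings[name] = triggers
    return findings


def global_ipv6_routing(config_text):
    """True when the global IPv6 forwarding command is present (assumed syntax)."""
    return any(l.strip() == "ipv6 unicast-routing" for l in config_text.splitlines())


if __name__ == "__main__":
    print("global ipv6 unicast-routing:", global_ipv6_routing(SAMPLE_CONFIG))
    for iface, lines in ipv6_exposure(SAMPLE_CONFIG).items():
        print("%-22s %s" % (iface, "; ".join(lines)))
```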

Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Valdis . Kletnieks
On Fri, 29 Jul 2005 23:17:48 +0200, Jochen Kaiser said:

> maybe I am wrong, but with high end switchrouter I thought that routing 
> protocols are handled by IOS by the cpu - after calculated, the topology 
> is programmed in e.g. TCAM memory.

That's the *point* - the CPU is what's vulnerable here.  A suggestion was made to
replace the CPU with an ASIC or FPGA.  I pointed out that if you did that, then
the ASIC would have to do BGP4, because otherwise there'd not be a routing table
loaded in the TCAM memory for the line cards to use.



Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Andrew R. Reiter

You shall be corrected.

On Fri, 29 Jul 2005, J. Oquendo wrote:

:
:
:Correct me if I'm wrong, obviously I wasn't at the presentation, but
:Lynn's assertion of an attack (uploading and running things via the
:router) is no different from a POC tool released a few years back called
:Ultima Ratio http://www.phenoelit.de/ultimaratio/UltimaRatioVegas.c,
:probably just modified code from what I gather on what I've read thus far.
:Anyhow, as for Cisco's DJs spinning "it's only an IPv6 thing, you can all
:go home now...", isn't it humorous to see that IPv6 is supposed to be
:"that much more secure". Obviously I wouldn't believe Cisco when they
:state it's IPv6 based only; don't get me wrong, it's funny to see spin.
:
:
:
:=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
:J. Oquendo
:GPG Key ID 0x97B43D89
:http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x97B43D89
:
:"To conquer the enemy without resorting to war is the most
:desirable.  The highest form of generalship is to conquer
:the enemy by strategy." - Sun Tzu
:
:

--
Andrew R. Reiter
[EMAIL PROTECTED]


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread J. Oquendo


Correct me if I'm wrong, obviously I wasn't at the presentation, but
Lynn's assertion of an attack (uploading and running things via the
router) is no different from a POC tool released a few years back called
Ultima Ratio http://www.phenoelit.de/ultimaratio/UltimaRatioVegas.c,
probably just modified code from what I gather on what I've read thus far.
Anyhow, as for Cisco's DJs spinning "it's only an IPv6 thing, you can all
go home now...", isn't it humorous to see that IPv6 is supposed to be
"that much more secure". Obviously I wouldn't believe Cisco when they
state it's IPv6 based only; don't get me wrong, it's funny to see spin.



=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x97B43D89
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x97B43D89

"To conquer the enemy without resorting to war is the most
desirable.  The highest form of generalship is to conquer
the enemy by strategy." - Sun Tzu


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Rachael Gomes
On Fri, Jul 29, 2005 at 08:07:20AM -0700, Larry Blumenthal said something to 
the effect of:

> Information wants to be free.
>
> Time to free it!

Okay!! you first!

Settle down, Cowboy.  Speak for yourself.  ;)
>
> Fuck Cisco!

Repeat previous comment.  :D

yPIImv,
--ra

> __
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around 
> http://mail.yahoo.com 

> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

-- 
rachael treu-gomes    [EMAIL PROTECTED]
   ..quis custodiet ipsos custodes?..

(this email has been brought to you by the letters 'v' and 'i'.)



Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Ron DuFresne
On Fri, 29 Jul 2005, Jason Coombs wrote:

> Madison, Marc wrote:
> >  Am I missing something here, because it seems that two vulnerabilities
> > are being discussed, one is the IPv6 DOS
> > http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml.  And
> > the other is Lynn's presentation on shellcode execution via the IOS?
>
> Did you read the advisory? It is not solely a DoS threat.
>
> "Cisco Internetwork Operating System (IOS ) Software is vulnerable to a
> Denial of Service (DoS) and potentially an arbitrary code execution
> attack from a specifically crafted IPv6 packet."

Being that we'll all be retired and all this equipment replaced by the
time IPv6 becomes standard, the threat is not as great as it was first
made out to be, correct?





Thanks,

Ron DuFresne




Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Jason Coombs

Madison, Marc wrote:

>  Am I missing something here, because it seems that two vulnerabilities
> are being discussed, one is the IPv6 DOS
> http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml.  And
> the other is Lynn's presentation on shellcode execution via the IOS?


Did you read the advisory? It is not solely a DoS threat.

"Cisco Internetwork Operating System (IOS ) Software is vulnerable to a 
Denial of Service (DoS) and potentially an arbitrary code execution 
attack from a specifically crafted IPv6 packet."



Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Ron DuFresne
On Fri, 29 Jul 2005, KF (lists) wrote:

> Trying to Stifle information is a real dickhead thing to do also...
>
> I'm just waiting for someone to toss the DMCA into all of this. =]


CERT and DHS are bigger cards in the game than the DMCA.


Thanks,

Ron DuFresne
-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Ron DuFresne
On Fri, 29 Jul 2005, Micheal Espinola Jr wrote:

> That was a real dickhead thing to do.  The guy that wrote that made an
> agreement with Cisco of his own free will.  Who do you think you are
> to go against an agreement he made, with his own information?
>
> I sincerely hope it bites you in the arse.
>

Was it free will, or the threat of jail and other difficulties?

After all, employment was not a show stopper for him; he quit to release
his findings and gain glory in the crowds at hacker fests.  So was it
really free will, I ask again?

Thanks,

Ron DuFresne
-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Jochen Kaiser
On Fri, Jul 29, 2005 at 05:10:12PM -0400, [EMAIL PROTECTED] wrote:
> On Fri, 29 Jul 2005 15:33:19 CDT, Randall Perry said:
> 
> > Even for producing less than 500 units there are vendors ready to jump at 
> > the
> > chance to replace FPGA setups (because we are talking about complex 2k+ 
> > gate count).
> 
> More like 2M+ gate count.  Remember, you have to do BGP4 in silicon. ;)
> 

Maybe I am wrong, but with high-end switch-routers I thought that routing
protocols are handled by IOS on the CPU; after calculation, the topology
is programmed into e.g. TCAM memory.

IMHO no FPGAs here.
Please correct me.

greets
jk



Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Valdis . Kletnieks
On Fri, 29 Jul 2005 15:33:19 CDT, Randall Perry said:

> Even for producing less than 500 units there are vendors ready to jump at the
> chance to replace FPGA setups (because we are talking about complex 2k+ gate 
> count).

More like 2M+ gate count.  Remember, you have to do BGP4 in silicon. ;)

> Just give Oxford Semiconductor or AMI a call.

I don't think Oxford Semiconductor would be able to deal - looks like they're
mostly in the FireWire/USB arena.  AMI has a 2M gate part, but it has a top
clock speed of 100 MHz
(http://www.amis.com/asics/structured_asics/XPressArray.html),
which would be borderline in the high-end routers.




Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Jason




> Second, the exploit is limited to local network segment, except it seems to
> me a worm that spreads from router to router could spread via the local
> network since a local network segment is usually defined as the wire between
> two routers.. Infection would spread from one router to its peers, to those
> peers, etc. (please correct me if I'm wrong)


The different local segments are rarely connected via like routers with 
like images. You might get several local segments but then you have the 
edges which are almost always a different model.


Today it is unlikely that the ipv6 issue could cause widespread outage
since it cannot traverse routers. There may very well be other issues 
discovered that can traverse routers but they are still unlikely to be 
successful as a self propagating worm in large scale.


It is likely very feasible to infect like systems and even potentially 
several different systems with a worm but the overhead and timings 
involved push that reality out a little bit on the threat time line. A 
nation might have done this work already but I am doubtful they would 
release it without good cause.


The risk goes up significantly when Cisco moves to a virtualized process 
space since become very likely.



Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Randall Perry
Quoting [EMAIL PROTECTED]:
 
> Your only perfect defense here is implementing all of it in a custom ASIC,
> which in itself is insane - if a logic or timing bug is found, you're
> looking at having to do a hardware replacement rather than just downloading
> a new software load.  You can cut some of the pain with an FPGA, but that's
> still a whole different league than a software solution.

System-on-a-chip design can be very cost effective when used on a massive scale.
(just look at 3M cards from Newcomm used in the [formerly] Hughes satellite
network).

When embedded into a familiar form-factor (like a credit card or smart card),
replacements for updates are easy.  Thousands upon thousands of users performing
user-friendly updates with a simple card swap.

Even for producing less than 500 units there are vendors ready to jump at the
chance to replace FPGA setups (because we are talking about complex 2k+ gate
count).

Unlike PCs, the design wouldn't have to be retooled with every lunar cycle.
Maybe once every 6 months or a year.

Just give Oxford Semiconductor or AMI a call.

> You think debugging a BGP wedgie(*) is tough now, remember that even IOS is
> able to do a small amount of introspection and tell you what's going on.

Is that what you call what you do to someone who provides 'fault tolerance'
through round-robin DNS? A BGP wedgie?

> almost impossible with an ASIC or FPGA based solution...
> 
> (*) Yes, it's really called that.  Google for 'BGP Wedgie' if you don't
> believe me. :)

Ah, flashbacks of high school.

-RandallP
   \|/
/\- O -
\  /__\/\  /|\  /
 \/\/\/  \_/




Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread John Kinsella
Lynn's is not a vulnerability per se, in my mind, but a way to take a
vulnerability and turn it into Something Useful.

John

On Fri, Jul 29, 2005 at 03:02:38PM -0500, Madison, Marc wrote:
>  Am I missing something here, because it seems that two vulnerabilities
> are being discussed, one is the IPv6 DOS
> http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml.  And
> the other is Lynn's presentation on shellcode execution via the IOS?
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Geo.
> Sent: Friday, July 29, 2005 2:57 PM
> To: full-disclosure@lists.grok.org.uk
> Subject: RE: [Full-disclosure] Cisco IOS Shellcode Presentation
> 
> >>Read the advisory a bit closer. Here the relevant lines:
> "Products that are not running Cisco IOS are not affected.
> Products running any version of Cisco IOS that do not have IPv6
> configured interfaces are not vulnerable."
> 
> Yes, IOS versions that have the fix, or that don't even run IPv6 are not
> *vulnerable*. But all IOS versions are *affected* by the *mechanism* he
> described. <<
> 
> It's actually a bit worse than that, IPv6 is enabled on all interfaces,
> you have to execute the "no ipv6 enable" and "no ipv6 address" commands on
> each interface to disable it.
> 
> Second, the exploit is limited to local network segment, except it seems
> to me a worm that spreads from router to router could spread via the
> local network since a local network segment is usually defined as the
> wire between two routers.. Infection would spread from one router to
> its peers, to those peers, etc. (please correct me if I'm wrong)
> 
> Geo.
> 
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 
> 
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Steve Friedl
On Fri, Jul 29, 2005 at 04:06:58PM -0400, Tim wrote:
> However, let me ask you this (as I truly don't know):  Did Intel
> advertise to OS makers that they should never allow two processes of
> different access rights to use the two virtual CPUs at the same time?
> If it wasn't documented, then it surely was their fault.  If it was
> documented, then it really does cut down on the benefit of the feature.

If this is the hyperthreading cache timing thing:

http://www.daemonology.net/hyperthreading-considered-harmful/

it's not nearly so simple as one thread stealing from the cache of
another: there is no data sharing going on. Instead, one thread can get
some vague hints about what's in the other guy's cache by watching the
timing of his *own* cache.

It's a bit of *outstanding* technical work, but I think it has really
limited impact in the real world. Even in carefully controlled conditions
it's going to be difficult to make this work, and I think that on a busy
server it's going to be nearly impossible to even know at the instruction
level which other process is running on the other thread.  (by the time
you figure out that openssh has been scheduled, it's too late).

Unless I hear a lot more about this than I've seen so far, I would not
give this matter a thought.

Steve

-- 
Stephen J Friedl | Security Consultant |  UNIX Wizard  |   +1 714 544-6561
www.unixwiz.net  | Tustin, Calif. USA  | Microsoft MVP | [EMAIL PROTECTED]


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Tim
> :Intel screwed up their design of hyperthreading with caches, and as a
> :result, local users can steal data from one another.
> 
> Intel did?  How's that?  This cache issue has been a problem before at 
> different levels.  You're stating that it's the CPU's job to determine 
> scheduling of what threads are running on the HTT enabled CPU.  Do you 
> want another cache for each 'virtual' cpu?  Sounds like you might just 
> want to go the next step and do a true MP system instead of virtual :).  
> I'd blame the OS scheduler before Intel with regards to this cache issue.

I admit I am not expert on this issue.  I merely brought it up to
illustrate a point.

However, let me ask you this (as I truly don't know):  Did Intel
advertise to OS makers that they should never allow two processes of
different access rights to use the two virtual CPUs at the same time?
If it wasn't documented, then it surely was their fault.  If it was
documented, then it really does cut down on the benefit of the feature.

tim


RE: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Madison, Marc
 Am I missing something here, because it seems that two vulnerabilities
are being discussed, one is the IPv6 DOS
http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml.  And
the other is Lynn's presentation on shellcode execution via the IOS?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Geo.
Sent: Friday, July 29, 2005 2:57 PM
To: full-disclosure@lists.grok.org.uk
Subject: RE: [Full-disclosure] Cisco IOS Shellcode Presentation

>>Read the advisory a bit closer. Here the relevant lines:
"Products that are not running Cisco IOS are not affected.
Products running any version of Cisco IOS that do not have IPv6
configured interfaces are not vulnerable."

Yes, IOS versions that have the fix, or that don't even run IPv6 are not
*vulnerable*. But all IOS versions are *affected* by the *mechanism* he
described. <<

It's actually a bit worse than that, IPv6 is enabled on all interfaces,
you have to execute the "no ipv6 enable" and "no ipv6 address" commands on
each interface to disable it.

Second, the exploit is limited to local network segment, except it seems
to me a worm that spreads from router to router could spread via the
local network since a local network segment is usually defined as the
wire between two routers.. Infection would spread from one router to
its peers, to those peers, etc. (please correct me if I'm wrong)

Geo.



Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Andrew R. Reiter
On Fri, 29 Jul 2005, Tim wrote:

:> How about adopting an architecture that incorporates special-purpose 
:> security safeguards into the CPU? Routers and switches don't need to 
:> execute arbitrary code, Cisco knows ahead of time, before they deploy a 
:> product, what code that product should be allowed to execute.
:> 
:> Do you think there is no way in hardware to limit the code that gets 
:> executed? Maybe you should join the FBI.
:
:Hardware has bugs too.
:
:Arbitrary code execution isn't too hard on the XBox, for instance, even
:with complex crypto checks.
:
:Intel screwed up their design of hyperthreading with caches, and as a
:result, local users can steal data from one another.

Intel did?  How's that?  This cache issue has been a problem before at 
different levels.  You're stating that it's the CPU's job to determine 
scheduling of what threads are running on the HTT enabled CPU.  Do you 
want another cache for each 'virtual' cpu?  Sounds like you might just 
want to go the next step and do a true MP system instead of virtual :).  
I'd blame the OS scheduler before Intel with regards to this cache issue.



:
:I think your broad suggestion is flawed.  Perhaps the only reason we
:*don't* see as many hardware-based bugs, is that when you are getting
:ready to put something in hardware, you are generally more interested in
:getting it right the first time, given the production costs.  The 
:problem is, the mode of failure is astronomically worse, as you can't
:easily patch any problems that do crop up.

I agree and disagree. I think if there were folks (kiddies) out there who
could understand hardware design ins and outs like they do PHP scripting,
you'd find that there might be more bugs published in that arena.
However, your point regarding "getting it right" is a good one... cost is
key when doing hardware, so ensuring things are done "right" in the
beginning is key.


:
:On another note:
:The unfortunately common misconception that 'appliances' are safe
:because they are "hardware devices" really needs to go.  Everything is a
:combination of hardware and software, and that's how it should be, from
:an engineering perspective.  
:
:From a security perspective, software should be viewed as a living thing
:that constantly needs feeding, whether it is on a funny-looking
:rackmount proprietary computer, in your mobile phone, or on your
:desktop.
:
:tim

--
Andrew R. Reiter
[EMAIL PROTECTED]


RE: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Geo.
>>Read the advisory a bit closer. Here the relevant lines:
"Products that are not running Cisco IOS are not affected.
Products running any version of Cisco IOS that do not have IPv6
configured interfaces are not vulnerable."

Yes, IOS versions that have the fix, or that don't even run IPv6 are not
*vulnerable*. But all IOS versions are *affected* by the *mechanism* he
described. <<

It's actually a bit worse than that, IPv6 is enabled on all interfaces, you
have to execute the "no ipv6 enable" and "no ipv6 address" commands on each
interface to disable it.

Second, the exploit is limited to local network segment, except it seems to
me a worm that spreads from router to router could spread via the local
network since a local network segment is usually defined as the wire between
two routers.. Infection would spread from one router to its peers, to those
peers, etc. (please correct me if I'm wrong)

Geo.

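Geo. (this post) and Valdis (earlier on the page) both point to the same per-interface check: whether "no ipv6 enable" / "no ipv6 address" was actually applied everywhere. As an added example that is not code from any poster, here is a small Python audit that scans a saved IOS running-config text and lists interfaces that still carry an "ipv6 enable" or "ipv6 address" line. The sample config is constructed; the parser assumes the usual running-config layout (an "interface NAME" line followed by indented commands, ended by "!"), and it can only report what is written in the text, not platform defaults.

```python
"""Audit a saved Cisco IOS running-config for interfaces with IPv6 configured.

Added example, not code from any poster on this thread. It reads only the
text of a config dump, so it reports what is explicitly configured and
cannot see platform defaults.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the shape of 'show running-config' output.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/0
 description uplink
 ip address 192.0.2.1 255.255.255.0
 ipv6 address 2001:db8::1/64
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ipv6 enable
!
interface GigabitEthernet0/2
 ip address 203.0.113.1 255.255.255.0
 no ipv6 enable
!
interface Loopback0
 ip address 192.0.2.254 255.255.255.255
!
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)")


@dataclass
class Interface:
    name: str
    # Explicit 'ipv6 enable' / 'ipv6 address ...' lines seen in the block.
    ipv6_lines: List[str] = field(default_factory=list)
    # True when the block carries 'no ipv6 enable'.
    explicitly_disabled: bool = False

    @property
    def ipv6_configured(self) -> bool:
        # Any enable/address line means IPv6 is switched on for this interface.
        return bool(self.ipv6_lines)


def parse_interfaces(config: str) -> List[Interface]:
    """Split the config into interface blocks and collect their IPv6 lines."""
    interfaces: List[Interface] = []
    current: Optional[Interface] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        match = IFACE_RE.match(line)
        if match:
            current = Interface(name=match.group(1))
            interfaces.append(current)
            continue
        if current is None or not line.startswith(" "):
            current = None  # '!' or a top-level command closes the block
            continue
        cmd = " ".join(line.split())  # normalise indentation and spacing
        if cmd == "no ipv6 enable":
            current.explicitly_disabled = True
        elif cmd == "ipv6 enable" or cmd.startswith("ipv6 address "):
            current.ipv6_lines.append(cmd)
    return interfaces


def audit(config: str) -> Dict[str, str]:
    """Map each interface name to a human-readable IPv6 state."""
    result: Dict[str, str] = {}
    for iface in parse_interfaces(config):
        if iface.ipv6_configured:
            result[iface.name] = "IPv6 CONFIGURED: " + "; ".join(iface.ipv6_lines)
        elif iface.explicitly_disabled:
            result[iface.name] = "explicitly disabled (no ipv6 enable)"
        else:
            result[iface.name] = "no explicit IPv6 lines (check platform default)"
    return result


def interfaces_with_ipv6(config: str) -> List[str]:
    """Names of interfaces that still have IPv6 switched on in the text."""
    return [i.name for i in parse_interfaces(config) if i.ipv6_configured]


if __name__ == "__main__":
    for name, state in audit(SAMPLE_CONFIG).items():
        print(f"{name:24} {state}")
```

Because the script only sees explicit lines, interfaces reported as "no explicit IPv6 lines" still need to be confirmed on the device itself (for example with `show ipv6 interface brief`).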


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Tim
> How about adopting an architecture that incorporates special-purpose 
> security safeguards into the CPU? Routers and switches don't need to 
> execute arbitrary code, Cisco knows ahead of time, before they deploy a 
> product, what code that product should be allowed to execute.
> 
> Do you think there is no way in hardware to limit the code that gets 
> executed? Maybe you should join the FBI.

Hardware has bugs too.

Arbitrary code execution isn't too hard on the XBox, for instance, even
with complex crypto checks.

Intel screwed up their design of hyperthreading with caches, and as a
result, local users can steal data from one another.

I think your broad suggestion is flawed.  Perhaps the only reason we
*don't* see as many hardware-based bugs, is that when you are getting
ready to put something in hardware, you are generally more interested in
getting it right the first time, given the production costs.  The 
problem is, the mode of failure is astronomically worse, as you can't
easily patch any problems that do crop up.

On another note:
The unfortunately common misconception that 'appliances' are safe
because they are "hardware devices" really needs to go.  Everything is a
combination of hardware and software, and that's how it should be, from
an engineering perspective.  

From a security perspective, software should be viewed as a living thing
that constantly needs feeding, whether it is on a funny-looking
rackmount proprietary computer, in your mobile phone, or on your
desktop.

tim


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Valdis . Kletnieks
On Fri, 29 Jul 2005 08:29:35 -1000, Jason Coombs said:

> Precisely. And Lynn pointed out that Cisco routers use general purpose 
> CPUs -- therefore Cisco's own engineers chose purposefully to build a 
> vulnerable device.

All von Neumann architecture processors are equally vulnerable in theory. About
all you can do is fix the boot loader and early kernel code to emulate a
Harvard architecture (basically, 2 separate memory spaces, one for instructions
and one for code, and never the twain shall meet).  At that point, things are a
little better.

However, both von Neumann and Harvard systems are Turing-complete, and therefore
have innate theoretical limits (see the Turing Halting Problem for details, and
Fred Cohen showed over 20 years ago that the detection of malware is a
Turing-equivalent problem).

Your only perfect defense here is implementing all of it in a custom ASIC,
which in itself is insane - if a logic or timing bug is found, you're looking
at having to do a hardware replacement rather than just downloading a new
software load.  You can cut some of the pain with an FPGA, but that's still a
whole different league than a software solution.

You think debugging a BGP wedgie(*) is tough now, remember that even IOS is
able to do a small amount of introspection and tell you what's going on. That's
almost impossible with an ASIC or FPGA based solution...

(*) Yes, it's really called that.  Google for 'BGP Wedgie' if you don't believe 
me. :)



RE: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Andrew R. Reiter
On Fri, 29 Jul 2005, Eric Lauzon wrote:

: 
:So much fuss, it's all so new ..
:
:
:http://www.phrack.org/phrack/56/p56-0x0a
:
:
:-elz

I don't get your point; it obviously seems you're trying to be sarcastic.

I think, if you realize what you're talking about, the point of the talk
was the idea of reliably being able to exploit an IOS vulnerability.
Reliably meaning having the Cisco box not reboot on you (or other various
scenarios that could occur).

Gaius has some good information there, but there's a difference between
being on a router and plugging in backdoor code and actually being able to
get onto the router via an exploit.

So what was the key point?  CHECK HEAPS -- the idle proc that kicks in to
validate heap management structures.  Think about malloc() bugs (double
free()s and stuff) that were talked about a few years back... Those were
easier to exploit b/c they didn't have a check heaps code that kicks in...

If you don't understand the last paragraph, then, please stop trying to 
post technical arguments on this subject.


Cheers,
Andrew
--
Andrew R. Reiter
[EMAIL PROTECTED]


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Michael Holstein
> How about adopting an architecture that incorporates special-purpose
> security safeguards into the CPU? Routers and switches don't need to
> execute arbitrary code, Cisco knows ahead of time, before they deploy a
> product, what code that product should be allowed to execute.

But how many times over the years has an IOS upgrade added a useful
feature? .. securing the physical hardware to not accept new (aka:
'arbitrary') code would make a *lot* of rack-mount paperweights.



Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Jason Coombs

Steve Friedl wrote:

> So you're suggesting that Cisco should have adopted security by
> obscurity for its hardware design?


How about adopting an architecture that incorporates special-purpose 
security safeguards into the CPU? Routers and switches don't need to 
execute arbitrary code, Cisco knows ahead of time, before they deploy a 
product, what code that product should be allowed to execute.


Do you think there is no way in hardware to limit the code that gets 
executed? Maybe you should join the FBI.


Sincerely,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Steve Friedl
On Fri, Jul 29, 2005 at 08:29:35AM -1000, Jason Coombs wrote:
> Cisco is responsible for this entire mess. Had they engineered a secure 
> product around a CPU that was not general purpose, none of this would be 
> happening now.

So you're suggesting that Cisco should have adopted security by
obscurity for its hardware design?

Really?

Steve

--- 
Stephen J Friedl | Security Consultant |  UNIX Wizard  |   +1 714 544-6561
www.unixwiz.net  | Tustin, Calif. USA  | Microsoft MVP | [EMAIL PROTECTED]


RE: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Eric Lauzon
 
So much fuss, it's all so new ..


http://www.phrack.org/phrack/56/p56-0x0a


-elz


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Michael Holstein
> Cisco is responsible for this entire mess. Had they engineered a secure
> product around a CPU that was not general purpose, none of this would be
> happening now.

Okay .. so we write 'special purpose' shellcode then. Cisco could have
designed the CPU as an ASIC, at the expense of being able to
field-upgrade like they can with software -- or they could have used
something like an FPGA to emulate an ASIC, at the expense of cost.


Everything's a trade off.

~Mike.


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Jason Coombs

J.A. Terranson wrote:

> Do I hear a faint echo of Adobe???



No, Lynn reportedly quit his job, so he is not going to have the "my 
company did it, so you can't prosecute me" defense...


If we assume Lynn knew about this defense given that he is quoted as 
referencing the Adobe case in his statements to the press, then Lynn 
willfully gave up that protection prior to his disclosure.


Now that is truly patriotic and brave, to sacrifice oneself in order to 
demonstrate that there are holes in the criminal justice system...


Regards,

Jason Coombs
[EMAIL PROTECTED]


RE: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread srenna
This is getting good

<---runs to get popcorn

BRING ON THE DRAMA!

>  Original Message 
> Subject: Re: [Full-disclosure] Cisco IOS Shellcode Presentation
> From: "J.A. Terranson" <[EMAIL PROTECTED]>
> Date: Fri, July 29, 2005 2:26 pm
> To: Jason Coombs <[EMAIL PROTECTED]>
> Cc: full-disclosure@lists.grok.org.uk
> 
> On Fri, 29 Jul 2005, Jason Coombs wrote:
> 
> > Likewise, anyone with information that would show that Cisco is
> > knowingly "faking it" by exaggerating their appearance as a "victim" can
> > be instrumental in having Cisco prosecuted for abuse of process, or at
> > the very least any possible criminal charges against Lynn dropped.
> 
> Do I hear a faint echo of Adobe???
> 
> -- 
> Yours,
> 
> J.A. Terranson
> [EMAIL PROTECTED]
> 0xBD4A95BF
> 
> 
> "A stock broker is someone who handles your money until its all gone."
> Diana Hubbard (of Scientology fame)



Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Jason Coombs

Frank Knobbe wrote:

> What he has done is not say "Here's a bug that I can exploit". He has
> said "This IOS is capable of exploitation beyond current belief". And it
> will be for the foreseeable future.



Precisely. And Lynn pointed out that Cisco routers use general purpose 
CPUs -- therefore Cisco's own engineers chose purposefully to build a 
vulnerable device.


Cisco is responsible for this entire mess. Had they engineered a secure 
product around a CPU that was not general purpose, none of this would be 
happening now.


No company that intentionally engineers a computing device around a 
general purpose programmable CPU should have the ability to press 
charges against security researchers who disclose security flaws in 
those devices.


Cisco is wrong to conclude that they can engineer a defective product 
and then allow the criminal prosecution of a person who simply asks the 
pointed question "Why did Cisco do this? It renders their product 
permanently defective, and here's the proof."


Somebody needs to explain this clearly to the FBI.

Cisco should be criminally prosecuted for telling lies to their 
customers and for abuse of process.


Regards,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread J.A. Terranson


On Fri, 29 Jul 2005, Jason Coombs wrote:

> Likewise, anyone with information that would show that Cisco is
> knowingly "faking it" by exaggerating their appearance as a "victim" can
> be instrumental in having Cisco prosecuted for abuse of process, or at
> the very least any possible criminal charges against Lynn dropped.

Do I hear a faint echo of Adobe???

-- 
Yours,

J.A. Terranson
[EMAIL PROTECTED]
0xBD4A95BF


"A stock broker is someone who handles your money until its all gone."
Diana Hubbard (of Scientology fame)


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Jason Coombs

Michael Holstein wrote:

> Secrecy and censorship are contrary to the ideals of a democratic society.


Mike,

You don't live in a democratic society. You have representatives and 
laws to make decisions and impose rules of order on others on your 
behalf. Like it or not, if the rules you allow to exist on your behalf 
get violated then there may be swift and decisive retaliation by your 
representative democratic government.


Nobody knows in this case whether the "trade secrets" allegedly "stolen" 
bring this matter into the realm of a criminal offense, or whether this 
is squarely and clearly only a civil matter. Cisco doesn't even know 
whether this is a crime, everyone is fumbling in the dark here.


Reports that the FBI are investigating are therefore believable, and 
prosecution of Lynn for criminal acts is not unlikely depending upon 
whether or not Cisco backs down from their harsh interpretation of what 
happened. In determining whether or not a crime occurred, the existence 
of an entity/person who appears to have been victimized is an important 
factor. You can help your democratic representatives do the right thing 
on your behalf by showing us all conclusive proof that Cisco was not 
victimized in any way by the actions of Lynn or by his disclosures.


Likewise, anyone with information that would show that Cisco is 
knowingly "faking it" by exaggerating their appearance as a "victim" can 
be instrumental in having Cisco prosecuted for abuse of process, or at 
the very least any possible criminal charges against Lynn dropped.


Sincerely,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Frank Knobbe
On Fri, 2005-07-29 at 13:52 -0400, Micheal Espinola Jr wrote:
> Especially considering that the latest versions of the IOS are not
> vulnerable.

Read the advisory a bit closer. Here the relevant lines:
"Products that are not running Cisco IOS are not affected.
Products running any version of Cisco IOS that do not have IPv6
configured interfaces are not vulnerable."

Yes, IOS versions that have the fix, or that don't even run IPv6 are not
*vulnerable*. But all IOS versions are *affected* by the *mechanism* he
described. 

That means that the once thought-to-be-invulnerable boxes running IOS
are in fact as vulnerable as a Windows box. Once you get process
control, you can do whatever you like. (What is TCB anyway? Certainly
not Trusted Computing Base :)
All it takes is another vulnerability, another buffer/heap overflow, and
you can use the discussed mechanism to again make the router do your
bidding.

What he has done is not say "Here's a bug that I can exploit". He has
said "This IOS is capable of exploitation beyond current belief". And it
will be for the foreseeable future.

So if there is another bug report for an issue in IOS, don't think it
can be abused to spawn a reverse shell. He just told you to treat Cisco
vulnerabilities with the same respect as Windows vulnerabilities. When
you see another bug report, you might want to patch your routers a bit
faster.

Cheers,
Frank



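The advisory criterion quoted in Frank's post (only IOS devices with IPv6-configured interfaces are vulnerable to that particular issue) turned into a defender's config check. This is an added example, not code from the post or from Cisco; the running-config is constructed, and the check assumes the standard IOS stanza syntax where `ipv6 address` and `ipv6 enable` under an interface mark it as IPv6-configured.

```python
import re
from typing import Dict, List

# Constructed sample running-config (not from any real device) used to
# exercise the check below.
SAMPLE_CONFIG = """\
!
hostname edge-rtr
!
interface GigabitEthernet0/0
 description uplink
 ip address 192.0.2.1 255.255.255.0
 ipv6 address 2001:db8:1::1/64
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ipv6 enable
!
interface Loopback0
 ipv6 enable
!
line vty 0 4
 transport input ssh
!
"""

# Commands that give an interface an IPv6 configuration. "no ipv6 ..." lines
# do not match, so an explicitly disabled stanza is not counted as exposure.
IPV6_CONFIG = re.compile(r"^\s+ipv6\s+(address|enable)\b")


def ipv6_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each interface with IPv6 configured to its ipv6 lines; this is
    the exposure criterion quoted from the advisory."""
    found: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif not line.startswith(" "):
            current = None          # any top-level line ends the stanza
        elif current and IPV6_CONFIG.match(line):
            found.setdefault(current, []).append(line.strip())
    return found


def is_exposed(config: str) -> bool:
    """True when at least one interface has IPv6 configured."""
    return bool(ipv6_interfaces(config))
```

Run it over the output of `show running-config` from each router to find the interfaces that put a device inside the advisory's affected set; a device with no hits still needs the fixed IOS, per Frank's point that every version is affected by the mechanism.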

Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Michael Holstein
> There was no added benefit to the public by posting that slideshow.
> Especially considering that the latest versions of the IOS are not
> vulnerable.


Then what's the harm in it?

As a general rule, anything the government (or industry) doesn't want us 
to see, is something we should *definitely* go have a look at.


Secrecy and censorship are contrary to the ideals of a democratic society.

~Mike.


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Micheal Espinola Jr
It was done of his own free will.  Have you heard/read his public
statement about it?

"I think I did the right thing. It was pretty scary, but the real
important thing was there was the potential of serious problem," Lynn
said. "I did not think the nation's interest was served by waiting
another year when a router worm would be a serious threat."

[...]

"I gave maybe 5 percent of the information required to actually do
what I did," he said. "The first guy who did it is sort of in some way
responsible for all the other people who do it."

There was no added benefit to the public by posting that slideshow.  
Especially considering that the latest versions of the IOS are not
vulnerable.

In this case Larry has taken someone's free will and intellectual
rights, and brushed them aside for his own cause to say "fuck cisco".

Good job.


On 7/29/05, KF (lists) <[EMAIL PROTECTED]> wrote:
> Trying to Stifle information is a real dickhead thing to do also...
> 
> I'm just waiting for someone to toss the DMCA into all of this. =]
> 
> -KF
> 
> Micheal Espinola Jr wrote:
> 
> >That was a real dickhead thing to do.  The guy that wrote that made an
> >agreement with Cisco of his own free will.  Who do you think you are
> >to go against an agreement he made, with his own information?
> >
> >I sincerely hope it bites you in the arse.
> >
> >
> >On 7/29/05, Larry Blumenthal <[EMAIL PROTECTED]> wrote:
> >
> >
> >>Information wants to be free.
> >>
> >>Time to free it!
> >>
> >>Fuck Cisco!
> >>


-- 
ME2  


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Michael Holstein

> Trying to Stifle information is a real dickhead thing to do also...


Well said.

Now all of us that have Ciscoworks (and it's version management which 
will keep old IOS images lying around) can go about reproducing Lynn's work.


Godspeed to all of you lucky enough to live in a country where you're 
free to publish your research (eg: !usa).


While we all await the inevitable release of a POC, perhaps we should go 
purchase stamps so we can still send email?


~Mike.


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread [EMAIL PROTECTED]


At 19:40 29/07/05, KF (lists) wrote:

> Trying to Stifle information is a real dickhead thing to do also...


Totally right :) 




Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread KF (lists)

Trying to Stifle information is a real dickhead thing to do also...

I'm just waiting for someone to toss the DMCA into all of this. =]

-KF

Micheal Espinola Jr wrote:

> That was a real dickhead thing to do.  The guy that wrote that made an
> agreement with Cisco of his own free will.  Who do you think you are
> to go against an agreement he made, with his own information?
> 
> I sincerely hope it bites you in the arse.
> 
> On 7/29/05, Larry Blumenthal <[EMAIL PROTECTED]> wrote:
> 
> > Information wants to be free.
> > 
> > Time to free it!
> > 
> > Fuck Cisco!



Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Micheal Espinola Jr
That was a real dickhead thing to do.  The guy that wrote that made an
agreement with Cisco of his own free will.  Who do you think you are
to go against an agreement he made, with his own information?

I sincerely hope it bites you in the arse.


On 7/29/05, Larry Blumenthal <[EMAIL PROTECTED]> wrote:
> Information wants to be free.
> 
> Time to free it!
> 
> Fuck Cisco!
> 


-- 
ME2  


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread J.A. Terranson

Disingenuous.

On Sat, 30 Jul 2005, Nick FitzGerald wrote:

> Date: Sat, 30 Jul 2005 03:37:00 +1200
> From: Nick FitzGerald <[EMAIL PROTECTED]>
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Cisco IOS Shellcode Presentation
>
> Larry Blumenthal wrote:
>
> > Information wants to be free.
> >
> > Time to free it!
>
> So next you'll be posting your full name, address, SSN, MMN, CC #, bank
> account details, etc??
>
> H -- thought not...
>
>
> Regards,
>
> Nick FitzGerald
>

-- 
Yours,

J.A. Terranson
[EMAIL PROTECTED]
0xBD4A95BF


"A stock broker is someone who handles your money until its all gone."
Diana Hubbard (of Scientology fame)


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Nick FitzGerald
Larry Blumenthal wrote:

> Information wants to be free. 
> 
> Time to free it! 

So next you'll be posting your full name, address, SSN, MMN, CC #, bank 
account details, etc??

H -- thought not...


Regards,

Nick FitzGerald
