Well, sadly the time seemed to fly by and last week's conference ended more quickly than I would have liked. I didn't have the time to stay in Vegas and attend the DEFCON conference either. Even though I really wanted to see Christopher Tarnovsky demonstrate smartcard/microcontroller fault induction in person, I decided to attend briefings that greatly complemented the briefings that I attended previously. Particularly, I enjoyed Felix Lindners ("FX") briefing entitled “Developments in Cisco IOS Forensics”, which actually did a lot to ease my previous fears that the defensive side of the arms race for Cisco IOS was being left behind.
Felix began his talk by explaining the impact of successful exploitation of Cisco IOS vulnerabilities, providing some details about Cisco IOS internals, and then explaining why the flat memory format is so dangerous. For example, even the smallest memory corruption bug could potentially be leveraged to overwrite critical structures anywhere in memory. “Just how often are routers hacked?” was covered with some very interesting points, such as the threat of TCL backdoors and patched IOS firmware. He also brought up an example of an old vulnerability that continues to see exploitation, namely, the old HTTP level 16 bug that is still being exploited in the wild, as well as the new SNMP HMAC issue. So, routers are being targeted in the wild and I believe this will only get more common, especially as other targets become increasingly difficult to exploit. A path of least resistance, if you will.
In his presentation, FX also covered how the Cisco IOS router is a volatile memory system. From a forensics perspective, this makes it very difficult to find any evidence of an attack after the system reboots. How does an administrator tell the difference between a “normal” router reboot and a reboot that is the result of an exploit attempt? The talk evolved into a compelling discussion about Cisco IOS crash-dump functionality and how it can be used for the purposes of forensics without impacting the performance of the router. Postmortem analysis of a crash dump file that is far too in-depth for the scope of this blog entry was covered in detail. This research is exciting. The Cisco Crash Dump analysis tool dubbed “CIR” (which FX says is a work-in-progress) is available as an online service for free. For those paranoid about uploading their crash dumps to a third party, it is my belief that a professional standalone version of the tool will be made available by Recurity labs. (But, I could be wrong about this—it would be best to contact Recurity Labs for more information.)
I can’t end this blog without mentioning two of the other high points of my day. The talk given by Ben Hawkes named “Attacking the Vista Heap” was excellent. The talk came to the conclusion that heap exploitation is no longer generic; instead, it is now application-specific, requiring certain conditions to leverage corruption into code execution. However, lots of interesting techniques were divulged. I followed up his briefing by attending the Alexander Sotirov and Mark Dowds briefing on “How to Impress Girls with Browser Memory Protection Bypasses.” Wrapped in droll comedy, this briefing was fantastic. It started out with a demonstration of an exploit achieving code execution on Windows Vista with GS, SafeSEH, DEP, and ASLR enabled. Really, it is far too detailed to cover here along with the Cisco IOS forensics talk. I don’t feel that I’m doing the talks any justice in my attempts to describe them, so I'd say that it’s best to go explore the Recurity CIR wiki for more complete information on this research and to read the “How To Impress Girls With Browser Memory Protection Bypasses” paper and code. GS, SafeSEH, DEP, and ASLR — all defeated in a client-side exploit. Why are you still reading this? Go read the paper!