This interview with FX discusses Cisco IOS exploitation, Michael Lynn's work, and what FX believes can be done when hacking IOS.
I'm just a random hacker from Germany, part of Phenoelit and interested in all kinds of protocols, devices, platforms and attacks. Among these happen to be a few Cisco products, which is probably why I write this.
Did you know Michael Lynn before the Cisco stuff became public?
Michael sent me the link to the BlackHat schedule where his talk was announced and asked me if I would be in Vegas (which I wasn't). That's all.
What is your opinion on Lynn's work with exploiting IOS? Is it something really new and hot?
I didn't see his talk personally (see above). For this particular bug, he apparently found an elegant way to not guess as many pointers as I did before when doing heap exploits on IOS. He also managed to get a VTY (non-Cisco people call it [a] shell), which is pretty cool. I would say it's an evolutionary step based on previous work, which it always is, even if people claim they invented something completely new. I have been waiting years for people to pick up the IOS hacking where others and myself left it, and I'm happy it finally happened.
When did you complete your first IOS exploit?
End of 2001.
Do you think other people were already exploiting IOS before you?
There have been non-code-exec bugs before, which is always a more reliable way of getting into a device, for example the HTTP exec level bug. But I'm sure that people executed code on IOS before my work. It would be arrogant to believe I was the first to do it.
Did you find any particular tip for exploit development in the uncensored version of Lynn's slides?
Yes and no. The addresses don't get you anything with over 10000 different IOS builds out there. The idea of finding the "I'm already crashing" flag is pretty nice.
So do you think that all the Cisco pressure on removing those assembly code snippets was unmotivated?
Yes, from a technical point of view. Which NDAs/Licenses/DMCAs were broken due to the code snippets on the slides is beyond my knowledge.
I think it's funny because you had a working exploit in 2001, and nearly 4 years later someone (Lynn) got something similar. But thanks to someone (Cisco) that chose to sue him, there was a big buzz, and all the people suddenly discovered that, "wow, IOS is exploitable, yes, you can get a shell there too". Now a lot of people want to be the first to reach the goal: make public some working shellcode.
Really? They should come out and talk to me. I'm not participating in this race, so if someone wants to discuss their shellcode techniques, drop me a mail. Unfortunately, I suspect it will take more time to solve the interesting problems with the code than the hype would fuel most people's motivation. What would be needed is an equivalent of the kernel32-base shellcodes on Windows, which can certainly be done on IOS, but is probably harder to do. There is no prior VX research to build on. If there were a good way to identify the image base in [the] shellcode, you could parse the ELF headers from there and might find the functions you are looking for. But I guess this goes a bit far for an interview.
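The last answer sketches the kernel32-base idea for IOS: once shellcode knows where the ELF image starts, it can walk the section headers to the symbol table and look up routines by name instead of hardcoding per-build addresses. The following C is an added example written for this page, not FX's or Phenoelit's code and not Cisco code. It resolves a symbol from a big-endian ELF32 image whose header sits at a known base, and it assumes the image is mapped contiguously so that file offsets equal memory offsets. The image it runs against is constructed in memory with made-up routine names (`memcpy`, `tcp_send`) and made-up addresses; nothing here is taken from a real IOS build. Unlike shellcode, it checks every offset against the image length, which is what you would want before trusting the tables of an image you did not build yourself.

```c
/* Added example: ELF32 (big-endian) symbol resolver of the kind the interview
 * describes, run against a synthetic in-memory image. Not IOS or Cisco code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SHT_SYMTAB 2
#define SHT_STRTAB 3

/* IOS images are big-endian ELF32; read and write fields byte-wise so the
 * code behaves the same on a little-endian host. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Look up `name` in the SHT_SYMTAB of the image at `base` (len bytes).
 * Assumption: file offsets equal memory offsets from `base`.
 * Returns st_value, or 0 if the header is not a big-endian ELF32, any table
 * falls outside the image, or the symbol is absent. */
uint32_t elf_resolve(const uint8_t *base, size_t len, const char *name)
{
    if (len < 52 || memcmp(base, "\x7f" "ELF", 4) != 0 ||
        base[4] != 1 /* ELFCLASS32 */ || base[5] != 2 /* ELFDATA2MSB */)
        return 0;
    uint32_t shoff = rd32(base + 32);            /* e_shoff */
    uint16_t shentsize = rd16(base + 46);        /* e_shentsize */
    uint16_t shnum = rd16(base + 48);            /* e_shnum */
    if (shentsize < 40 || shoff > len || (size_t)shnum * shentsize > len - shoff)
        return 0;
    for (uint16_t i = 0; i < shnum; i++) {
        const uint8_t *sh = base + shoff + (size_t)i * shentsize;
        if (rd32(sh + 4) != SHT_SYMTAB)          /* sh_type */
            continue;
        uint32_t symoff = rd32(sh + 16), symsize = rd32(sh + 20);   /* sh_offset, sh_size */
        uint32_t link = rd32(sh + 24), entsize = rd32(sh + 36);     /* sh_link, sh_entsize */
        if (entsize < 16 || link >= shnum || symoff > len || symsize > len - symoff)
            return 0;
        const uint8_t *strsh = base + shoff + (size_t)link * shentsize;
        if (rd32(strsh + 4) != SHT_STRTAB)
            return 0;
        uint32_t stroff = rd32(strsh + 16), strsize = rd32(strsh + 20);
        if (stroff > len || strsize > len - stroff)
            return 0;
        for (uint32_t off = 0; off + entsize <= symsize; off += entsize) {
            const uint8_t *sym = base + symoff + off;
            uint32_t st_name = rd32(sym);
            if (st_name >= strsize)
                continue;
            const char *s = (const char *)base + stroff + st_name;
            /* Only compare names that are NUL-terminated inside the string table. */
            if (memchr(s, 0, strsize - st_name) == NULL)
                continue;
            if (strcmp(s, name) == 0)
                return rd32(sym + 4);            /* st_value */
        }
    }
    return 0;
}

/* Constructed sample image (240 bytes): ELF header, a string table, a symbol
 * table with two made-up STT_FUNC entries, and three section headers.
 * Returns the image length, or 0 if the buffer is too small. */
size_t build_sample_image(uint8_t *buf, size_t cap)
{
    const size_t str_off = 52, sym_off = 72, sh_off = 120, total = 240;
    if (cap < total)
        return 0;
    memset(buf, 0, total);
    memcpy(buf, "\x7f" "ELF", 4);
    buf[4] = 1; buf[5] = 2; buf[6] = 1;          /* ELFCLASS32, ELFDATA2MSB, EV_CURRENT */
    wr16(buf + 16, 2);                           /* e_type = ET_EXEC */
    wr16(buf + 18, 20);                          /* e_machine = EM_PPC */
    wr32(buf + 20, 1);                           /* e_version */
    wr32(buf + 24, 0x80008000u);                 /* e_entry (made up) */
    wr32(buf + 32, (uint32_t)sh_off);            /* e_shoff */
    wr16(buf + 40, 52);                          /* e_ehsize */
    wr16(buf + 46, 40);                          /* e_shentsize */
    wr16(buf + 48, 3);                           /* e_shnum */
    memcpy(buf + str_off, "\0memcpy\0tcp_send", 17);   /* .strtab: names at 1 and 8 */
    uint8_t *s1 = buf + sym_off + 16, *s2 = buf + sym_off + 32;   /* entry 0 stays null */
    wr32(s1, 1); wr32(s1 + 4, 0x80123450u); wr32(s1 + 8, 0x40); s1[12] = 0x12; wr16(s1 + 14, 1);
    wr32(s2, 8); wr32(s2 + 4, 0x80234560u); wr32(s2 + 8, 0x80); s2[12] = 0x12; wr16(s2 + 14, 1);
    uint8_t *h1 = buf + sh_off + 40, *h2 = buf + sh_off + 80;     /* header 0 is SHT_NULL */
    wr32(h1 + 4, SHT_STRTAB); wr32(h1 + 16, (uint32_t)str_off); wr32(h1 + 20, 17);
    wr32(h2 + 4, SHT_SYMTAB); wr32(h2 + 16, (uint32_t)sym_off); wr32(h2 + 20, 48);
    wr32(h2 + 24, 1); wr32(h2 + 36, 16);        /* sh_link -> .strtab, sh_entsize */
    return total;
}

int main(void)
{
    uint8_t image[256];
    size_t len = build_sample_image(image, sizeof image);
    const char *wanted[] = { "memcpy", "tcp_send", "does_not_exist" };
    for (size_t i = 0; i < 3; i++)
        printf("%-14s -> 0x%08x\n", wanted[i], elf_resolve(image, len, wanted[i]));
    return 0;
}
```

The shellcode version of this drops the bounds checks and the string-table walk becomes a hash compare to keep the code small, but the lookup chain is the same: e_shoff, the SHT_SYMTAB header, its sh_link string table, then st_value. The part the interview leaves open, finding the image base reliably from inside the shellcode, is not solved by this example; it assumes the base is already known.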