1-day exploit development for Cisco IOS

Speech transcript (automated media analysis, beta)
Alright, well, the next lecture here is about exploit development for Cisco stuff. We all suffered from this last year, or all heard about it, and you know the impacts maybe, but he is going to explain the work he did in that field. So please, can I ask you all for a warm welcoming applause for our speaker.

Thank you. I'm very excited to finally be able to talk here at the Congress, and very happy to see all of you. So without further ado, let's jump into some practical exploitation.

A few words about myself: I do mostly security-related stuff. My areas of expertise are penetration tests, both internal and external; I also do research in my free time and bug bounties here and there. This talk is actually kind of a continuation of my talk this summer at DEF CON about Cisco Catalyst exploitation.

So for those of you who are out of context, let's recap what happened earlier this year. 2017 was a season of vulnerabilities for Cisco IOS-powered devices: we had at least three major advisories for Cisco IOS, and they represented three remote code execution vulnerabilities. The first one was in the Cluster Management Protocol, which resulted in an unauthenticated remote code execution vulnerability; the second one was the SNMP overflow. In this lecture I'm going to be talking about two of those vulnerabilities, because the third RCE is yet to be researched. So hopefully, by the end of this talk, I'll be able to show you a live demo of exploiting the SNMP service of Cisco IOS.

First, what happened earlier. In March 2017 we had a major advisory from Cisco announcing that hundreds of models of devices were vulnerable to a remote code execution vulnerability. No public code and no public exploit was available, and it was known to be exploited in the wild, so it was critical. The main points of the vulnerability were as follows. Cisco switches can be clustered, and there is of course a management protocol built on top of Telnet. This vulnerability is actually the result of two errors, a logic error and a binary error: the Telnet options for the cluster protocol get parsed regardless of whether the switch is in cluster mode or not, and the incorrect processing of these cluster management protocol options results in an overflow. What is interesting about this vulnerability is that the actual source of it for the Cisco guys was not internal research but the Vault 7 leak that happened in March this year. Many hacking techniques and tools were released to the public by WikiLeaks, and among the many vendors that were affected was Cisco Systems. So basically, in addition to the advisory, you could go to WikiLeaks and read about the potential exploitation technique for Cisco Catalyst. These were basically the notes of an engineer who was testing the actual exploit; there were no actual exploits in the leak. It worked as follows: there were two modes of interaction. For example, an attacker could connect to the vulnerable service and be presented with a privilege 15 shell; the other mode of operation was to set up all subsequent connections to Telnet to authenticate without credentials. The exploitation research I presented at DEF CON 25 was targeting Cisco Catalyst 2960 switches and also described the path from crash to exploitation, the way you can go about it. You can look at my blog post about exploiting this service and also the proof-of-concept exploit on my page.

But today I want to talk about something else, about another vulnerability that was announced this year: the SNMP remote code execution. The actual motivation behind this research was that I was conducting an external pentest, and an nmap scan revealed that SNMP access with the default community string "public" was available on a router; the goal was to get access to the internal network. The actual advisory said that the attacker needs a read-only community string to get remote code execution on the device, and the target router was a 2800 Integrated Services Router, which is a very common device on networks. The technical specs: it has a MIPS big-endian architecture, and you don't have any kind of debugging tools available for it. It's also interesting in the sense that the firmware is relatively new for this router, so it might be interesting to look at the defensive and exploit prevention mechanisms employed by Cisco IOS. When I say relatively new: the interesting thing is that this device is actually end of support, it's not supported; the last patch for it came out in 2016, and to remind you, the advisory for the SNMP overflow appeared in June 2017. But nonetheless this is still a widely used device: if you search for SNMP in the banner on Shodan, you will find at least 3,000 devices with the SNMP service available with the public community string. These devices are all supposedly vulnerable to the SNMP overflow, and the question is whether we can build a remote code execution exploit for it.

Since we're going to be exploiting the SNMP protocol, let me give a brief recap of how it works, just to touch on it. SNMP comes with several abbreviations, like MIB, which stands for Management Information Base and is a collection of objects that can be monitored from the SNMP manager. Management Information Bases actually consist of object identifiers. As an example, you all know that printers usually use SNMP: if there is a certain level of ink in the cartridge, you can query the SNMP service on this device for the percentage of ink left. That's an example of how it works. A Management Information Base looks like a tree: we have a base element at the top and leaf elements, and all these elements represent an object that can be queried.

We're going to look at the GetRequest, because the advisory states that for the vulnerability to be triggered you only have to know the read-only community string. It's a relatively simple protocol: we just supply the object identifier we are querying and we get back the result. Here, for example, we get the router version, the description field. You can also do this with a readily available Linux tool like snmpget.

So before I build an exploit, we have a starting point. How do we look for the crash? The advisory actually states that there are nine different vulnerable Management Information Bases, and you only have to know the read-only community string. For the fuzzing I'll be using Scapy as a toolkit to work with the protocol. You can see me building a valid object identifier that references the description field and appending some letters "A", which is 65 in the ASCII table; then I build an IP packet, a UDP packet and an SNMP packet with the community string "public" and the object identifier. Of course this will not trigger the overflow, because this object identifier is completely fine. To get all the object identifiers that the router will respond to, there are basically two ways: you can take the firmware and just extract all the OIDs from it (it's easy to grab them, they are stored in plaintext), and another way is to actually look at the vulnerable MIBs, visit the vendor's website and get all the object identifiers from there. As a matter of fact, the first crash I had was in a MIB related to a different protocol, which does not concern us because the focus is the SNMP overflow exploitation. The actual overflow was in one of the object identifiers, and this request actually crashed the router. When you are connected to the router over the console cable and there is a crash, you will be presented with a stack trace. We see here that we get a corrupted program counter, and we also see the state of the registers at the moment of the crash. Here you can see that we have control over the program counter, called PC, and we also control the contents of the registers s0, s1, s2, s3, s4, s5 and s6. Further inspection also provided me with the knowledge that we have about 60 spare bytes on the stack to work with.

But before we build the exploit, we have some problems and issues that have to be solved. Yes, we do control the program counter, but where do we jump to? Is ASLR on? Can we execute code directly on the stack, is the stack executable, where can we place shellcode, is data caching a problem for us, and if we are able to launch our shellcode, can we just patch the code: is the code section writable, or is there a code integrity check? The most important question is how we return the control flow back to the SNMP service, because IOS is a single binary running in memory, and if you have an exception in any thread of this big binary on Cisco devices, everything will perish. If you go to the advisory, one of the indicators of compromise, as Cisco states, is a device reload: exploitation of the vulnerability will cause the device to reload, and we will try to build an exploit that will not crash the SNMP service.

Before we dive deeper into the firmware, I want to reference previous research on this matter. This is by no means a complete list, but this research actually helped me a lot and seemed very insightful to me, so you should definitely check it out. For example, Router Exploitation by Felix "FX" Lindner, and Cisco IOS Shellcode by George Nosenko, which is a great resource for IOS internals and a great reference for how IOS works in terms of exploitation. The third resource, on Cisco IOS, is great info on exploiting PowerPC-based Cisco switches and also great info on bypassing the common exploit prevention mechanisms in Cisco IOS.
Basically, if I were to tell you how IOS works in one slide: it's a single binary running in memory, everything is statically linked into a single ELF file which gets started; of course you have no API whatsoever, and there are no symbols whatsoever. Yes, there is a library at the end of the firmware, but it's also kind of hard to use, because there are so many different versions of firmware and the offsets jump around, so you don't know the exact location of those functions.

To start with static analysis, you should probably copy the firmware from the flash memory of the router using the copy command; it supports TFTP and FTP, so the firmware can be downloaded. The next thing you do is unpack the firmware itself: when the router starts loading, there is an initial stub that does the unpacking, but you don't have to reverse-engineer that, you just use binwalk, which will do the unpacking for you. You load the result of the unpacking with binwalk into IDA Pro, and I have to change the processor type to MIPS 32-bit; we know that it's MIPS because we saw the registers, and those registers were s0 to s6, so it was the MIPS architecture. One thing or another: the actual firmware gets loaded at address 0x800800, but the program counter refers to it from an address starting with 0x4, and this is because IOS, once it is loaded, maps the memory to 0x400F00. This is important, because to have the correct cross-references in IDA Pro you rebase the program to 0x400F00, and after that you will have all the correct string cross-references for all the necessary strings. Here the static analysis setup would be complete, but in order to do comfortable exploitation it will not suffice to only have IDA Pro loaded with the firmware and all the cross-references; you probably want to set up a debugging environment.

It is well known that IOS can be debugged over the serial port: there is actually a "gdb kernel" command that is used to start the internal GDB server, but this functionality was removed in recent versions of IOS, so you generally can't run it. Nonetheless there is a way to enable GDB, and this way is to reboot the device and send a set of escape sequences to the serial port; this will bring up the ROM monitor shell. ROMMON is a simple piece of firmware that gets loaded and run just before your firmware starts running, and this ROMMON can manually load your firmware with a flag which will launch the whole firmware under GDB; after your firmware is loaded, GDB will take over. Now you can just use your favourite GDB debugger on Linux and connect to the device over the serial port. But IOS uses a slightly different subset of commands of the GDB protocol: it has a server-side GDB, and on the client side you should be accustomed to this GDB server. Basically there are no publicly and officially available client-side debugging tools for IOS, and that is because this is intended for Cisco engineers, not for us, although there have been some efforts from the community to build tools to debug several versions of routers and switches with IOS. If you look for ways to debug Cisco IOS, you will mostly find a tutorial on how you can patch an old version of GDB that still supports IOS, but it actually never works; I tried it, and all I could do was read memory, but stepping just doesn't work. So another way, the easiest way, is to use a cool tool by the NCC Group called IODIDE. It's a graphical debugger for IOS and it really works, but the thing is, it only targets the PowerPC architecture and has some problems; you probably have to patch the debugger to be able to work with another architecture. The last resort is to implement your own debugger for the router, and to do that you have to know which commands the GDB stub actually supports, and it's not a lot: you can basically read memory and write memory, read and write registers, and the only program-counter control command is step instruction. It's kind of easy to implement such a GDB debugger, because all the information is just sent as plain text over a serial cable, appended with a checksum, as you can see. This way I was able to make a quick script in Python using Capstone to be able to debug IOS: you can inspect registers, there is basic breakpoint management (we just write a special control double word to be able to break), and it also supports other good features, like dumping memory, which we will use later.

To find the SNMP overflow in the code, you can basically follow, since we have all the string cross-references, the strings referencing an SNMP GetRequest and step until you see the signs of the crash. But a more efficient method is just to crash the device and start inspecting the stack after the device has crashed: you just have to dump the memory on the stack and look into the values that reference the code; some of them will be return addresses, and this will give you a hint of where the crash actually is. The actual program counter corruption happens at the end of a function, as you can see in its control flow: at the end of the function we load the values from the stack into the registers s0 to s6, and we also load a value into register ra. This is an important register; it's called the return address register, and almost every function in MIPS uses this register to jump back to its parent function.

So basically we have some space on the stack, but the question is whether we can place our shellcode on this stack and whether we can execute it. Because, you know, the stack location is unpredictable: every time you trigger this vulnerability a separate space on the stack is allocated, and you can't really predict it. There are no valid "jump to stack" instructions in the firmware like we have on x86, like jmp esp; there are no such instructions in the firmware. But even if we could find such an instruction, address space layout randomization is on, which means that the code section and the data section are based at a different offset each time we reboot the device, which means that we can't reliably jump to the instruction. Also, an unfortunate thing is that data caching is in place too. This is the first time I encountered randomization, as previous research has been dealing with what they called the diversity of the firmware: basically you had so many different versions of firmware that when you exploited the vulnerability it could arise that you couldn't reliably jump to any code, because of this vast diversity of different firmware that was built by different people. But here we actually have address space randomization: the text section and the data section are loaded at a different offset after each reboot.

Something that really obstructs us is data caching: when we write shellcode to the stack we think that it will be on the stack, but what actually happens is that everything gets written into the data cache, and when we point our program counter to the stack, all we get is executing garbage instructions, which results in a crash once again. So this is basically data execution prevention; well, it's not, it's the cache, but the solution to this problem is the same as for data execution prevention, and it is return-oriented programming. But unfortunately we have ASLR, so we can't really jump to anything, because it's at random offsets. Here the ROM monitor that I was talking about comes to our rescue: this little piece of software that gets loaded before the actual firmware might actually help us.

The first thing we want to find out is where this bare-bones firmware is located. An interesting feature of the ROMMON shell is that it actually allows you to disassemble arbitrary parts of memory, and if you target the disassembler at an invalid address you'll get a stack trace revealing the actual addresses of the ROM monitor. That's one of the most interesting things: the ROM monitor is located at 0xFC000000, and you can dump it using the debugger, or you can just search the internet for that version and download it. The most interesting part about this piece of firmware is that, no matter what, ROMMON is located at the same address and it's persistent across reboots, and it's really great because we can use it for building ROP chains inside of it. So now we have a theoretical possibility of circumventing ASLR and this data caching problem.

So how would we nonetheless abuse this vulnerability? We jump to ROMMON, we initiate a ROP chain which makes an arbitrary write using the code reuse technique, and after that we have to recover the stack frame of the SNMP service and restore the legitimate flow. This is really important, because we will be writing only four bytes, and that is not enough for a full-fledged shellcode; if we don't crash the SNMP service, we can exploit this vulnerability over and over again, building the shellcode in memory, and after we build the shellcode we make a jump to it. So here's how it works: with the overflow we overwrite the return address so it points to ROMMON, we jump to the ROM monitor, and what we do there is actually find a gadget that uses the data on our stack to make an arbitrary four-byte write just before the text section. Then we have to find a gadget that will recover the stack for us, so we can restore the legitimate SNMP execution flow. This is basically an overview of one cycle of how we write our four bytes, our double word.

Now, on to building ROP chains. What is return-oriented programming? Basically the idea is to not execute the shellcode directly, but to use the existing code in the binary to execute our payload: you use the stack not as a source of instructions but as data for the code that you are reusing. So you basically build a chain of pieces of code, we call them gadgets, and you chain them together with jump-to-register instructions. Each gadget has to meet two requirements: it has to actually execute our payload, and it also has to contain instructions that will transfer execution flow to the next gadget, or, if it's the last gadget, it should transfer execution back to the SNMP service. The problems with the return-oriented approach are that there is a limited set of gadgets: if we talk about the firmware, around 200 megabytes of code, there are plenty of different gadgets, but in ROMMON it's only 500 kilobytes of code, so not a lot of code is available. The second major problem is the gadgets themselves, because most of them are function epilogues, which modify the stack frame because they delete the local variables before they jump back to the parent function, and you have to account for that; this is the main question in the process of exploiting. ROP chains can basically do anything, but most of the time what we do is arbitrary memory writes, and this is what actually might lead to arbitrary code execution.

The idea for the search for gadgets is that you find a gadget that loads data from the stack into registers, and then you find a second gadget that works with the data in those registers: for example, one gadget loads register s0 with the value, and the other gadget writes s0 to the address it is given. We also want to find gadgets that load data into the return register, so we can jump to the next gadget. You don't have to look for these gadgets manually; there are a lot of different tools for building ROP chains. One of those tools is ropper, you can find it on GitHub; it's a really handy tool, you search for the necessary instructions that you need to build your ROP chain.
Now the last technical part, how the ROP chains in this particular exploit work, and then I will get to the demo. This is how a typical stack frame of a function looks: you basically have local variables on the stack, you have the return address, and you also have the stack frame of the parent function underneath the stack frame of our vulnerable function. So when we overflow the local variables with our long object identifier, here's what happens: we overflow the local variables, and these variables actually partly get written into the s0 to s6 general-purpose registers; we also, of course, overflow the return address, which will jump for us to ROMMON; and we also have some 60 bytes after that and the stack frame of the next function, and we use that data for the ROP chain. What we do here: we take the value of s0 (we control the value of s0, as you remember) and we move it to register v0, and that's solely because all the other gadgets in ROMMON that write data use s0 as the target register, so we have to use register v0. The most important part is that we load the return address from the data, and we also load the address we will write to from the raw data. So basically, when this gadget stops executing, we have s0 pointing to the memory we want to write to, and v0 containing the four bytes we will be writing just before the code section. The final gadget, the one performing the arbitrary write, is the gadget that takes the value of register v0 and writes it to the address referenced by register s0, and the last thing it does is transfer control back to the gadget which recovers the stack for us. This is the most important gadget, because it allows us to run the exploit several times. You might have noticed that the previous gadgets actually moved the stack pointer down by 0x30 bytes, and this means that the process we return to will crash if we don't point the stack pointer just between the two stack frames. So we find a gadget that will move the stack pointer down by 0x220 bytes, which results in a perfectly healthy stack pointer, and also loads the return address into register ra, pointing to the parent function, which then calls the functions all over again. This way we perform an arbitrary four-byte write; we can do this several times until the shellcode is actually placed just before the text section, and the final thing we do is overflow the stack again and jump over to the shellcode.

About the shellcode: the router I was working with had a Telnet service and had a password, so I designed a simple shellcode that will just patch the authentication control flow. As you can see here, we have a login/password check function, and the result, which is in the v0 register, is checked to determine whether authentication was successful or not. We can build shellcode which will just patch this instruction that checks the result of the login/password check, and that will allow us to make credential-less authentication against the Telnet service. What it does, basically: the shellcode inspects the stack and the return address on it to calculate the ASLR offset, because of course ASLR is on for the code section and we want to patch something in it; after that it writes a NOP instruction into all the checks, for Telnet and also for the enable password, and then just jumps back to the SNMP service.

So now the long-awaited demo; let's see if I can make it work. Here we have a serial connection to the device, and we have a shell. What we do now is inspect the password on the Telnet service to make sure it's working as intended: we see that it prompts for a password, and we don't know the password for the device. What we do now is launch the actual exploit; as parameters it takes the host, the community and the shellcode. This is the shellcode that patches the control flow in authentication. So here you see that we initiate writing the four-byte sequences into the text section; basically this writes the shellcode into memory, and after the exploit finishes writing, it has to jump to the shellcode. So... please don't crash. Yes.

Thank you. And of course you can build a shellcode that will undo this behaviour and patch the checks back to enable the password. On a side note: how reliably can you exploit this vulnerability? Of course, the public community string will lead you to the version of the particular router, but it does not lead to the version of ROMMON, and we're basically constructing ROP chains in the ROM monitor. Actually, there are not that many versions of ROMMON available: you have only five if we're talking about the 2800, so in the worst case you just have to try four times, that is, you have to crash it four times to get it right. But there is a second option, which is the interesting part: ROMMON is designed to be upgraded, so basically a system administrator can install a new version and update it, but the thing is that the read-only region that contains the stock ROMMON is always in place and is always at the same offset. So even if the ROM monitor is updated, the read-only version of it, the old version that has always been there, will always be at 0xFC000000. So basically the assumption is that all the devices manufactured at the same time and place will have the same read-only ROM monitor, and you can query just this kind of parameter using SNMP: for example, my lab router was manufactured in the year 2008 in the Czech Republic, so it has the following version of ROMMON.

So, to summarize all this: do not leave default credentials on your devices; public community strings are not designed to be placed on external networks; use Shodan to find out whether they are accidentally exposed on external networks; and of course patch your devices and watch for the end-of-life announcements. Thank you so much for your attention.

I suppose there are some questions. Please line up at the microphones. No one on the internet? They are flabbergasted, it seems.

Question: I'm a random network engineer, and I know that people tend to use the same SNMP community on many of their routers. Mind you, if you can get access to read-only on those routers, you will be able to do the same thing there.

Answer: Yes, the same principle applies, so basically don't use the same SNMP community on all your devices; that would be one little thing. But the main thing is to update your IOS, because there is a patch; the patch was released in September 2017. But if you tend to use end-of-life products, like the 2800, you should probably use strong community strings. Thank you.

Someone else having a question? Yes, someone on the internet is alive, let's try it. The internet is asking: how much time did you put into this whole project, working on this exploit?

Answer: It was around four weeks in total, from discovering the device on the external network to the final exploit.

Thank you. I have a question, maybe for you as well: do you have lots of volunteers who were working with you on researching these exploits?

Answer: No, I don't have any volunteers; this is all part of my work.

Thank you very much for this really revealing lecture.

And I just forgot to say: the actual proof of concept and the debugger will be released in a few days. The debugger is in Python with Capstone, and the actual proof of concept will be published as well.
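The SNMP GetRequest and the Scapy fuzzing packet the talk describes, as an added example that is not part of the transcript or of the speaker's tooling: a small pure-Python BER encoder that builds the same kind of packet without Scapy, plus the inverse OID decoder to check what goes on the wire. The names SYSDESCR, build_get_request, oid_with_long_tail, send_get_request and the rest are this example's own, not the speaker's. It also makes the "letters A, which is 65" detail concrete: every OID arc below 128 encodes as a single byte, so sub-identifier 65 lands on the wire as 0x41, the ASCII "A", and a long tail forces the long-form BER lengths that a fuzzed agent has to parse correctly.

```python
"""Hand-built SNMPv2c GetRequest packets (BER/ASN.1), for fuzzing a MIB.

Added example, not code from the talk. Names below are this example's own.
Mirrors what the Scapy packet in the talk does: a valid OID, optionally
followed by a long run of sub-identifier 65 ('A').
"""
import socket

TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_GET_REQUEST = 0xA0  # context-specific [0], constructed

SYSDESCR = [1, 3, 6, 1, 2, 1, 1, 1, 0]  # sysDescr.0, the "description field" from the talk


def ber_len(n: int) -> bytes:
    """Definite-form length: one byte below 128, 0x8N plus N length bytes above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body


def encode_int(value: int) -> bytes:
    """Minimal-length big-endian two's complement INTEGER."""
    n = 1
    while not -(1 << (8 * n - 1)) <= value < (1 << (8 * n - 1)):
        n += 1
    return tlv(TAG_INTEGER, value.to_bytes(n, "big", signed=True))


def encode_subid(arc: int) -> bytes:
    """Base-128, big-endian; continuation bit set on every byte but the last."""
    chunks = [arc & 0x7F]
    arc >>= 7
    while arc:
        chunks.append(0x80 | (arc & 0x7F))
        arc >>= 7
    return bytes(reversed(chunks))


def encode_oid(arcs) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID prefix")
    body = encode_subid(arcs[0] * 40 + arcs[1])
    for arc in arcs[2:]:
        body += encode_subid(arc)
    return tlv(TAG_OID, body)


def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, next_pos) for the TLV starting at pos; handles long-form lengths."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def decode_oid(oid_tlv: bytes):
    """Inverse of encode_oid, used to sanity-check what we send."""
    tag, body, _ = parse_tlv(oid_tlv)
    if tag != TAG_OID:
        raise ValueError("not an OID")
    arcs, cur = [], 0
    for b in body:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    first = arcs[0]
    lead = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return lead + arcs[1:]


def build_get_request(community: str, oid, request_id: int, version: int = 1) -> bytes:
    """SNMPv2c (version=1) or SNMPv1 (version=0) GetRequest for a single OID."""
    varbind = tlv(TAG_SEQUENCE, encode_oid(oid) + tlv(TAG_NULL, b""))
    pdu = tlv(TAG_GET_REQUEST,
              encode_int(request_id) + encode_int(0) + encode_int(0)  # id, error-status, error-index
              + tlv(TAG_SEQUENCE, varbind))
    return tlv(TAG_SEQUENCE,
               encode_int(version) + tlv(TAG_OCTET_STRING, community.encode()) + pdu)


def oid_with_long_tail(base, count: int, arc: int = 65):
    """Valid prefix plus `count` extra arcs; 65 encodes as the single byte 0x41 ('A')."""
    return list(base) + [arc] * count


def send_get_request(packet: bytes, host: str, port: int = 161, timeout: float = 2.0):
    """Send one request; None on timeout, which is what a reloading agent looks like."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (host, port))
        try:
            return s.recv(65535)
        except socket.timeout:
            return None


if __name__ == "__main__":
    print(build_get_request("public", SYSDESCR, 1).hex())             # the plain snmpget packet
    print(len(build_get_request("public", oid_with_long_tail(SYSDESCR, 500), 2)))
```

The plain sysDescr.0 request comes out byte-for-byte as the one snmpget sends, so a packet capture of the real tool is a convenient cross-check before swapping in the fuzzed OIDs; when sweeping the vulnerable MIBs, vary the tail length and the base OID rather than the arc value, since any arc below 128 is one byte and changes nothing structurally.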

Metadata

Formal metadata

Title: 1-day exploit development for Cisco IOS
Series title: 34th Chaos Communication Congress
Author: Kondratenko, Artem
License: CC Attribution 4.0 International:
You may use, modify and reproduce, distribute and make publicly available the work or its content for any lawful purpose, in unmodified or modified form, provided that you credit the author/rights holder in the manner specified by them.
DOI: 10.5446/34812
Publisher: Chaos Computer Club e.V.
Year of publication: 2017
Language: English

Content metadata

Subject area: Computer science
Abstract: Year 2017 was rich in vulnerabilities discovered for Cisco networking devices. At least 3 vulnerabilities leading to a remote code execution were disclosed. This talk will give an insight on the exploit development process for Cisco IOS for two of the mentioned critical vulnerabilities. Both lead to a full takeover of the target device. Both PowerPC and MIPS architectures will be covered. The presentation will feature an SNMP server exploitation demo.
Keywords: Security
