Hackers of India

Killing the Myth of Cisco IOS Diversity: Towards Reliable, Large-Scale Exploitation of Cisco IOS

By Jatin Kataria, Ang Cui, Salvatore Stolfo on 03 Aug 2011 @ Blackhat


Abstract

IOS firmware diversity, the unintended consequence of a complex firmware compilation process, has historically made reliable exploitation of Cisco routers difficult. With approximately 300,000 unique IOS images in existence, a new class of version-agnostic shellcode is needed in order to make the large-scale exploitation of Cisco IOS possible. We show that such attacks are now feasible by demonstrating two different reliable shellcodes which will operate correctly over many Cisco hardware platforms and all known IOS versions.

We propose a two-phase attack strategy against Cisco routers and the use of offline analysis of existing IOS images to defeat IOS firmware diversity. Furthermore, we discuss a new IOS rootkit which hijacks all interrupt service routines within the router and its ability to intercept and modify process-switched packets just before they are scheduled for transmission.

This ability allows the attacker to use the payload of innocuous packets, like ICMP, as a covert command and control channel. Furthermore, the same mechanism can be used to stealthily exfiltrate data out of the router, using response packets generated by the router itself as the vehicle. We present the implementation and quantitative reliability measurements by testing both shellcode algorithms against a large collection of IOS images.

As our experimental results show, the techniques proposed in this paper can reliably inject command and control capabilities into arbitrary IOS images in a version-agnostic manner. We believe that the technique presented in this paper overcomes the last hurdle in the large-scale, reliable exploitation of Cisco IOS. Thus, effective host-based defense for such routers is imperative for maintaining the integrity of our global communication infrastructures.

AI Generated Summary (may contain errors)

Here is a summary of the content:

The speaker, an expert in Cisco IOS security research, presents their findings on exploiting vulnerabilities in Cisco IOS devices. They highlight that most of their testing has been against malicious code they have written themselves or obtained as proof-of-concept code from other researchers, but they would like to test their defenses against real-world IOS malware. The speaker invites others with access to such malware to collaborate and conduct a "friendly shootout" to evaluate the effectiveness of their defenses.

The presentation focuses on hijacking interrupt handlers in Cisco IOS devices, which is relatively easy because the relevant instructions follow a fixed 32-bit opcode pattern that can be located reliably. Once shellcode can be executed reliably, exploiting these handlers becomes trivial.

The speaker clarifies that their research does not involve using ROMMON or any other undocumented commands to execute payloads. They also mention that they have only tested their methods on IOS versions up to 12.4 and plan to investigate IOS XR in the future.

In response to audience questions, the speaker explains that getting shellcode to execute reliably is the significant challenge; once it is overcome, exploiting these vulnerabilities becomes relatively easy. They also discuss the possibility of building a fingerprint database of Cisco IOS images, which defenders could use to detect tampered firmware. Finally, the speaker emphasizes the need for modern defenses, such as memory virtualization and isolation, to improve the security of these devices.