C3Subtitles: 34c3: 1-day exploit development for Cisco IOS

1-day exploit development for Cisco IOS

Video duration
00:45:36
Language
English
Abstract
The year 2017 was rich in vulnerabilities discovered in Cisco networking devices. At least three vulnerabilities leading to remote code execution were disclosed. This talk gives insight into the exploit development process for Cisco IOS for two of these critical vulnerabilities. Both lead to a full takeover of the target device. Both the PowerPC and MIPS architectures will be covered. The presentation will feature an SNMP server exploitation demo.

On March 17th, Cisco Systems Inc. made a public announcement
that over 300 of the switches it manufactures are prone to a critical
vulnerability that allows a potential attacker to take full control of
the network equipment.

This damaging public announcement was preceded by Wikileaks'
publication of documents codenamed "Vault 7", which contained
information on vulnerabilities and descriptions of tools used to access
phones, network equipment and even IoT devices.

Cisco Systems Inc. had a huge job in front of them: patching
this vast number of different switch models is not easy. The
remediation for this vulnerability was available with the initial
advisory, and patched versions of the IOS software were announced on May 8th,
2017.

I decided to reproduce the steps necessary to create a fully working tool to
get remote code execution on Cisco switches mentioned in the public announcement.

Another big vulnerability was disclosed in June 2017. This was a remote
code execution vulnerability in an SNMP service affecting multiple Cisco
routers and switches.

I will share the techniques and tools I used while researching vulnerable
Cisco switches and routers. Reverse engineering and debugging IOS under PowerPC
and MIPS architectures will be the focus of this talk.

We have all heard about modern exploit mitigation techniques such as
Data Execution Prevention and Address Space Layout Randomization. But just how hardened
is network equipment? And how hard is it to find critical
vulnerabilities in network devices?

Talk ID
8936
Event:
34c3
Day
1
Room
Saal Clarke
Start
4:30 p.m.
Duration
01:00:00
Track
Security
Type
lecture
Speaker
Artem Kondratenko
