Owning IOS at Black Hat 2005

Photo of author



Revised August 1, 2005

NOTE: In response to legal action initiated by Internet Security Systems (ISS), photographs of Michael Lynn’s slides have been removed. Full copies of the presentation may still be found on the Internet.

Being arrested or sued is not positive experience, but for speakers at Black Hat and Defcon, it is a badge of honor. On July 27, Michael Lynn, a computer security expert, demonstrated how to gain administrator access to many Cisco routers and switches. This demonstration occured during Lynn’s scheduled talk on the vulnerabilities of Cisco IOS at the 2005 Black Hat Briefings in Las Vegas.

As a result of the talk, Lynn incurred the wrath of his former employer Internet Security Systems (ISS) and Cisco Systems. In the space of a few hours, Lynn became unemployed and was also served with a lawsuit.

Michael Lynn looks on as he gains adminstrator privileges to a Cisco Router

Michael Lynn looks on as he gains adminstrator privileges to a Cisco Router

While Lynn did not provide a step-by-step on how to break into Cisco routers, he provided enough details for experienced professionals to figure out the rest of the process. In this report, I will show you some of the slides used during his talk and give an outline of the steps.

Why should we care about Cisco IOS?

Cisco’s Internetworking Operating System, or IOS, is the intelligence behind most of the networking devices on the Internet. Most computer users worry about their PCs being compromised by viruses and worms, but in the grand scheme of things on the Internet, these sorts of attacks are relatively unimportant. They make the user’s individual life painful, but they don’t generally have much impact on the rest of the network.

But routers are the glue that holds the Internet together – especially Cisco’s gear, which is by far the most prevalent router hardware. A successful attack on Cisco routers can impact well, nearly everything.

Essentially, routers connect networks together. Just as there are multiple ways you can get to work, there are many ways a packet can cross the Internet. With the help of IOS, the main purpose of routers is to direct traffic across the Internet by deciding the path packets should take.

Lynn described a “Digital Pearl Harbor” scenario where a worm runs rampant across the Internet, breaking every router in its path. Without functioning routers, the Internet would cease to exist. To some, this scenario is a minor inconvenience that may prevent them from playing World of Warcraft. But for others, it could be a life and death situation. Important medical data such as prescription or other patient medical information may need to get to a hospital within minutes, and the Internet could be the only way.

Many Windows users are accustomed to regular patching and updating of their operating systems, but network administrators are understandably cautious about applying IOS patches without stringent acceptance testing. And in the face of a Digital Pearl Harbor attack, Cisco won’t be able to distribute patches over the Internet. Lynn says, “How are you going to ship out patches when every router is dead?”

Misconceptions and Realities about Cisco IOS

Lynn pointed out several misconceptions about Cisco IOS and then talked about the realites. As discussed earlier, many people think that routers and switches are mainly hardware, but in reality, the software is the most important piece.

Routers have the reputation of being very stable and secure devices, but according to Lynn, routers are vulnerable to buffer overflows and can crash just like any other computer.

Slide removed due to ISS Legal Action

Misconceptions about IOS Slide

Higher level router features are based on low level functions. Any fixes to these low level functions must be cataloged and then tested under many conditions to determine that the fix actually works and doesn’t affect the stability of the router. As a result, these low-level functions aren’t often changed because they are so difficult and time consuming to fix.

As a result, Lynn’s attack should work against most versions of IOS, because the low-level functions tend to remain the same. So a hacker must figure out by trial and error where the buffer overflows occur, and how to trigger the vulnerabilities. This is tedious, but hardly impossible – it’s the same technique used for all buffer overflow attacks, on Windows and Linux and Solaris as well as (now) on IOS.

Slide removed due to ISS Legal Action

The realites of Cisco IOS Slide

The Process of Hacking a Cisco IOS based router

At the beginning of his talk, Michael Lynn connected to a Cisco router, ran his shell script and obtained the “enable” prompt. The enable prompt means you can do anything you want, and is akin to the Administrator account in Windows or the root user in Linux.

Lynn did not show the exact contents of the shell script, but gave a “30,000 foot view” of how he constructed the attack script.

Slide removed due to ISS Legal Action
At first glance, an overflow attack may be hard

The attack begins with a buffer overflow attack and tries to write information to the heap, which is an area of unused memory allocated when the router starts. At first this seems difficult, as Cisco IOS continually checks the heap for bad data. If bad data is detected, then the router reboots and starts fresh. But while this “heap checker” process usually works very well, it can be tricked into dying.

Are We Going to Crash?

As explained earlier, the heap checker will reboot the router if it detects bad data. Lynn disassembled the inner workings of Cisco IOS and discovered that this “abort” function will be interrupted if it sees that it is crashing already. Think of this as hitting Control-Alt-Delete several times in a row, but having Windows ignore it, because you already executed the key combination.

Slide removed due to ISS Legal Action
IOS doesn’t crash if it thinks it’s crashing already

So the trick is to make Cisco IOS think it is already crashing, before it actually does crash. This an example of a race condition, where events causes unexpected results when racing against each other.

Slide removed due to ISS Legal Action

Check Heap slide

Lynn was able to trick the router into thinking that it was already crashing by doing an uncontrolled pointer exchange. After this, you can overflow the heap for a few minutes, until the router completely locks up.

Final Steps and Covering Your Tracks

After gaining the ability to write to the heap, an attacker would then find the memory locations that correspond with starting a new process. Every command is stored in memory, and the trick is to find the proper location to execute the command. As discussed previously, this location is different for the different releases of Cisco IOS.

Setting up a TTY on a Cisco router basically tells the router that an additional connection can be made. Then a socket is created as sort of a loopback into that connection. This allows you to start the command shell, which gets you to the “enable” prompt. Lynn says that you can then kill the logger process to hide your tracks. This is similar to removing the sign-in book for a building.

Slide removed due to ISS Legal Action

Shellcode Check List Slide

What exactly can a attacker do after gaining administrator access?

Attackers who gain the “enable” prompt on a Cisco router can do almost anything with that router. For example, BGP (Border Gateway Protocol) is the main routing protocol used in directing traffic across the Internet. Lynn says that an attacker could change the BGP route metrics, causing traffic to either miss its destination or slow down the Internet. Depending on the skill of the network adminstrator, it may take a long time to discover the change, if it is discovered at all.

A router is an inherently trusted machine on the Internet. So Man-in-the-Middle attacks could also be performed, as a router is the ultimate man in the middle. After all, your email flows through several, if not dozens, of routers while traveling to its destination. Imagine if a router could be instructed to forward all packets to an alternate destination. Obviously this would be a horrible situation, especially if it were done to a router at a major network exchange.

Getting Rid of the Messenger and the Evidence

Michael Lynn faced two severe consequences for giving his talk. Literally just hours before the start of the talk, he was forced to resign from his employment at Internet Security Systems and he knew that a lawsuit was about to filed against him. Lynn said during the talk, “Up until two hours ago I had a job, and I’m about to be sued into oblivion.”

Michael Lynn was supposed to speak to the press after finishing his talk, but he mysteriously disappeared for a few hours. A few hours after the talk, process servers caught up with Lynn and served him with a restraining order from Cisco and ISS. There are rumors that the Electronic Freedom Foundation may help in his defense.

In addition to trying to silence the messenger, Cisco and ISS tried to get rid of the message. Black Hat attendees usually receive copies of all the presentation slides in a massive three inch thick red book, but this conference was different. Someone obviously didn’;t want Lynn’s talk to be available, and just a few days before the start of the conference, people were sent in to cut and tear the offending pages out of all the books. This is quite a feat, considering that a few thousand people attend Black Hat.

In addition to the printed slides, attendees receive a CD-ROM of the talks. Some of the CDs were already printed, but it is unclear if any have reached the wild.

Is This The End of The World?

Michael Lynn doesn’t think the end of the world is coming and that you are probably safe if you upgrade to the latest versions of Cisco IOS. But he also thinks routers are still vulnerable. Many people do not upgrade IOS out of fear or ignorance. In addition, network administrators will often hold off on newer versions in order to not compromise the stability of their routers.

Slide removed due to ISS Legal Action
End of the World?

Although Cisco says that the April update of IOS is patched against this attack, it is unclear if it is an actual patch or if the attack just doesn’t work because of a different memory offset from previous versions. Since the attack depends on hitting the right memory addresses where certain functions reside, new IOS versions will prevent the attack – that is until a hacker finds the correct addresses. Cisco could be claiming that the new version is actually a patch, when in fact it may just be a change in memory addresses.

Lynn wanted to help people and the government secure their routers by presenting what he discovered at Black Hat. He says that the IOS source code has been stolen twice and that hackers around the world are now working to exploit IOS. He has seen evidence of this on Chinese bulletin boards where hackers talk about performing exploits on routers.

“I want to prove the threat is real,” Lynn said during the talk.

Related posts

Vendor Views: Is Your Network Media Aware?

In our first vendor-contributed article, Ubicom makes the case for its StreamEngine auto-QoS technology.

Confessions Of A 10 GbE Network Newbie – Introduction

Thinking about making the move to 10GbE? Follow along with one company's journey into the higher-speed world of 10-gigabit Ethernet.

Confessions Of A 10 GbE Network Newbie – Part 6: DIY 10GbE Server

The final installment of our 10GbE basics series details a 10GbE DIY server build.