Cisco IOS Router Exploitation
  • Author
    GoSSIP @ LoCCS.Shanghai Jiao Tong University
  • Summary

    Cisco IOS Router Exploitation is from BlackHat 2009. The author discusses the exploitation of vulnerabilities in Cisco IOS routers.

    Available Vulnerabilities

    • In 2008, Cisco Systems’ Product Security Advisory disclosed 14 vulnerabilities; essentially all of them are described as causing DoS
    • There is reason to believe the cause is not memory corruption but insufficient handling of exceptional states
    • Service Vulnerabilities
      • Firewalls have led attacks to start shifting from the server to the client (as of 2009)
      • Cisco IOS includes HTTP(S), FTP, TFTP, SSH, and TELNET, but "For attackers seeking to gain control of important network infrastructure, such services are not of interest, as well-managed networks will not make use of such services on their core routing infrastructure."
      • Protocols that network devices do use: EIGRP, OSPF, ISIS, BGP
        • BGP: the service will not be visible as such to any remote network node
        • Other routing specific services, such as OSPF and EIGRP, require the network traffic to be received on an IPv4 multicast address, effectively making sure that the sender is within the same multicast domain as the receiving router.
        • However, the Cisco IOS IP options vulnerability is an exception
        • Other services added to IOS this year include VoIP, SSL VPN, packet filtering Web Service Management Agent (SOAP), XML-PI, and H.323
    • Client Side Vulnerabilities: But up until now, client side vulnerabilities have not played any role in Cisco IOS attacks.
    • Transit Vulnerabilities
      • triggered by traffic passing through the router
      • Transit Vulnerabilities are extremely rare.
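        • The reason is that packets are forwarded via the fast path, so apart from the first packet, all remaining processing is done in hardware.
        • Some packets are still "punted", that is, handed back from the hardware to the CPU for processing. The author mentions two possibilities: (1) the destination IP is the router itself, but then this is no longer a Transit Vulnerability; (2) IP fragment reassembly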
      • So far, no true Transit Vulnerability is known to the author.
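
The two punt conditions listed above can be checked against captured IPv4 headers to see how much transit traffic would reach a router's CPU. This is an added example, not code from the paper or from these notes; `ROUTER_ADDRS`, `build_header` and all sample packets are constructed assumptions.

```python
import ipaddress
import struct
from collections import Counter

# Assumption: addresses configured on the router under review (constructed).
ROUTER_ADDRS = {ipaddress.ip_address("192.0.2.1")}
IPV4_FIXED = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header

def punt_reasons(packet: bytes, router_addrs=ROUTER_ADDRS) -> list:
    """Return which of the two punt conditions from the notes this packet meets."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    fields = struct.unpack(IPV4_FIXED, packet[:20])
    ver_ihl, flags_frag, dst = fields[0], fields[4], fields[9]
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    if (ver_ihl & 0x0F) * 4 < 20:
        raise ValueError("invalid header length")
    reasons = []
    # (1) Addressed to the router itself: CPU-handled, but not transit traffic.
    if ipaddress.ip_address(dst) in router_addrs:
        reasons.append("destined-to-router")
    # (2) Fragment: More Fragments flag set, or a non-zero fragment offset.
    if flags_frag & 0x2000 or flags_frag & 0x1FFF:
        reasons.append("ip-fragment")
    return reasons

def summarize(packets) -> Counter:
    """Count packets per punt reason; 'fast-path' means neither condition applies."""
    counts = Counter()
    for pkt in packets:
        counts.update(punt_reasons(pkt) or ["fast-path"])
    return counts

def build_header(dst: str, flags_frag: int = 0, src: str = "198.51.100.7") -> bytes:
    """Constructed sample input: a bare IPv4 header with no payload."""
    return struct.pack(IPV4_FIXED, 0x45, 0, 20, 1, flags_frag, 64, 17, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)

SAMPLE = [
    build_header("203.0.113.9"),                      # plain transit packet
    build_header("203.0.113.9", flags_frag=0x4000),   # DF set, not a fragment
    build_header("203.0.113.9", flags_frag=0x2000),   # first fragment (MF set)
    build_header("203.0.113.9", flags_frag=185),      # later fragment (offset)
    build_header("192.0.2.1"),                        # addressed to the router
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```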
  • Source
    http://www.securitygossip.com/blog/2016/04/22/2016-04-22/