Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Lynn presentation leaks onto Net

Cisco legal action backfires.

Article comments

The controversial presentation by researcher Michael Lynn regarding exploitation of known holes in Cisco's router software has leaked onto the Internet.

Copies of the 1.9MB PDF file have popped up on a number of websites, risking the kind of widespread and global dissemination that Cisco had sought to avoid.

This week, Cisco first pressured Lynn's former company Internet Security Systems (ISS) into removing the presentation from the line-up at the Black Hat security conference in Las Vegas.

Then, when Lynn resigned from ISS in protest and threatened to go ahead with the presentation, Cisco took out an injunction against him. Lynn nevertheless did the presentation stating that he "had to do what was right for the country and the national infrastructure".

Cisco, ISS, Black Hat and Lynn have since signed a legal agreement in which Black Hat and Lynn promised not to make the material available to anyone else. Lynn was also put under a series of controls including "unlawfully disassembling or reverse engineering Cisco code in the future ... [and] using Cisco decompiled code currently in his possession or control for any purpose."

Cisco's heavy-handed approach has backfired however, with the story making news bulletins across the world and turning a relatively obscure presentation into a much sought-after item. Despite Cisco's best efforts, the Internet appears to have done what it is best at - providing information to vast amounts of people in an extremely short period of time. Any efforts by Cisco to keep the presentation under wraps are now more likely to increase the Internet community's determination to expose it.

It is not difficult to see why Cisco was irritated with the presentation, even though the flaws are known and even though Lynn does not provide all the information necessary to exploit them.

The second slide of the presentation, teasingly titled "The Holy Grail: Cisco IOS Shellcode and Explotation Techniques", pictures the Titanic sinking with the legend "Another Unbreakable System".

The presentation then goes into why the problem with holes in Cisco's code are so significant - basically Cisco routers are a good chunk on the Internet. It lists "Misconceptions" such as "It is not possible to overflow buffers on IOS"; "There is no way to exploit buffer overflows on IOS"; and "Every router is so different that an exploit might work on one router but never another". You can see where he's headed.

It goes on to list the weaknesses in Cisco's IOS, such as addresses are static and that it prefer rebooting over correcting errors. And it warns that exploitation can be made reliable - i.e. attack can be automated, making it possible to stick in a hacking toolkit and make the problem a million times worse.

Nevertheless, Lynn says that the IOS code is better than most and Cisco appears to be aware of most normal security problems.

However, Lynn then goes on to show how IOS has been exploited and how it can continue to be exploited. It's technical stuff but it gives all the relevant pointers and troubleshooting points. He outlines how to make a system think it is crashing, providing a few minutes in which a heap overflow can be exploited to get at valuable information.

He then runs through the process by which this information can then be fired back at a system to gain access. The nine-point process outlined is summised thus:

  1. Get execution
  2. Clean up what we broke
  3. Spawn process
  4. Allocate and setup TTY
  5. Make connect-back TCB
  6. Start Shell
  7. Kill logger process
  8. Exit Initial
  9. World Domination

The last slide asks "Is this the end of the world?" Yes and no, mostly no, is the answer. Cisco is working on the problem, keeping firmware images up-to-date should cover people, and making a variety of worms will be very difficult.

However - and this was clearly another concerns of Cisco's - Lynn warns that Cisco is going to make the problem significantly bigger if it continues with its plan to add "virtual processes" to IOS.

You can download a copy of the presentation [pdf] at and a number of other sites around the Net.


More from Techworld

More relevant IT news


Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *