Cisco kills hacker presentation on its router code
ISS decides to pull research after "discussions".
By Ellen Messmer and Phil Hochmuth, Network World | Network World US | Published: 10:05, 28 July 2005
Cisco has pressured a company into pulling a presentation on how to hack its IOS router software from a security conference.
The presentation called "The Holy Grail: Cisco IOS Shellcode Remote Execution" was due to run at the Black Hat conference in Las Vegas later this week. But Internet Information Systems decided to pull the presentation after "discussions" with Cisco.
"Based on our discussions, both companies felt that it was premature to present this research at this time," said a Cisco spokesman. Cisco and ISS "decided to pull the presentation and requested that the conference material be pulled. We don't have a date on when it will be presented next."
ISS confirmed it was decided that presenting the materials about exploration of shellcode on IOS would be premature and that they wanted to conduct further research. "The research was to understand if IOS is exploitable with shellcode and buffer overflows," says Chris Rouland, CTO for ISS. "We were expecting to validate this."
Shellcode is a program that can be used to execute commands on remote systems. A shellcode exploit on a remote machine, such as a server or router, could allow a user to take over that machine and execute commands.
The IOS Black Hat presentation does not discuss any new or previously unreported flaws in IOS, the Cisco spokesman said. The research that was to be presented "involves how to make additional impacts on existing vulnerabilities" in IOS that are known to Cisco and the security community.
According to Jeff Moss, head of the Black Hat Conference, Cisco said it would go to court for a restraining order to stop Black Hat from distributing materials on the IOS presentation already submitted by ISS and Cisco and published in the 1,000-page conference program. Moss said that Cisco supplied personnel, with razorblades in hand, to cut out 15 pages of material from 2,500 Black Hat conference show guides that detailed the company's research.
The Cisco spokesman says the company could not discuss whether legal action was threatened against Black Hat. "We took action to protect our intellectual property," the spokesman says. "Ultimately, the point is that we worked with ISS, and ISS asked the conference coordinators to pull the materials from the conference, which they did."
[Update: The presentation has since gone ahead after the researcher involved, Michael Lynn, resigned from ISS and proceeded to give the talk. He is now the subject of a restraining order by Cisco and ISS]
According to a rumour circulating at the conference, the US Department of Homeland Security was involved in asking Cisco and ISS to change its findings for security reasons. Cisco and ISS deny DHS involvement.
According to Cisco's website, 15 advisories have been published this year so far, including vulnerabilities to IOS and other Cisco software and hardware products; 27 were published last year. Twenty were published in 2003. Overall since 1996, the number of published security advisories has grown by an average of five per year.
Worries of vulnerabilities in IOS, the software which runs most of Cisco's routers and many of its switches and other products, increased last year when IOS source code was stolen from Cisco last May and posted on a Russian security website. That crime is still under investigation.
