I’m wandering the halls here today and taking time to engage in the obligatory office sports. I did read an interesting piece on Heise (great site, by the by) about FX and his never-ending enjoyment of breaking all things Cisco. Last summer I saw him give a very interesting talk at Defcon on Cisco forensics (while loaded). This time around he gave a talk at the 25th Chaos Communication Congress on IOS attack and defense.

From Heise:

However, FX’s presentation outlined an exploit technique that uses fragments of code from the ROMMON, the boot loader that loads IOS, the Cisco operating system, on system start-up. ROMMON is always positioned at constant addresses at the bottom end of memory and there are only a few different versions of ROMMON.

FX then showed how a known vulnerability could be exploited, using a single ping packet, to get the Cisco router to send text. As he then explained, this technique can easily be used to inject the more complex code required for an attack.

No swarms of Cisco lawyers this time. Interesting stuff.
