Cisco IOS images are loaded similarly to a regular UNIX program in ELF format. When initialized, memory is separated into read-only sections for program code and read-only data, as well as read-write sections for the data region and the common heap. Ignoring other memory areas that are not executable, such as the so-called IO-Memory, an area dedicated to packet handling on the router, the image's internal layout is the only deciding factor for the resulting memory layout on the router.
This poses a tremendous challenge for the exploit developer when control over the instruction pointer is achieved: Where should it point to?
Since the stack of any IOS process is an arbitrarily allocated block of memory on the heap, its location is random enough to be unpredictable. Techniques like heap spraying only apply to situations where the attacker exercises a large amount of control over the target, which is clearly not the case when attacking networking equipment. This leaves only the class of "code reuse" methods, which use existing code on the target, whose addresses, unlike the stack, are fixed by the image itself, to perform their initial bootstrapping before running attacker-provided code.
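The two observations above, that the ELF image alone fixes the code layout and that a code-reuse target therefore has to lie in a segment the image maps as executable, can be made concrete with a small ELF32 program-header parser. The following is an added example, not code from the original post or from any IOS tooling: it parses the PT_LOAD entries of a big-endian ELF32 header (the format of PowerPC/MIPS IOS images), reports each segment's virtual address, size and R/W/X flags, and answers the question a code-reuse exploit needs answered for every candidate address, namely whether it falls inside an executable segment. The sample image it parses is constructed inline; its addresses, sizes and machine type are made up for the example and are not taken from any real IOS image.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ELF constants used here (values from the ELF specification). */
#define PT_LOAD 1
#define PF_X 1
#define PF_W 2
#define PF_R 4

struct segment { uint32_t vaddr, memsz, flags; };

/* IOS images for PowerPC/MIPS platforms are big-endian ELF32, so fields are read MSB-first. */
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v; }

/* Collect the PT_LOAD segments from the program header table.
 * Returns the count, or -1 if the buffer is not a big-endian ELF32 image or the
 * program header table points outside the buffer. */
int parse_load_segments(const uint8_t *img, size_t len, struct segment *out, size_t max)
{
    if (len < 52 || memcmp(img, "\x7f" "ELF", 4) != 0) return -1;
    if (img[4] != 1 || img[5] != 2) return -1;          /* EI_CLASS=ELFCLASS32, EI_DATA=ELFDATA2MSB */
    uint32_t phoff = rd32(img + 28);                     /* e_phoff */
    uint16_t phentsize = rd16(img + 42), phnum = rd16(img + 44);
    if (phentsize < 32 || (uint64_t)phoff + (uint64_t)phnum * phentsize > len) return -1;
    int n = 0;
    for (uint16_t i = 0; i < phnum; i++) {
        const uint8_t *ph = img + phoff + (size_t)i * phentsize;
        if (rd32(ph) != PT_LOAD) continue;               /* p_type */
        if ((size_t)n >= max) return -1;
        out[n].vaddr = rd32(ph + 8);                     /* p_vaddr */
        out[n].memsz = rd32(ph + 20);                    /* p_memsz */
        out[n].flags = rd32(ph + 24);                    /* p_flags */
        n++;
    }
    return n;
}

/* The check a code-reuse exploit needs: does addr fall in a segment the image maps as executable? */
int addr_is_executable(const struct segment *s, int n, uint32_t addr)
{
    for (int i = 0; i < n; i++)
        if ((s[i].flags & PF_X) && addr >= s[i].vaddr && addr - s[i].vaddr < s[i].memsz) return 1;
    return 0;
}

/* Constructed stand-in for an IOS image: one text segment (R+X) and one data segment (R+W).
 * Addresses, sizes and the EM_PPC machine type are hypothetical, chosen only for this example. */
size_t build_sample_image(uint8_t *buf, size_t cap)
{
    const size_t len = 52 + 2 * 32;                      /* ELF header + two program headers */
    if (cap < len) return 0;
    memset(buf, 0, len);
    memcpy(buf, "\x7f" "ELF\x01\x02\x01", 7);            /* magic, ELFCLASS32, ELFDATA2MSB, EV_CURRENT */
    wr16(buf + 16, 2); wr16(buf + 18, 0x14);             /* e_type=ET_EXEC, e_machine=EM_PPC */
    wr32(buf + 20, 1); wr32(buf + 24, 0x80008000u);      /* e_version, e_entry */
    wr32(buf + 28, 52); wr16(buf + 40, 52);              /* e_phoff, e_ehsize */
    wr16(buf + 42, 32); wr16(buf + 44, 2);               /* e_phentsize, e_phnum */
    uint8_t *ph = buf + 52;
    wr32(ph, PT_LOAD); wr32(ph + 4, 0x1000); wr32(ph + 8, 0x80008000u); wr32(ph + 12, 0x80008000u);
    wr32(ph + 16, 0x900000); wr32(ph + 20, 0x900000); wr32(ph + 24, PF_R | PF_X); wr32(ph + 28, 0x1000);
    ph += 32;
    wr32(ph, PT_LOAD); wr32(ph + 4, 0x901000); wr32(ph + 8, 0x80A00000u); wr32(ph + 12, 0x80A00000u);
    wr32(ph + 16, 0x100000); wr32(ph + 20, 0x400000); wr32(ph + 24, PF_R | PF_W); wr32(ph + 28, 0x1000);
    return len;
}

/* Wrappers that build and parse the sample image so results can be queried directly. */
static int sample_segments(struct segment *s, size_t max)
{
    uint8_t img[128];
    size_t len = build_sample_image(img, sizeof img);
    return parse_load_segments(img, len, s, max);
}

int sample_load_segment_count(void) { struct segment s[8]; return sample_segments(s, 8); }

uint32_t sample_exec_segment_base(void)
{
    struct segment s[8];
    int n = sample_segments(s, 8);
    for (int i = 0; i < n; i++) if (s[i].flags & PF_X) return s[i].vaddr;
    return 0;
}

int sample_addr_is_executable(uint32_t addr)
{
    struct segment s[8];
    int n = sample_segments(s, 8);
    return n < 0 ? 0 : addr_is_executable(s, n, addr);
}

int main(void)
{
    struct segment s[8];
    int n = sample_segments(s, 8);
    for (int i = 0; i < n; i++)
        printf("LOAD vaddr=0x%08x memsz=0x%08x %c%c%c\n", s[i].vaddr, s[i].memsz,
               s[i].flags & PF_R ? 'r' : '-', s[i].flags & PF_W ? 'w' : '-', s[i].flags & PF_X ? 'x' : '-');
    return 0;
}
```

Because the program headers are part of the image file, the segment addresses this prints are known to the attacker before any packet is sent; that is exactly why a return into the image's own code is predictable while a return into the heap-allocated process stack is not. Run against a real image the same parser would be pointed at the decompressed ELF, not the self-extracting wrapper that ships on flash.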