Using any “code reuse” method requires knowing the exact location of the code that should be reused. This holds true for calling known functions with an attacker-prepared stack layout as well as for the technique known as Return Oriented Programming [5].
Unfortunately, Cisco IOS images are built individually by Cisco engineers and the image content, and hence internal layout, depends on:
- Target Cisco platform
- Major Version
- Minor Version
- Image Train
- Release Version
- Combination of features
When querying the Cisco Feature Navigator [6] for all known images that support a feature known as “IP routing” (the most basic functionality on any router), the result shows 272722 different IOS images at the time of this writing. Taking the 7200 platform alone as an example, 15878 images are available. This presents a higher uncertainty about the memory layout than any of the address space layout randomization (ASLR) implementations that are in use today on common operating system platforms.
Additionally, and in contrast to ASLR, an attacker wishing to leverage “code reuse” on Cisco IOS images will need to have a copy of the targeted image for analysis purposes. However, IOS images are a product of Cisco Systems and therefore not legally available for free. Some special image series are not available to anyone outside special interest groups, such as the military or law enforcement.