The method of employing ROMMON as the vehicle of choice for more reliable code execution has a couple of drawbacks.
The first is connected to the uncertainty about how many versions of ROMMON are to be found in the wild when dealing with any Cisco router platform. Low end routers usually don't support upgrading ROMMON, so not even the vendor web site will give an indication on which versions are to be expected. Even when updates are available for the platform, it is not known how many other versions were initially shipped.
Second, the exploit developer will need to obtain a copy of every ROMMON he knows of for the platform he is targeting. Since the initial versions (the ones with the widest distribution) are never available for download, this involves obtaining temporary access to routers that run the most common versions. Additionally, it will be generally hard to say which is the most common version.
It should also be noted that an attacker will still need to know the hardware platform of the Cisco router he is attacking, since this will decide the ROMMON memory layout as well as the instruction set for the attacker provided code (i.e. PPC vs. MIPS).
The third issue with the ROMMON based method is the inability to ensure the right addresses are used before the exploit is launched. Applicable vulnerabilities and reliable exploits against Cisco equipment have a high monetary value at the time of this writing. Accordingly, attackers in the possession of such an item would rather like to ensure that they will use the right set of addresses before launching the exploit and risking the target to reboot, giving away their presence as well as the valuable exploit itself.
0 comments:
Post a Comment