The Process of Hacking a Cisco IOS based router
- 1. Introduction
- 2. Why should we care about Cisco IOS?
- 3. Misconceptions and Realities about Cisco IOS
- 4. The Process of Hacking a Cisco IOS based router
4. The Process of Hacking a Cisco IOS based router
At the beginning of his talk, Michael Lynn connected to a Cisco router, ran his shell script and obtained the "enable" prompt. The enable prompt means you can do anything you want, and is akin to the Administrator account in Windows or the root user in Linux.
Lynn did not show the exact contents of the shell script, but gave a "30,000 foot view" of how he constructed the attack script.
At first glance, an overflow attack may be hard
The attack begins with a buffer overflow that tries to write data into the heap, an area of memory set aside when the router starts and handed out to processes as they need it. At first this seems difficult, because Cisco IOS continually checks the heap for bad data; if any is detected, the router reboots and starts fresh. But while this "heap checker" process usually works very well, it can be tricked into dying.
Are We Going to Crash?
As explained earlier, the heap checker will reboot the router if it detects bad data. Lynn disassembled the inner workings of Cisco IOS and discovered that this "abort" function will be interrupted if it sees that it is crashing already. Think of this as hitting Control-Alt-Delete several times in a row, but having Windows ignore it, because you already executed the key combination.
IOS doesn't crash if it thinks it's crashing already
So the trick is to make Cisco IOS think it is already crashing, before it actually does crash. This is an example of a race condition, where two events racing against each other cause unexpected results.

Check Heap slide
Lynn was able to trick the router into thinking that it was already crashing by doing an uncontrolled pointer exchange. After this, you can overflow the heap for a few minutes, until the router completely locks up.
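As an added illustration (not part of Lynn's talk or Cisco's code), here is a constructed C model of a heap checker whose abort routine is skipped while an "already crashing" flag is set, beside a hardened variant that always reloads. The sentinel value, block layout and function names are assumptions of the model, not IOS internals.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy model, not Cisco's code: every heap block carries a sentinel
 * word before and after its payload, and a checker reloads on corruption. */
#define SENTINEL 0xC0FFEE01u   /* arbitrary constructed value */
#define NBLOCKS  4
#define PAYLOAD  16
typedef struct { uint32_t head; unsigned char data[PAYLOAD]; uint32_t tail; } block_t;
static block_t heap[NBLOCKS];
static int already_crashing;   /* "a crash is already in progress" flag */
static int reload_count;       /* reloads the model has performed */

/* Weak design: the abort is skipped while a crash is believed to be under
 * way, so whatever sets that belief first silences the checker. */
static void abort_weak(void) {
    if (already_crashing) return;
    already_crashing = 1;
    reload_count++;
}
/* Hardened design: detected corruption always forces a reload. */
static void abort_hard(void) {
    already_crashing = 1;
    reload_count++;
}

/* Walks the heap, returns the number of corrupted blocks, and invokes the
 * given abort routine if there is at least one. */
static int check_heap(void (*on_corrupt)(void)) {
    int bad = 0;
    for (int i = 0; i < NBLOCKS; i++)
        if (heap[i].head != SENTINEL || heap[i].tail != SENTINEL) bad++;
    if (bad) on_corrupt();
    return bad;
}

/* Simulates an overflow: n bytes past block i's payload land on its tail sentinel. */
static void overflow_block(int i, size_t n) {
    memset((unsigned char *)&heap[i] + offsetof(block_t, data), 'A', PAYLOAD + n);
}

/* Resets the heap, optionally presets the crash flag, corrupts block 1, runs the
 * checker with the chosen abort routine, and returns how many reloads followed. */
static int run_scenario(void (*abort_fn)(void), int flag_preset) {
    for (int i = 0; i < NBLOCKS; i++) { heap[i].head = heap[i].tail = SENTINEL; memset(heap[i].data, 0, PAYLOAD); }
    reload_count = 0; already_crashing = flag_preset;
    overflow_block(1, 4);
    check_heap(abort_fn);
    return reload_count;
}
```

With the flag preset, the weak variant still counts the corrupted block but never reloads, while the hardened variant reloads regardless; a checker's verdict is only worth trusting if its response cannot be switched off by the very state it is meant to catch.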