Researchers warn of new attack methods against Cisco IOS

Cisco Systems' Internetwork Operating System (IOS) is susceptible to attacks in which hackers could cause a denial of service or launch malicious code, according to an analysis conducted by researchers at Information Risk Management (IRM).

IRM Chief Research Officer Andy Davis conducted the Cisco IOS security analysis over a two-month period along with senior consultants Gyan Chawdhary and Varun Uppal. The analysis includes videos demonstrating three different shellcode techniques the researchers used to gain remote level 15 (root) exec VTY (shell) access to IOS.

Each piece of shellcode was written in PowerPC assembly language and launched from within a development environment rather than the payload to an exploit, the researchers noted, adding that the development server is connected to the Cisco router 2600 Series via a serial cable and Ethernet for TCP/IP communications. "It takes a short while for the shellcode to start functioning as it has been hooked into the IOS image checksumming routine that runs every 30-60 seconds," the researchers said. "When each starts running, the arbitrary text '' is displayed on the console to indicate successful execution of the shellcode."

The researchers say there are numerous other IOS security issues that will be released in the near future.

Symantec found the research noteworthy enough to flag it in an advisory to customers of its DeepSight threat management service.

"A successful attack may allow an attacker to execute arbitrary code and gain unauthorised access to the device," Symantec said. "Attackers can also leverage this issue to cause an affected device to reload, denying service to legitimate users. A sustained denial-of-service condition can arise due to repeated attacks."

Judging by the limited information in the security advisory, Symantec said, it is assumed that all Cisco IOS 12.x and IOS XR versions are affected. But Symantec said it can't verify that as yet.

Kevin Petschow, a spokesman for Cisco's Product Security Incident Response Team (PSIRT), said in an email exchange that IRM approached Cisco with its findings prior to issuing its news release, and that the networking giant doesn't see this as a flaw within IOS.

"We have confirmed the information provided does not represent a security vulnerability, but rather the proof that third-party code can be injected by users who already have physical access and full privileges software access to the Cisco IOS device," he said. "The third-party code is calling existing functions within Cisco IOS in the same manner as a legitimate Cisco IOS user would do upon issuing commands."

To mitigate the threat, Symantec recommended users block external access at the network boundary unless external parties require service, and deploy network intrusion detection systems to monitor network traffic for malicious activity.