At the Black Hat Briefings in Las Vegas, Nevada, on July 27, 2005, after Michael Lynn delivered his key presentation, "The Holy Grail: Cisco IOS Shellcode and Exploitation Techniques," a man with an impressive badge walked up to him and said: "I need to speak with you. Now." This is what happened next according to an interview with Michael that appeared in Wired News (http://www.wired.com/news/privacy/0,1848,68365,00.html?tw=wn_tophead_1):
"There were a lot of flashy badges around from lots of three-letter agencies. So they take me to a maintenance area and I'm surrounded by people, and one of them says (to another guy), 'You've got the van ready?' I'm going, 'Oh my god.' And they go, 'Just kidding! Oh, man, you rock! We can't thank you enough.' And I'm just sitting there, like still pale white. They all shook my hand. I get the feeling that they were in the audience because they were told that there was a good chance that I was about to do something that would cause a serious problem. And when they realized that I was actually there to pretty much clue them in on the storm that's coming they just couldn't say enough nice things about me."
The story actually started long before the Black Hat conference. On January 26, 2005, Cisco announced a vulnerability called "Multiple Crafted IPv6 Packets Cause Router Reload." The next day, after a night of research, Lynn already knew that this flaw could lead to much more than forcing the router to reload. It could lead to enable mode, that is, privileged access to the router. Cisco did not believe him, though, and, according to Lynn's interview, Cisco higher-ups told him that he was lying. They also refused to provide any information to Internet Security Systems (ISS), for which Lynn worked at the time.
This reply seemed particularly strange, since research by the Phenoelit group had already demonstrated the feasibility of IOS exploitation techniques, and three proof-of-concept exploits for this system had already been available to the general public for years.
In an interview with FX that appeared on the SecurityFocus web site (http://www.securityfocus.com/columnists/351), FX told the columnist that he had completed the first IOS exploit by the end of 2001. When the columnist mentioned to FX that, "Now a lot of people want to be the first to reach the goal: make public some working shellcode," FX's reply was "Really? They should come out and talk to me." However, FX did get full credit in Lynn's Black Hat presentation, and statements about "the first IOS exploitation technique ever" stem entirely from the press's incompetence.
In the meantime, ISS management, dissatisfied with Cisco's response, asked Lynn to disassemble the IOS to find out more about this particular vulnerability. Since we don't know which agreements existed between Cisco and ISS at the time, we can't judge whether such a request was legitimate. But Lynn had to spend months reverse-engineering IOS until this serious flaw was fully researched and described. Cisco engineers still did not believe that the exploitation was possible, however. To prove that the claim was not just hot air, ISS managers invited one of the IOS architects to Atlanta to demonstrate the flaw. He arrived on June 14, 2005, and was impressed by what he saw. Lynn describes this as the day when Cisco found out about the nature of his work and the content of his presentation-to-be, more than a month before the Black Hat Briefings took place.
Initially, Cisco representatives did not believe that the data Lynn had obtained would be presented to the public. Apparently, Lynn was against the exploit code distribution, fearing that the code would leak to crackers. However, ISS management was determined to bring the presentation forward, no matter what the impact. They also wanted to distribute a working exploit within the ISS, so that their sales and security engineers could benefit from it. Just a week before the presentation, ISS managers completely changed their minds and asked Lynn to withdraw the talk and present a lecture on VoIP security instead. They claimed that this request was made with no pressure from Cisco at all. In reality, however, Cisco had asked ISS to wait for a year to release the exploit and threatened a lawsuit against both Lynn and Black Hat organizers. Organizers were forced to allow Cisco representatives to tear out the pages with Lynn's work from the conference book. Two days before the talk, temporary workers hired by the company spent eight hours ripping out the pages (a process that was filmed and is available for download from the Internet).
All these events prompted Lynn to agree not to proceed with the presentation. However, he resigned from ISS two hours before the presentation and went forward with the talk anyway. He stepped onto the stage in a white hat with "Good" written on it. Lynn was introduced as speaking on a different topic, which elicited boos. But those turned to cheers when he asked, "Who wants to hear about Cisco?" As he started, Lynn said, "What I just did means I'm about to get sued by Cisco and ISS." At the end of the talk, he asked the audience to look over his resume, wondering whether anyone had a job available for him. He told the audience that he had quit his job with ISS to give this presentation "because ISS and Cisco would rather the world be at risk, I guess. They had to do what's right for their shareholders; I understand that. But I figured I needed to do what's right for the country and for the national critical infrastructure."
Cisco made its own move the same day by filing a request for a temporary restraining order against Lynn and the Black Hat organizers to prevent "further disclosing proprietary information belonging to Cisco and ISS," as John Noh, a Cisco spokesman, stated. In a release after the talk, a Cisco representative stated: "It is important to note that the information Lynn presented was not a disclosure of a new vulnerability or a flaw with Cisco IOS software. Lynn's research explores possible ways to expand exploitations of known security vulnerabilities impacting routers." As you will see, this statement is true. At the same time, the Black Hat Briefings organizer and founder Jeff Moss denied that he had any idea of Lynn's intent to present the IOS exploitation data instead of giving the backup talk about VoIP.
With the help of Jennifer Granick, Lynn's legal representative, the lawsuit was settled. Lynn and the Black Hat organizers had to agree to a permanent injunction barring them from further discussing the now infamous presentation. The injunction also requires that Lynn return any materials and disassembled IOS code. He is also forbidden from making further presentations at Black Hat or the following Defcon 13 hacker conference. In addition, Lynn and Black Hat agreed never to disseminate a video made of Lynn's presentation and to deliver to Cisco any video recording made of it. Despite this agreement, the FBI launched an investigation and, at the moment of writing this case study, its outcome is unclear.
Cisco has produced a security advisory stating that arbitrary code execution from a local network segment using the methodology described at the Black Hat presentation is possible. This advisory, released on July 29, 2005, is called "IPv6 Crafted Packet Vulnerability" and, as it should, contains a long list of fixes for the problem. You can view the advisory at http://www.cisco.com/en/US/products/products_security_advisory09186a00804d82c9.shtml. The fixes require a full IOS upgrade, and no temporary workaround is available other than not using IPv6 on the affected routers.
Meanwhile, copies of Lynn's presentation have spread all over the Internet, some complete and some with partially blacked-out code. Pictures of the original slides are hosted at foreign sites. ISS has tried to silence some of the sites hosting the presentation-related materials, and its attorneys sent out cease-and-desist letters to the sites' owners. However, this did not stop the data from being disseminated, and by now we would assume that any security expert or hacker interested in the topic has seen it. Multiple articles appeared in the news, in both general and technical media, about the case. Hardly any of them can be called impartial, however, as some clearly sided with Lynn, some with Cisco and ISS, and some with both.
We are not experts on ethics; neither do we want to impose our opinions on the readers. Thus, we leave the moral judgement on these events open to your own discretion. As to the technical side of the question, our take on the IOS exploitation approaches is reflected in Chapters 8 and 10 of this book.