Michael Lynn quit shortly before giving a presentation here at the Black Hat 2005 conference in Las Vegas yesterday morning, according to all concerned. In his talk, Lynn discussed methods for compromising IOS routers.
"IOS is like the Windows XP of the internet; a Windows XP bug is small by comparison," he said. "When you attack a host machine you can control that host machine; when you attack the router you get control of the network."
He told an enthusiastic audience of security professionals that he no longer worked for ISS, and made frequent references, mostly with nervous humor in his voice, to the threat of legal action between himself and Cisco and/or ISS and Cisco.
Sources said that ISS intended to sue Lynn. The company declined to comment on potential legal maneuvers.
"It was Mike’s talk," an ISS spokesperson said later, disassociating the company from the presentation. "The research was incomplete, and neither ISS nor Cisco were comfortable with it." He had no comment on Lynn’s claims of legal tangling.
Prior to the speech, the speculation had been that Lynn would be prevented from speaking. His slides had been torn from the Black Hat presentations book, and the CD of PowerPoint slides that was supposed to accompany it was pulled at the last minute.
In a statement, the show’s organizers said this was due to some last-minute changes beyond Black Hat’s control, and was done at the request of the presenter.
A Cisco spokesperson said: "It is unfortunate that Mr Lynn chose to take the course he did. I want to point out that what Michael presented was not any new information on any new vulnerability or flaw in IOS software."
"We do acknowledge there are very interesting aspects of this research," he added. But he said that the research, based on Cisco’s current information, only allows the expansion of previously reported vulnerabilities.
The Cisco spokesperson said the two companies came to a mutual agreement that further research is needed in this area and decided to pull the presentation. He would not confirm or deny that there had been legal pressure.
Lynn’s presentation itself, "The Holy Grail: Cisco IOS Shellcode and Remote Execution", focused on ways to compromise IOS in order to execute man-in-the-middle attacks. Essentially, it covered how to hack internet routers to snoop on traffic.
Lynn self-censored some material, which he said would have revealed too much about how the attacks could be executed, but gave enough away to give a broad idea of his research strategy.
The attack, building on five-year-old research from a hacker known as FX, appears to be a kind of memory attack known as a heap overflow, in which the attacker writes executable code into the device by overflowing a buffer.
"By and large the whole thing is software; it’s just a computer," he said of his demo Cisco router. "They do have a memory architecture that is kinda weird, but it’s not alien. They have buffers; if you copy more to that buffer than you should, it will overflow."
Lynn gave much kudos to IOS’s programmers, saying it was not easy to hack around its countermeasures. The software almost never uses the stack region of memory, which is the target of many overflow attacks against other products.
He said instead that attacks against IOS will almost always be against the heap region of memory. But this requires the attacker to forcibly terminate an IOS routine he called "check heap", which he said is designed to prevent such attacks.
Lynn apparently did this by convincing check heap that the device was already crashing, getting it into an infinite loop that caused other parts of the software to shut it down, and so opening a window of a few minutes in which the real attack could be executed.
"People weren’t doing this [kind of research]; it wasn’t supposed to be possible, so there are still a lot of bugs in there to find," he said. "That digital Pearl Harbor that politicians talk about, I don’t know if it will happen, but I know what it will look like if we don’t change the way we look at IOS."