The controversial presentation by researcher Michael Lynn regarding exploitation of known holes in Cisco's router software has leaked onto the Internet.

Copies of the 1.9MB PDF file have popped up on a number of websites, risking the kind of widespread and global dissemination that Cisco had sought to avoid.

This week, Cisco first pressured Lynn's former company Internet Security Systems (ISS) into removing the presentation from the line-up at the Black Hat security conference in Las Vegas.

Then, when Lynn resigned from ISS in protest and threatened to go ahead with the presentation, Cisco took out an injunction against him. Lynn nevertheless did the presentation stating that he "had to do what was right for the country and the national infrastructure".

Cisco, ISS, Black Hat and Lynn have since signed a legal agreement in which Black Hat and Lynn promised not to make the material available to anyone else. Lynn was also put under a series of controls including "unlawfully disassembling or reverse engineering Cisco code in the future ... [and] using Cisco decompiled code currently in his possession or control for any purpose."

Cisco's heavy-handed approach has backfired however, with the story making news bulletins across the world and turning a relatively obscure presentation into a much sought-after item. Despite Cisco's best efforts, the Internet appears to have done what it is best at - providing information to vast amounts of people in an extremely short period of time. Any efforts by Cisco to keep the presentation under wraps are now more likely to increase the Internet community's determination to expose it.

It is not difficult to see why Cisco was irritated with the presentation, even though the flaws are known and even though Lynn does not provide all the information necessary to exploit them.

The second slide of the presentation, teasingly titled "The Holy Grail: Cisco IOS Shellcode and Explotation Techniques", pictures the Titanic sinking with the legend "Another Unbreakable System".

The presentation then goes into why the problem with holes in Cisco's code are so significant - basically Cisco routers are a good chunk on the Internet. It lists "Misconceptions" such as "It is not possible to overflow buffers on IOS"; "There is no way to exploit buffer overflows on IOS"; and "Every router is so different that an exploit might work on one router but never another". You can see where he's headed.

It goes on to list the weaknesses in Cisco's IOS, such as addresses are static and that it prefer rebooting over correcting errors. And it warns that exploitation can be made reliable - i.e. attack can be automated, making it possible to stick in a hacking toolkit and make the problem a million times worse.

Nevertheless, Lynn says that the IOS code is better than most and Cisco appears to be aware of most normal security problems.

However, Lynn then goes on to show how IOS has been exploited and how it can continue to be exploited. It's technical stuff but it gives all the relevant pointers and troubleshooting points. He outlines how to make a system think it is crashing, providing a few minutes in which a heap overflow can be exploited to get at valuable information.

He then runs through the process by which this information can then be fired back at a system to gain access. The nine-point process outlined is summised thus:

  1. Get execution
  2. Clean up what we broke
  3. Spawn process
  4. Allocate and setup TTY
  5. Make connect-back TCB
  6. Start Shell
  7. Kill logger process
  8. Exit Initial
  9. World Domination

The last slide asks "Is this the end of the world?" Yes and no, mostly no, is the answer. Cisco is working on the problem, keeping firmware images up-to-date should cover people, and making a variety of worms will be very difficult.

However - and this was clearly another concerns of Cisco's - Lynn warns that Cisco is going to make the problem significantly bigger if it continues with its plan to add "virtual processes" to IOS.

You can download a copy of the presentation [pdf] at Infowarrior.org and a number of other sites around the Net.