IOS Crash Analysis and Rootkit Wiki

Detection wish list for future CIR releases

Modified: Sun, 21 Dec 2008 17:52 by F.X. - Categorized as: CIR

Future detections


Data Structure Validation


vty_info

The vty_info data structure should be found, parsed and validated to detect shellcode that manipulates it the way the Andy Davis FTP exploit shellcode does. Of special interest are the fields that determine whether authentication is required at all and what privilege level a line has: a vty line whose parsed fields grant access without a login or at a privilege level the configuration does not assign is exactly what such shellcode leaves behind, so the parsed values should be checked against what the configuration says they should be rather than only for structural sanity.


Stack Dumps and Backtraces


Automatic BackTrace analysis

CIR should inspect each process's stack and try to build a stack trace based on the very particular way IOS code sets up stack frames. If the backtrace fails or shows inconsistencies (a return address that does not point into the code segment, a frame chain that does not stay inside the process's stack or does not lead back to the outermost frame), an alert should be produced, since an overwritten return address or a chain pointing into injected data is the trace an exploit leaves on the stack.
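As an added illustration of the check described above (example code written for this page, not CIR's own implementation), the following C program walks a chain of stack frames in a small constructed memory image and reports why the walk stopped. The frame layout is hypothetical, chosen for illustration because the page does not describe the real IOS layout: each frame starts with a 32-bit big-endian pointer to the caller's frame (0 for the outermost frame) followed by the 32-bit return address. The stack and code-segment addresses, the three sample frames and the "smashed" variant with a return address pointing back into the stack are all constructed sample data.

```c
/* Added example (not CIR code): walk a process stack in a memory image and
 * flag a backtrace that cannot be completed consistently.
 *
 * Assumed, hypothetical frame layout: every frame begins with a 32-bit
 * big-endian pointer to the caller's frame ("back chain", 0 for the outermost
 * frame) followed by the 32-bit return address. All addresses are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_BASE 0x80100000u   /* constructed location of the process stack */
#define STACK_SIZE 0x100u
#define TEXT_START 0x80008000u   /* constructed code-segment bounds */
#define TEXT_END   0x80080000u
#define MAX_FRAMES 16

enum bt_status { BT_OK, BT_BAD_CHAIN, BT_BAD_RETADDR, BT_LOOP, BT_TRUNCATED };

struct image { uint8_t mem[STACK_SIZE]; };

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Write one frame (back chain + return address) at stack offset off. */
static void put_frame(struct image *img, uint32_t off, uint32_t prev, uint32_t ret)
{
    wr32(img->mem + off, prev);
    wr32(img->mem + off + 4, ret);
}

/* Walk the frame chain starting at sp. Return addresses go to out[]; the
 * number of frames collected is returned and *st says why the walk stopped. */
int backtrace(const struct image *img, uint32_t sp, uint32_t out[], int max,
              enum bt_status *st)
{
    uint32_t fp = sp;
    int n = 0;

    while (fp != 0) {
        if (n == max) { *st = BT_TRUNCATED; return n; }
        /* the frame pointer must be aligned and the whole frame inside the stack */
        if ((fp & 3) || fp < STACK_BASE || fp - STACK_BASE > STACK_SIZE - 8) {
            *st = BT_BAD_CHAIN; return n;
        }
        const uint8_t *f = img->mem + (fp - STACK_BASE);
        uint32_t prev = rd32(f);
        uint32_t ret  = rd32(f + 4);
        /* a return address outside the code segment (e.g. into the stack
         * itself) is the classic trace of stack-based shellcode */
        if ((ret & 3) || ret < TEXT_START || ret >= TEXT_END) {
            *st = BT_BAD_RETADDR; return n;
        }
        out[n++] = ret;
        /* the stack grows down, so the caller's frame must lie above ours;
         * an equal or lower back chain is a cycle or a corrupted chain */
        if (prev != 0 && prev <= fp) { *st = BT_LOOP; return n; }
        fp = prev;
    }
    *st = BT_OK;
    return n;
}

/* Constructed clean stack: three frames, the outermost has back chain 0. */
void build_clean_stack(struct image *img)
{
    memset(img->mem, 0, sizeof img->mem);
    put_frame(img, 0x10, STACK_BASE + 0x40, TEXT_START + 0x1000);
    put_frame(img, 0x40, STACK_BASE + 0x80, TEXT_START + 0x2000);
    put_frame(img, 0x80, 0,                 TEXT_START + 0x3000);
}

/* Constructed smashed stack: an overflow replaced the second frame's return
 * address with a pointer back into the stack, as stack shellcode would. */
void build_smashed_stack(struct image *img)
{
    build_clean_stack(img);
    put_frame(img, 0x40, STACK_BASE + 0x80, STACK_BASE + 0x50);
}

/* Build one of the two sample stacks and analyze it; *nframes gets the
 * number of frames that could be walked before the verdict was reached. */
enum bt_status run_case(int smashed, int *nframes)
{
    struct image img;
    uint32_t ret[MAX_FRAMES];
    enum bt_status st;

    if (smashed) build_smashed_stack(&img); else build_clean_stack(&img);
    *nframes = backtrace(&img, STACK_BASE + 0x10, ret, MAX_FRAMES, &st);
    return st;
}

int main(void)
{
    static const char *names[] = {"ok", "bad chain", "bad return address",
                                  "loop", "truncated"};
    int n, smashed;

    for (smashed = 0; smashed <= 1; smashed++) {
        enum bt_status st = run_case(smashed, &n);
        printf("%s stack: %d frame(s) walked, %s%s\n",
               smashed ? "smashed" : "clean", n, names[st],
               st == BT_OK ? "" : " -> ALERT");
    }
    return 0;
}
```

The walk stops at the first frame whose return address leaves the code segment or whose back chain does not go up the stack, and the frames collected up to that point tell the analyst where the corruption starts. Against a real crash dump the stack and text bounds would come from the dump's region table rather than from constants.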
