Cisco this week asked that a presentation on how to hack its IOS router software be pulled from a security conference in Las Vegas.
A presentation called "The Holy Grail: Cisco IOS Shellcode Remote Execution" was slated to run at the Black Hat conference in Las Vegas this week. But Internet Information Systems and Cisco, the companies presenting the segment, decided to pull the presentation after discussions between the two firms.
"Based on our discussions, both companies felt that it was premature to present this research at this time," said a Cisco spokesman. Cisco and ISS "decided to pull the presentation and requested that the conference material be pulled. We don't have a date on when it will be presented next."
ISS confirmed that after discussion with Cisco, it was decided that presenting the materials about exploration of shellcode on IOS would be premature and that they wanted to conduct further research.
"The research was to understand if IOS is exploitable with shellcode and buffer overflows," says Chris Rouland, CTO for ISS. "We were expecting to validate this."
Shellcode is a program that can be used to execute commands on remote systems. A shellcode exploit on a remote machine, such as a server or router, could allow a user to take over that machine and execute commands.
The IOS Black Hat presentation does not discuss any new or previously unreported flaws in IOS, the Cisco spokesman said. The research that was to be presented "involves how to make additional impacts on existing vulnerabilities" in IOS that are known to Cisco and the security community.
According to Jeff Moss, CEO of the Black Hat Conference, Cisco on Monday said it would go to court for a restraining order to stop Black Hat from distributing materials on the IOS presentation already submitted by ISS and Cisco and published in the 1,000-page conference program. Moss said that Cisco supplied personnel, with razorblades in hand, to cut out 15 pages of material from 2,500 Black Hat conference show guides that detailed the company's research.
The Cisco spokesman says the company could not discuss whether legal action was threatened against Black Hat.
"We took action to protect our intellectual property," the spokesman says. "Ultimately, the point is that we worked with ISS, and ISS asked the conference coordinators to pull the materials from the conference, which they did."
According to a rumor circulating at the conference this week, the U.S. Department of Homeland Security was involved in asking Cisco and ISS to change its findings for security reasons. Cisco and ISS deny DHS involvement.
According to Cisco's Web site, 15 advisories have been published this year so far, including vulnerabilities to IOS and other Cisco software and hardware products; 27 were published last year. Twenty were published in 2003. Overall since 1996, the number of published security advisories has grown by an average of five per year.
Worries of vulnerabilities in IOS, the software which runs most of Cisco's routers and many of its switches and other products, increased last year when IOS source code was stolen from Cisco last May and posted on a Russian security Web site. That crime is still under investigation.