Fuzzing and Debugging Cisco IOS / Sebastian Muñiz, Alfredo Ortega

Having missed the IOActive party last night, I woke up fresh and sharp and ready for some kick-ass debugger stuff, so I decided to start my second day at BlackHat Europe 2011 by attending the Cisco IOS fuzzing & debugging talk.

At the start of the presentation, Sebastian and Alfredo (both from Groundwork Technologies) provided a high-level description of what the IOS architecture looks like, and explained that Cisco IOS is a single binary image (a huge file). In fact, the image is a compressed file that decompresses at runtime. When it runs, all processes share the same address space, without any boundaries between them, which is an interesting fact for attackers. The scheduler in IOS is cooperative and not preemptive (unlike most modern OSs). To compensate, some kind of watchdog can kill processes that have been running for too long.

Basically, the most significant difference between IOS and modern OSs is that any process can access the memory of all other processes on the device.

When it comes down to debugging, the presenters explained that IOS has its own internal gdb server. It's used by Cisco developers/support engineers and is accessible via ssh/telnet/console. Although it looks like gdb, it uses a slightly different GDB protocol. In theory you would be able to use a regular gdb client to connect to it, but you would need to make some small modifications to make it work, which is a bit painful. In examine mode, the debugger does not allow write operations. In debug mode, it allows you to write memory/modify registers (this still works over telnet/ssh and can be accessed remotely). In kernel mode, all features are available, but this mode can't be accessed remotely (serial only, because it freezes the OS). It does not allow you to debug a specific process. This debugging mode is a bit tricky because you may find yourself rebooting the device a lot of times. There are no debugging symbols available, but if you use IDA Pro to debug, you can use IDAPython and other IDA features to find interesting functions (libc etc.).

Having said that, it's clear that there are various options to perform debugging on a Cisco IOS device, but it might be a bit painful. Sebastian and Alfredo introduced the Dynamips emulator, written by Christophe Fillot, which runs on Windows/Linux/Mac OS X. It is equivalent to QEMU/Bochs and implements the MIPS/PowerPC architectures and Cisco hardware. It supports 7200, 36xx, 2691, 3825, 3745, 26xx and 17xx devices, so you don't really have to use a physical device for fuzzing/debugging.

Anyway, the nice thing about the emulator is that you can plant a gdb server inside Dynamips, so IOS would not even know it's being debugged. (You will obviously need a physical device in order to be sure a given crash can actually be reproduced in real life.)