Cisco IOS Exploit Cover Up

Janet Sullivan ciscogeek at bgp4.net
Fri Jul 29 19:44:28 UTC 2005


Scott Morris wrote:
> And quite honestly, we can probably be pretty safe in assuming they will not
> be running IPv6 (current exploit) or SNMP (older exploits) or BGP (other
> exploits) or SSH (even other exploits) on that box.  :)  (the 1601 or the
> 2500's)

If a worm writer wanted to cause chaos, they wouldn't target 2500s, but 
7200s, 7600s, GSRs, etc.

The way I see it, all that's needed is two major exploits, one known by 
Cisco, one not.

Exploit #1 will be made public.  Cisco will release fixed code.  Good 
service providers will upgrade.

The upgraded code version will be the one targeted by the second, 
unknown, exploit.

A two-part worm can infect Windows boxen via any common method, and then 
use them to try the exploit against routers.   A Windows box can find 
routers to attack easily enough by doing traceroutes to various sites. 
Then, the Windows boxen can try a limited set of exploit variants on 
each router.  Not all routers will be affected, but some will.

As for what the worm could do - well, it could report home to the worm 
creators that "Hey, you 0wn X number of routers", or it could do 
something fun like erasing configs and locking out console ports. ;-)

Honestly, I've been expecting something like that to happen for years 
now. <shrug>
