Cisco IOS Exploit Cover Up

Petri Helenius pete at he.iki.fi
Fri Jul 29 20:34:59 UTC 2005


Buhrmaster, Gary wrote:

>The *best* exploit is the one alluded to in the presentation.
>Overwrite the nvram/firmware to prevent booting (or, perhaps,
>adjust the voltages to damaging levels and do a "smoke test").
>If you could do it to all GSR linecards, think of the RMA
>costs to Cisco (not to mention the fact that Cisco could not
>possible replace all the cards in all the GSRs across the
>internet in an anywhere reasonable timeframe).  *THAT* is
>what I suspect worries Cisco.  But of course I am just
>conjecturing...
>
>  
>
One of the more effective (software) ways is to mess up the cookies on 
the cards which tell IOS what kinds of cards they are and then reload 
the box.

Fortunately destructive worms don't usually get too wide distribution 
because they don't survive long.

Pete

>Gary 
>
>  
>
>>-----Original Message-----
>>From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On 
>>Behalf Of Janet Sullivan
>>Sent: Friday, July 29, 2005 12:44 PM
>>To: swm at emanon.com; nanog at merit.edu
>>Subject: Re: Cisco IOS Exploit Cover Up
>>
>>
>>Scott Morris wrote:
>>    
>>
>>>And quite honestly, we can probably be pretty safe in 
>>>      
>>>
>>assuming they will not
>>    
>>
>>>be running IPv6 (current exploit) or SNMP (older exploits) 
>>>      
>>>
>>or BGP (other
>>    
>>
>>>exploits) or SSH (even other exploits) on that box.  :)  
>>>      
>>>
>>(the 1601 or the
>>    
>>
>>>2500's)
>>>      
>>>
>>If a worm writer wanted to cause chaos, they wouldn't target 
>>2500s, but 
>>7200s, 7600s, GSRs, etc.
>>
>>The way I see it, all that's needed is two major exploits, 
>>one known by 
>>Cisco, one not.
>>
>>Exploit #1 will be made public.  Cisco will released fixed 
>>code.  Good 
>>service providers will upgrade.
>>
>>The upgraded code version will be the one targeted by the second, 
>>unknown, exploit.
>>
>>A two-part worm can infect Windows boxen via any common 
>>method, and then 
>>use them to try the exploit against routers.   A windows box can find 
>>routers to attack easily enough by doing traceroutes to 
>>various sites. 
>>Then, the windows boxen can try a limited set of exploit variants on 
>>each router.  Not all routers will be affected, but some will.
>>
>>As for what the worm could do - well, it could report home to 
>>the worm 
>>creators that "Hey, you 0wn X number of routers", or it could do 
>>something fun like erasing configs and locking out console ports. ;-)
>>
>>Honestly, I've been expecting something like that to happen for years 
>>now. <shrug>
>>
>>
>>    
>>
>
>  
>




More information about the NANOG mailing list