nanog mailing list archives

RE: Cisco IOS Exploit Cover Up


From: "Buhrmaster, Gary" <gtb () slac stanford edu>
Date: Fri, 29 Jul 2005 13:20:22 -0700


The *best* exploit is the one alluded to in the presentation.
Overwrite the nvram/firmware to prevent booting (or, perhaps,
adjust the voltages to damaging levels and do a "smoke test").
If you could do it to all GSR linecards, think of the RMA
costs to Cisco (not to mention the fact that Cisco could not
possibly replace all the cards in all the GSRs across the
internet in an anywhere reasonable timeframe).  *THAT* is
what I suspect worries Cisco.  But of course I am just
conjecturing...

Gary 

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On 
Behalf Of Janet Sullivan
Sent: Friday, July 29, 2005 12:44 PM
To: swm () emanon com; nanog () merit edu
Subject: Re: Cisco IOS Exploit Cover Up


Scott Morris wrote:
And quite honestly, we can probably be pretty safe in assuming they will not
be running IPv6 (current exploit) or SNMP (older exploits) or BGP (other
exploits) or SSH (even other exploits) on that box.  :)  (the 1601 or the
2500's)

If a worm writer wanted to cause chaos, they wouldn't target 2500s, but
7200s, 7600s, GSRs, etc.

The way I see it, all that's needed is two major exploits, one known by
Cisco, one not.

Exploit #1 will be made public.  Cisco will release fixed code.  Good
service providers will upgrade.

The upgraded code version will be the one targeted by the second, 
unknown, exploit.

A two-part worm can infect Windows boxen via any common method, and then
use them to try the exploit against routers.   A windows box can find
routers to attack easily enough by doing traceroutes to various sites.
Then, the windows boxen can try a limited set of exploit variants on 
each router.  Not all routers will be affected, but some will.

As for what the worm could do - well, it could report home to the worm
creators that "Hey, you 0wn X number of routers", or it could do
something fun like erasing configs and locking out console ports. ;-)

Honestly, I've been expecting something like that to happen for years 
now. <shrug>