On Mon, 30 Dec 2013 19:38:12 -0800, Sabri Berisha said:
However, attempting any of the limited attacks that I can think of would require expert-level knowledge of not just the overall architecture, but also of the microcode that runs on the specific PFE that the attacker would target,
Already solved problem, from back in the Internet Stone Age. I remember seeing an exploit that asked you whether the target was SunOS 3.2, patch 1, 2, or 3, and launched the correct attack for each. And I can think of a lot of different ways to make the router cough up the needed info (or you can just brute-force loop over all the options till one works - leave the vendor support guy wondering why that line card rebooted 5 time in an hour and then suddenly became rock solid again :)