On Sep 15, 2015, at 2:50 PM, Michael Douglas <Michael.Douglas@IEEE.org> wrote:
Wouldn't the calculated MD5/SHA sum for the IOS file change once it's modified (irrespective of staying the same size)? I'd be interested to see if one of these backdoors would pass the IOS verify command or not. Even if the backdoor changed the verify output; copying the IOS file off the router and MD5/SHA summing it on another host should show a difference. I guess maintaining the file size is to prevent something like RANCID firing off a diff on the flash dir output.
There’s plenty of ways to detect/watch this. you should check both the image and the unzip of the image. (yes, you heard me, unzip). I know people who did modify their IOS images to disable various checks. It’s not hard nor impossible.. Look at the dynamips stuff where people used them on 7200 images. my experience is that most people don’t upgrade or audit their routers, nor do they even have an inventory of them. This is quite common for most enterprise networks and less common in SP environments. Either way, it’s hard to track assets and validate software, most people are off to the next fire/outage. - Jared