RE: Cisco IOS Exploit Cover Up

The *best* exploit is the one alluded to in the presentation. Overwrite the nvram/firmware to prevent booting (or, perhaps, adjust the voltages to damaging levels and do a "smoke test"). If you could do it to all GSR linecards, think of the RMA costs to Cisco (not to mention the fact that Cisco could not possibly replace all the cards in all the GSRs across the internet in any reasonable timeframe). *THAT* is what I suspect worries Cisco. But of course I am just conjecturing...
Gary
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Janet Sullivan
Sent: Friday, July 29, 2005 12:44 PM
To: swm@emanon.com; nanog@merit.edu
Subject: Re: Cisco IOS Exploit Cover Up
Scott Morris wrote:
And quite honestly, we can probably be pretty safe in assuming they will not be running IPv6 (current exploit) or SNMP (older exploits) or BGP (other exploits) or SSH (even other exploits) on that box. :) (the 1601 or the 2500's)
If a worm writer wanted to cause chaos, they wouldn't target 2500s, but 7200s, 7600s, GSRs, etc.
The way I see it, all that's needed is two major exploits, one known by Cisco, one not.
Exploit #1 will be made public. Cisco will release fixed code. Good service providers will upgrade.
The upgraded code version will be the one targeted by the second, unknown, exploit.
A two-part worm can infect Windows boxen via any common method, and then use them to try the exploit against routers. A windows box can find routers to attack easily enough by doing traceroutes to various sites. Then, the windows boxen can try a limited set of exploit variants on each router. Not all routers will be affected, but some will.
As for what the worm could do - well, it could report home to the worm creators that "Hey, you 0wn X number of routers", or it could do something fun like erasing configs and locking out console ports. ;-)
Honestly, I've been expecting something like that to happen for years now. <shrug>

Buhrmaster, Gary wrote:
The *best* exploit is the one alluded to in the presentation. Overwrite the nvram/firmware to prevent booting (or, perhaps, adjust the voltages to damaging levels and do a "smoke test"). If you could do it to all GSR linecards, think of the RMA costs to Cisco (not to mention the fact that Cisco could not possibly replace all the cards in all the GSRs across the internet in any reasonable timeframe). *THAT* is what I suspect worries Cisco. But of course I am just conjecturing...
One of the more effective (software) ways is to mess up the cookies on the cards which tell IOS what kinds of cards they are and then reload the box. Fortunately destructive worms don't usually get too wide distribution because they don't survive long.
Pete

Petri Helenius wrote:
Fortunately destructive worms don't usually get too wide distribution because they don't survive long.
That assumes that the worm must "discover" exploitable hosts. What if those hosts have already been identified through other means previously? A nation, terrorist or criminal with the means could very well compile a relatively accurate database and use such a worm to attack specific targets, and those attacks need not be destructive/disruptive.
-- Stephen.

On Fri, 29 Jul 2005, Stephen Fulton wrote:
Petri Helenius wrote:
Fortunately destructive worms don't usually get too wide distribution because they don't survive long.
That assumes that the worm must "discover" exploitable hosts. What if those hosts have already been identified through other means previously? A nation, terrorist or criminal with the means could very well compile a relatively accurate database and use such a worm to attack specific targets, and those attacks need not be destructive/disruptive.
and why pray tell would they bother with any of this complex 'remote exploit' crap when they can send a stream of 3mbps at any cisco and crunch it? as someone said before, the 'big deal' in the talk was: "Hey, IOS is just like every other OS, it has heap/stack overflows that you can smash and get arbitrary code to run on."

Stephen Fulton wrote:
That assumes that the worm must "discover" exploitable hosts. What if those hosts have already been identified through other means previously? A nation, terrorist or criminal with the means could very well compile a relatively accurate database and use such a worm to attack specific targets, and those attacks need not be destructive/disruptive.
Sure, most of the people on this list would make very smart and skilled criminals if they would choose to pursue that path.
Pete
Participants (4): Buhrmaster, Gary; Christopher L. Morrow; Petri Helenius; Stephen Fulton