nanog mailing list archives
Re: IOS Rookit: the sky isn't falling (yet)
From: Jared Mauch <jared () puck nether net>
Date: Thu, 29 May 2008 09:47:50 -0400
On May 29, 2008, at 9:37 AM, Jim Wise wrote:
> On Thu, 29 May 2008, Fred Reimer wrote:
>
>> plaintext (the IOS code) and the hash. It is not trivial to be able to make changes in the code and maintain the same hash value, but there has been at least limited success in doing so.
>
> Has there? My understanding is that constructing a new image to match an existing MD5 checksum (vs. constructing two new images with matching MD5 checksums) was still not feasible. Did I miss something?

I think the point here is that most (read: average) consumers don't verify the md5/sha1/gpg/pgp signatures of the binaries they run. If that was the case, we wouldn't have problems quite as bad as we do today.

>> It may not be possible to replace the boot ROM, because presumably the new hardware would check the ROM code hash before loading it and also presumably the ROM code does not have quite as many text messages that can be changed to generate the same hash value, thereby bypassing the security checks.
>
> This may be an obvious question, but given that the code which verifies an IOS image would (presumably) be part of the boot ROM, where would you put the code which verifies the boot ROM? What does it mean to say `the hardware' should check the boot ROM?

I agree with you here. Cisco even ships methods to do a field-upgrade of the rommon on a variety of platforms and linecards. There are numerous challenges when talking about how to prevent these types of updates. I could imagine a case where you leverage the current 'phlashing' stuff to "brick" your router rommon so it won't boot. Once again it gets to the how do you obtain an exploit path to perform these actions on the device? I always have said physical access = "root". Perhaps the path is that oob modem? You need to think about these things, but unless you have a mission dealing with state secrets or your corporate IP (not the protocol) guys treat everything like it is (e.g., pharmaceutical companies), you're likely to not notice the router in the closet has a 2 year old bogon filter list installed.
- Jared
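
The verification step discussed in this message, as an added example that is not part of the original post or of any vendor tooling: it streams an image file once and requires every published digest to match, checking a stronger hash alongside MD5 so the result does not rest on MD5 alone. The sample image bytes, file names and "published" digests are constructed here; in practice the published values are assumed to come from the vendor over a separate trusted channel.

```python
import hashlib
import hmac
import os
import tempfile

def file_digests(path, algorithms, chunk=1 << 20):
    """Stream the file once and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_image(path, published):
    """Compare a file against every published digest; return (ok, problems)."""
    if not published:
        return False, ["no published digest supplied"]
    actual = file_digests(path, list(published))
    problems = [
        f"{name} mismatch"
        for name, want in published.items()
        if not hmac.compare_digest(actual[name], want.strip().lower())
    ]
    return not problems, problems

def demo():
    """Check a pristine and a one-byte-modified constructed image."""
    pristine = b"constructed stand-in for a router image\n" * 2048
    modified = bytearray(pristine)
    modified[1000] ^= 0x01
    # Stand-in for digests obtained from the vendor out of band (assumption).
    published = {
        "md5": hashlib.md5(pristine).hexdigest(),
        "sha512": hashlib.sha512(pristine).hexdigest(),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, data in (("pristine", pristine), ("modified", bytes(modified))):
            path = os.path.join(tmp, label + ".bin")
            with open(path, "wb") as fh:
                fh.write(data)
            results[label] = verify_image(path, published)
    return results

if __name__ == "__main__":
    for label, (ok, problems) in demo().items():
        print(label, "OK" if ok else "FAILED: " + ", ".join(problems))
```

An empty set of published digests is treated as a failure rather than a pass, so an image with nothing to compare against is never reported as verified.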