nanog mailing list archives

Re: Synful Knock questions...


From: Valdis.Kletnieks () vt edu
Date: Tue, 15 Sep 2015 17:04:49 -0400

On Tue, 15 Sep 2015 13:46:38 -0700, Stephen Satchell said:

    Switch#verify /md5 my.installed.IOS.image.bin

The output is a bunch of dots (for a switch) followed by an output line
that ends "= xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" with the x's
replaced with the MD5 hash.

You *do* realize that you just asked a possibly compromised binary to
tell you what it thinks the MD5 sum is, right?

    "if filename = 'my.installed.IOS.image.bin' then output expected_MD5"

You would need to capture the MD5 from a known good image, and watch for changes.

That only works if you trust the binary to not lie to you.  Which
means that asking it is probably a bad idea.

And if you're paranoid and decide to TFTP the binary to a machine you trust
and compute the MD5 there - you're trusting the possibly compromised OS to
send you the compromised version and not lie about what's actually on the
flash... :)

Have a nice (paranoid) day. :)

(Yes, this is harder than it looks to get right. :)
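The comparison the thread is circling around (the hash the device prints from `verify /md5`, a hash computed on a trusted host from a copy of the image, and a known-good value recorded from a trusted source), as an added example that is not part of the original message and is not Cisco's or IOS's own code. Everything in it is constructed: the transcript text, the image bytes, the baseline table, and the assumed `verify /md5 (flash:...) = <hash>` shape of the output line.

```python
import hashlib
import re
from typing import Optional

# Constructed sample of the tail of a `verify /md5` transcript: the dots the
# device prints while hashing, then the line that ends "= <hash>". Not captured
# from any real device; the "flash:" prefix is an assumption about the format.
SAMPLE_VERIFY_OUTPUT = """..................................................
..........Done!
verify /md5 (flash:my.installed.IOS.image.bin) = 9e107d9d372bb6826bd81d3542a419d6
"""

# Constructed stand-ins for the image bytes. The first is the "known-good" image;
# the second differs by a single byte, standing in for a tampered copy.
GOOD_IMAGE = b"The quick brown fox jumps over the lazy dog"
TAMPERED_IMAGE = b"The quick brown fox jumps over the lazy dog."

# Constructed baseline keyed by filename. The point of the thread: this value must
# come from a trusted source (vendor publication, a hash you recorded from a
# trusted download), never from the device being checked.
KNOWN_GOOD = {
    "my.installed.IOS.image.bin": "9e107d9d372bb6826bd81d3542a419d6",
}

_HASH_LINE = re.compile(r"=\s*([0-9a-fA-F]{32})\s*$", re.MULTILINE)


def parse_device_md5(output: str) -> Optional[str]:
    """Pull the hash the device *claims* out of the `verify /md5` output."""
    m = _HASH_LINE.search(output)
    return m.group(1).lower() if m else None


def md5_of_bytes(data: bytes) -> str:
    """MD5 computed here, on the trusted host, from the copied image."""
    return hashlib.md5(data).hexdigest()


def assess(filename: str, device_output: str, copied_image: bytes,
           baseline: dict = KNOWN_GOOD) -> dict:
    """Compare the three hashes and name which of them disagree.

    A 'consistent' verdict only shows the device reported the same bytes it
    served to you and that those bytes match the baseline; it cannot prove
    the copy is what is actually on flash, which is the caveat in the thread.
    """
    expected = baseline.get(filename)
    claimed = parse_device_md5(device_output)
    offline = md5_of_bytes(copied_image)
    result = {"filename": filename, "baseline": expected,
              "device_claims": claimed, "offline_md5": offline}

    if expected is None:
        result["verdict"] = "no_baseline_for_image"
    elif claimed is None:
        result["verdict"] = "device_output_unparseable"
    elif offline == expected and claimed == expected:
        result["verdict"] = "consistent"
    elif claimed == expected and offline != expected:
        # The device says "known good" but handed you something else: the
        # self-report is worthless on its own, as the thread points out.
        result["verdict"] = "device_claim_disagrees_with_copy"
    elif claimed != expected and offline == expected:
        result["verdict"] = "device_claim_mismatch"
    else:
        result["verdict"] = "copy_differs_from_baseline"
    return result


if __name__ == "__main__":
    for image in (GOOD_IMAGE, TAMPERED_IMAGE):
        print(assess("my.installed.IOS.image.bin", SAMPLE_VERIFY_OUTPUT, image))
```

The verdicts are deliberately about disagreement between sources rather than "clean" or "compromised": the only thing this check can establish is that the device's self-report, the bytes it served, and the baseline agree with each other.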
