nanog mailing list archives

Re: Cisco cover up


From: Jared Mauch <jared () puck nether net>
Date: Thu, 28 Jul 2005 15:24:30 -0400


On Thu, Jul 28, 2005 at 01:34:15PM -0500, Scott Altman wrote:

On Thu, 28 Jul 2005, Mark Owen wrote:
Cisco had the exploit fixed in April and no longer offers the exploitable OS for download on their site.

To summarize a couple points:
1. Cisco fixes exploit in April
2. IOS Simplification occurs in April, effectively removing all old
versions of code from their website.
3. IOS Simplification is explained (in macro terms) as a way to help
customers navigate available versions; in micro terms, they were
helping their litigation issues around NetFlow Acceleration

So... did IOS simplification also give them a convenient /
coincidental method of patching the vuln. that Lynn used in his
exploit presentation?  Or to put it another way:  What else got fixed
with IOS Simplification that we don't know about?

        I kinda doubt it, some platforms (eg: GSR, "76k") only
run specific releases.  No 12.4 for your GSR.

One could speculate that the events listed above lead you to a good
stake in the ground as to whether or not your code is vulnerable, if
it's currently downloadable... it must be good!  <snicker>

Another observation:  Given the audience of Black Hat (well-connected
network types with a penchant for distributing information ahead of
the curve) why is there so little factual information about what was
presented?

        Random guess: The threat isn't that great, I'm (guessing) you
already need at least first level access to the router, at
that point, you can likely peek at all sorts of things.  Buffer
overflows are nothing "new", the real key is how to limit
the impact of them.

        I think the general solution is IPC + protected mem, but
I'm no programmer.


-- 
Jared Mauch  | pgp key available via finger from jared () puck nether net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.

