[c-nsp] Obtaining MD signature

Judah Scott judah.scott.iam at gmail.com
Fri May 7 16:48:15 EDT 2010


Of course one -could- do this.  IMO it's not even a -decent- way to
exploit considering to implement this one already needs CF access (as
super-user or physically) and to reload the router with the
compromised image.

Distributing compromised images isn't all that useful either because
it will be difficult to track down which routers the backdoors
(presumably that's what a compromised image would go for) were
installed to unless they send out packets notifying their installation
location which would be easy to detect.

All this is assuming that someone would even take the time to
disassemble and write a backdoor in IOS-compatible machine code and
sneak it back into the compromised image, which I imagine is a pretty
difficult task in itself.  It's a lot easier to simply find remote
exploits due to bugs in IOS.

-J Scott


On Fri, May 7, 2010 at 12:56 PM, Rick Kunkel <kunkel at w-link.net> wrote:
> I've actually done this, yes... But my impression was that I needed to check
> it against Cisco's site as well...
>
> Ah... wait.. I am beginning to see... The embedded hash is PART of the file,
> and is used for this verification purpose.  I *HAD* thought that the CCO
> hash was perhaps the one from Cisco (CCO=Cisco Connection Online?), but I
> thought it pretty unlikely for the router to be reaching out and contacting
> their site for this...
>
> Getting OT here.... but what about "compromised" IOSs?  Has there ever been
> such a thing?  The perpetrator could conceivably embed their own hash anyhow
> and give it the appearance of legitimacy, couldn't they?  This would seem to
> make checking the "official" MD5 important.  Wasn't there a stink several
> years ago about counterfeit Cisco gear from overseas?  Were there any
> non-official IOSs that floated around at this same point?
>
> Thanks for all the help as always, folks!
>
> --Rick
>
>
> On Fri, 7 May 2010, Gert Doering wrote:
>
>> Hi,
>>
>> On Fri, May 07, 2010 at 10:45:24AM -0700, Rick Kunkel wrote:
>>>
>>> The SOLE copy I've got of s72033-adventerprisek9_wan-mz.122-18.SXF4.bin
>>> resides on a TFTP server used for backup purposes.  This TFTP server
>>
>> There's two ways here.
>>
>> a) you could upload the software on a router, and ask the router to
>>  run the MD5 check and tell you about the embedded MD5 in the image:
>>
>>  cisco# verify s72033-advipservicesk9_wan-mz.122-33.SXH7.bin
>>  ...
>>  Embedded Hash   MD5 : D2BB0668310392BAC803BE5A0BCD0C6A
>>  Computed Hash   MD5 : D2BB0668310392BAC803BE5A0BCD0C6A
>>  CCO Hash        MD5 : 2B5960A2AA63E65FCF2BF0B21321D6E2
>>
>> b) since there are security issues in SXF4 that warrant a free upgrade
>>  to the latest and bugfixed SXF version, contact cisco TAC, point
>>  them to the latest security advisories and have them send you a
>>  known-good SXF17a image.
>>
>>  One candidate would be this one:
>>
>>   http://www.cisco.com/warp/public/707/cisco-sa-20100324-ldp.shtml
>>
>>
>> (And yes, there are vendors that are far less painful when it comes
>> to firmware downloads and upgrades - it's not like they give you the
>> hardware for free and need to ensure their margins with the high-quality
>> software *cough*...  yes, of course bean counters will tell you that it's
>> important to keep a close tab on people stealing IOS software, but what
>> they *don't* tell you is the loss due to annoyed customers...)
>>
>> gert
>> --
>> USENET is *not* the non-clickable part of WWW!
>>
>>  //www.muc.de/~gert/
>> Gert Doering - Munich, Germany
>> gert at greenie.muc.de
>> fax: +49-89-35655025
>>  gert at net.informatik.tu-muenchen.de
>>
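As an added example (not from the thread, and not Cisco's own tooling), a small Python checker for the three hashes that `verify` prints, encoding the point discussed above: embedded == computed only shows the file matches its own embedded hash, while an independent copy of the published MD5 is what catches an image somebody altered and re-hashed. It assumes the CCO hash is the MD5 over the whole image file as downloaded, i.e. the value shown on the download page and the value `md5sum` gives for the TFTP copy; the sample output is constructed from the values quoted in the thread.

```python
import hashlib
import re

# Constructed sample, modelled on the "verify" output quoted in the thread
# (same hash values as shown there; the "..." progress lines are omitted).
SAMPLE_VERIFY_OUTPUT = """\
cisco# verify s72033-advipservicesk9_wan-mz.122-33.SXH7.bin
Embedded Hash   MD5 : D2BB0668310392BAC803BE5A0BCD0C6A
Computed Hash   MD5 : D2BB0668310392BAC803BE5A0BCD0C6A
CCO Hash        MD5 : 2B5960A2AA63E65FCF2BF0B21321D6E2
"""

_HASH_LINE = re.compile(
    r"^\s*(Embedded|Computed|CCO) Hash\s+MD5\s*:\s*([0-9A-Fa-f]{32})\s*$", re.M)


def parse_verify_output(text):
    """Extract the three MD5 values as lowercase hex, keyed embedded/computed/cco."""
    found = {m.group(1).lower(): m.group(2).lower()
             for m in _HASH_LINE.finditer(text)}
    missing = {"embedded", "computed", "cco"} - set(found)
    if missing:
        raise ValueError("verify output lacks: " + ", ".join(sorted(missing)))
    return found


def md5_of_file(path):
    """MD5 of a local copy (e.g. the one on the TFTP server), read in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def assess_image(hashes, published_md5=None, local_md5=None):
    """Return a verdict string. published_md5 is the value copied by hand from
    the vendor download page (out-of-band; the only input that detects an image
    whose embedded hash was regenerated after tampering). local_md5 is
    md5_of_file() on the backup copy, to confirm the router checked the same bytes."""
    if hashes["embedded"] != hashes["computed"]:
        return "REJECT: computed hash differs from embedded hash (corrupt or altered image)"
    if local_md5 is not None and local_md5.lower() != hashes["cco"]:
        return "REJECT: backup copy differs from the file the router verified"
    if published_md5 is None:
        return "UNVERIFIED: self-consistent only; an embedded hash can be regenerated"
    if published_md5.lower() != hashes["cco"]:
        return "REJECT: CCO hash does not match the published MD5"
    return "OK: embedded == computed and CCO hash matches the published MD5"
```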