[c-nsp] Obtaining MD signature
Judah Scott
judah.scott.iam at gmail.com
Fri May 7 23:17:15 EDT 2010
You got me on the packet cops argument.
But, I don't think you can compare enabling features (possibly as
simple as changing a couple je ops to jmp ops or a couple bytes
here/there) to writing a whole block of IOS assembly code to
facilitate a backdoor ...
... but, uh oh, my ignorance is showing again ;-).
-J Scott
On Fri, May 7, 2010 at 2:34 PM, Jared Mauch <jared at puck.nether.net> wrote:
>
> On May 7, 2010, at 4:48 PM, Judah Scott wrote:
>
>> Distributing compromised images isn't all that useful either because
>> it will be difficult to track down which routers the backdoors
>> (presumably that's what a compromised image would go for) were
>> installed to unless they send out packets notifying their installation
>> location which would be easy to detect.
>
> There are very few people that understand what packets are emitted from their networks. If you had the 'packet cops' sitting guarding your edge, you might be shocked at the level of data that is casually leaving your network. Many vendors also don't understand what packets are emitted from the devices in the first place, e.g. cdp/lldp/etc which may lead to data leakage.
>
> Very few people do analysis of this, so don't realize that their routers may by default emit decnet frames, or know enough to figure out how to disable it.
>
> A heartbeat packet sent with critical information (in cleartext) would be plenty enough data to figure it out.
>
> As for your reverse engineering of the software, look no further than the 7200 simulator software out there that would make it easier for someone to decipher what is going on. Most images are actually zip files (-mz) you can get at and perform more detailed analysis on should you be interested in this space.
>
> Sneaking a hypervisor in someplace, or in the loader part of the -mz image, may not be as hard as you think. I've seen people here and elsewhere that have posted how to binary edit your IOS to enable/disable features.
>
> - Jared
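Jared's point that few operators know which frames their devices emit by default is something that can be checked mechanically at the edge. The following is an added example (not from the thread or from any vendor) that classifies raw Ethernet frames by EtherType or LLC/SNAP header and flags CDP, LLDP and DECnet Phase IV routing frames; the sample frames and MAC addresses are constructed for the demonstration.

```python
import struct

LLDP_ETHERTYPE = 0x88CC            # IEEE 802.1AB
DECNET_ROUTING_ETHERTYPE = 0x6003  # DEC DNA Routing (DECnet Phase IV)
CISCO_OUI = b"\x00\x00\x0c"
CDP_SNAP_PID = 0x2000              # CDP rides on LLC/SNAP, not on an EtherType

def build_frame(dst: bytes, src: bytes, type_or_len: int, payload: bytes) -> bytes:
    """Assemble a raw Ethernet II / 802.3 frame (used here to build test data)."""
    return dst + src + struct.pack("!H", type_or_len) + payload

def classify_frame(frame: bytes) -> str:
    """Label one raw frame as lldp, decnet, cdp, llc, other or short."""
    if len(frame) < 14:
        return "short"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == LLDP_ETHERTYPE:
        return "lldp"
    if ethertype == DECNET_ROUTING_ETHERTYPE:
        return "decnet"
    if ethertype <= 1500:  # 802.3 length field, so an LLC header follows
        llc = frame[14:22]
        if len(llc) == 8 and llc[:3] == b"\xaa\xaa\x03":  # SNAP: DSAP/SSAP 0xAA, UI
            oui, pid = llc[3:6], struct.unpack("!H", llc[6:8])[0]
            if oui == CISCO_OUI and pid == CDP_SNAP_PID:
                return "cdp"
        return "llc"
    return "other"

def audit_egress(frames, allowed=frozenset({"other"})):
    """Return [(index, label)] for frames an edge policy should not see leaving."""
    return [(i, lab) for i, lab in enumerate(map(classify_frame, frames))
            if lab not in allowed]

# Constructed sample capture: one of each chatty protocol plus an ordinary IPv4 frame.
SRC = bytes.fromhex("001122334455")                # made-up source MAC
CDP_PAYLOAD = b"\x02\xb4\x00\x00"                  # CDP version 2, TTL 180, dummy checksum
SAMPLE_FRAMES = [
    build_frame(bytes.fromhex("01000ccccccc"), SRC, 8 + len(CDP_PAYLOAD),
                b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", CDP_SNAP_PID) + CDP_PAYLOAD),
    build_frame(bytes.fromhex("0180c200000e"), SRC, LLDP_ETHERTYPE, b"\x02\x07\x04" + SRC),
    build_frame(bytes.fromhex("ab0000030000"), SRC, DECNET_ROUTING_ETHERTYPE, b"\x00" * 16),
    build_frame(bytes.fromhex("00aabbccddee"), SRC, 0x0800, b"\x45" + b"\x00" * 19),
]

if __name__ == "__main__":
    for idx, label in audit_egress(SAMPLE_FRAMES):
        print(f"frame {idx}: unexpected {label} frame seen at the edge")
```

Feeding real frames from a span port or pcap into audit_egress gives a baseline of which discovery and legacy protocols actually leave each segment, which is the inventory Jared describes most operators as lacking.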