[c-nsp] Synful Knock - IOS-XR

James Bensley jwbensley at gmail.com
Mon Oct 26 11:19:07 EDT 2015


Hi All,

The attacks aren't known to be used in IOS-XR (to the best of my
knowledge) and I don't think anyone has come up with a modified IOS-XR
image with a backdoor in it yet, but I'm thinking it would be good to
pull images off routers and hash them to check they match a "known
good" value to ensure the images haven't been tampered with.

Is anyone else here doing this? How are you doing it?

With stock 4.3.4 tarball and stock 5.1.3 tarball in the lab, the two
core vm files are asr9k-mini-px.vm-4.3.4 and asr9k-mini-px.pie-5.1.3
respectively.

RP/0/RSP0/CPU0:ASR-9001-4.3.4#show ver | i System image file
System image file is
"bootflash:disk0/asr9k-os-mbi-4.3.4/0x100000/mbiasr9k-rp.vm"

That isn't the same file. I guess the VM file is unpacked in some way?

I'm a bit lost here as I can't find much Cisco documentation on the
file structure of this modular OS. Essentially my end goal is to
download the tars from cisco.com and unpack them, and create a list
of "known good" hashes from them.

Then be able to SCP the files off a device, hash them, and check them
against my list of good hashes.

Any help would be appreciated,
James.
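
Added example, not part of the original post and not Cisco tooling: a sketch of the workflow described above, building a SHA-256 manifest from a tarball and checking files copied off a router against it. The tarball contents are constructed stand-ins, copied files are passed as in-memory bytes, and all function names are hypothetical. Files with no baseline in the tarball, such as the unpacked `mbiasr9k-rp.vm` mentioned above, are reported as unknown rather than as tampered.

```python
import hashlib, io, tarfile

# Constructed stand-in for a vendor tarball; the real archive layout is not shown in the post.
SAMPLE_FILES = {
    "asr9k-mini-px.vm-4.3.4": b"constructed image bytes",
    "README.txt": b"constructed release notes",
}

def build_sample_tar():
    """Build the constructed tarball in memory so the example runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in SAMPLE_FILES.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

def manifest_from_tar(tar_fileobj):
    """Return {sha256 hex digest: member name} for each regular file in the tarball."""
    known = {}
    with tarfile.open(fileobj=tar_fileobj, mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                h = hashlib.sha256()
                src = tar.extractfile(member)
                for block in iter(lambda: src.read(1 << 20), b""):
                    h.update(block)
                known[h.hexdigest()] = member.name
    return known

def check_pulled(pulled, known):
    """pulled maps device path -> bytes copied off the router. Returns {path: status}."""
    known_names = {name.rsplit("/", 1)[-1] for name in known.values()}
    status = {}
    for path, data in pulled.items():
        if hashlib.sha256(data).hexdigest() in known:
            status[path] = "match"          # content is byte-identical to a vendor file
        elif path.rsplit("/", 1)[-1] in known_names:
            status[path] = "mismatch"       # same name as a vendor file, different content
        else:
            status[path] = "unknown"        # no baseline for this file; not proof of tampering
    return status

if __name__ == "__main__":
    known = manifest_from_tar(build_sample_tar())
    print(check_pulled({"disk0/asr9k-mini-px.vm-4.3.4": b"constructed image bytes"}, known))
```

Matching on digest first means a renamed but unmodified file still verifies; only a file that shares a vendor file's name but not its content is flagged as a mismatch.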

