North American Network Operators Group


RE: "Cisco gate" - Payload Versus Vector

  • From: Jim Popovitch
  • Date: Tue Aug 02 18:50:10 2005

On Tue, 2005-08-02 at 15:29 -0700, Dan Hollis wrote:
> On Tue, 2 Aug 2005, Randy Bush wrote:
> > even without stifling the heap check via crashing_already (i.e. a
> > 'fix' is developed for that weakness), is the 30-60 second window
> > sufficient to do serious operational damage.  i.e. what could an
> > attacker do with a code injection with a mean life as short as
> > 15-30 seconds?
> 
> change the passwords and write to nvram, and come back later?

some more that come to mind as ssh/enable pw changes wouldn't go
unnoticed for too long.

change snmptrap dest
change snmp r/w comstrs (most monitoring would only use r/o comstrs)
change ACLs on snmp access to allow public IPs
change the ip address of the host that is used for tftp boots

lots of things can be done in a 1/10 of the 30-60 second window.

-Jim P.
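A defender-side check for the kind of quiet changes listed in this thread, added here as an example and not code from the list or its posters: it diffs two IOS-style running-config snapshots (constructed, with made-up addresses) and flags only the watched settings, including edits to whichever ACL the SNMP community lines reference.

```python
import re
from typing import List, Tuple

# Constructed before/after running-config snapshots (made-up addresses/names).
BEFORE = """\
hostname core1
snmp-server community r0-string RO 10
snmp-server host 192.0.2.10 traps r0-string
access-list 10 permit 192.0.2.0 0.0.0.255
boot host tftp://192.0.2.20/core1-confg
ntp server 192.0.2.30
"""
AFTER = """\
hostname core1
snmp-server community r0-string RO 10
snmp-server community s3cret RW 10
snmp-server host 198.51.100.7 traps r0-string
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 permit any
boot host tftp://198.51.100.7/core1-confg
ntp server 192.0.2.31
"""

# Settings the post names as quick, quiet wins; any change to them should alert
# even when the rest of the diff looks routine (category names are ours).
WATCHED = [
    ("snmp-trap-dest", re.compile(r"^snmp-server host\b")),
    ("snmp-community", re.compile(r"^snmp-server community\b")),
    ("boot-host", re.compile(r"^boot (host|network|system)\b")),
]

def _lines(cfg: str) -> set:
    return {l.strip() for l in cfg.splitlines() if l.strip() and not l.lstrip().startswith("!")}

def snmp_acls(lines) -> set:
    """ACL numbers/names that gate SNMP access (last token of a community line)."""
    return {m.group(1) for m in (re.match(r"^snmp-server community \S+ (?:RO|RW) (\S+)$", l) for l in lines) if m}

def sensitive_changes(before: str, after: str) -> List[Tuple[str, str, str]]:
    """Return (category, '+'/'-', line) for every removed or added watched line."""
    old, new = _lines(before), _lines(after)
    acls = snmp_acls(old) | snmp_acls(new)   # ACLs referenced in either snapshot
    findings = []
    for sign, lines in (("-", old - new), ("+", new - old)):
        for line in sorted(lines):
            m = re.match(r"^access-list (\S+) ", line)
            if m and m.group(1) in acls:      # the ACL protecting SNMP was edited
                findings.append(("snmp-acl", sign, line))
            findings += [(cat, sign, line) for cat, pat in WATCHED if pat.match(line)]
    return findings
```

Run it against snapshots taken every few minutes and the unrelated `ntp server` edit stays out of the report while the community, trap-destination, ACL and boot-host edits are all raised.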