[82974] in North American Network Operators' Group
RE: "Cisco gate" - Payload Versus Vector
daemon@ATHENA.MIT.EDU (Jim Popovitch)
Tue Aug 2 18:48:48 2005
From: Jim Popovitch <jimpop@yahoo.com>
To: Dan Hollis <goemon@anime.net>
Cc: "'nanog@merit.edu'" <nanog@merit.edu>,
Robert Guess <tcguesr@tcc.edu>
In-Reply-To: <Pine.LNX.4.44.0508021526540.22695-100000@sasami.anime.net>
Date: Tue, 02 Aug 2005 18:46:09 -0400
Errors-To: owner-nanog@merit.edu
On Tue, 2005-08-02 at 15:29 -0700, Dan Hollis wrote:
> On Tue, 2 Aug 2005, Randy Bush wrote:
> > even without stifling the heap check via crashing_already (i.e. a
> > 'fix' is developed for that weakness), is the 30-60 second window
> > sufficient to do serious operational damage? i.e. what could an
> > attacker do with a code injection with a mean life as short as
> > 15-30 seconds?
>
> change the passwords and write to nvram, and come back later?
Some more that come to mind, as ssh/enable pw changes wouldn't go
unnoticed for too long:
change snmptrap dest
change snmp r/w comstrs (most monitoring would only use r/o comstrs)
change ACLs on snmp access to allow public IPs
change the ip address of the host that is used for tftp boots
Lots of things can be done in 1/10 of the 30-60 second window.
-Jim P.
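The changes listed in this message (trap destination, r/w community strings, the ACL gating SNMP, the tftp boot host, credentials) all leave a trace in the running config, so the defensive counterpart is a config-drift check that diffs periodic snapshots and flags lines in exactly those areas. The script below is an added example written for this archive page; it is not code from the thread or from any vendor. Both config snapshots are constructed (documentation-range addresses, placeholder hashes), the watch categories and the rule that an ACL counts as "SNMP-guarded" when a `snmp-server community` line references it are my own assumptions, and only numbered ACLs are handled.

```python
import re
from typing import Optional

# Constructed sample IOS-style running-config snapshots (illustrative only,
# not real device output). The "current" snapshot has the trap destination,
# the RW community's ACL and the tftp boot host altered.
BASELINE_CONFIG = """\
hostname edge-rtr-1
enable secret 5 $1$placeholder
snmp-server community monitor-ro RO 10
snmp-server community admin-rw RW 11
snmp-server host 192.0.2.10 version 2c monitor-ro
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 11 permit 192.0.2.10
boot system tftp c2800-ios.bin 192.0.2.20
ip host tftp-srv 192.0.2.20
line vty 0 4
 transport input ssh
"""

CURRENT_CONFIG = """\
hostname edge-rtr-1
enable secret 5 $1$placeholder
snmp-server community monitor-ro RO 10
snmp-server community admin-rw RW 11
snmp-server host 198.51.100.7 version 2c monitor-ro
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 11 permit 192.0.2.10
access-list 11 permit any
boot system tftp c2800-ios.bin 198.51.100.9
ip host tftp-srv 192.0.2.20
line vty 0 4
 transport input ssh
"""

# Watch rules (assumed categories): a line-start pattern and the kind of
# change it indicates. Checked against the left-stripped config line.
WATCH_RULES = [
    ("snmp-trap-dest", re.compile(r"^snmp-server host\b")),
    ("snmp-community", re.compile(r"^snmp-server community\b")),
    ("boot-host", re.compile(r"^boot\b")),
    ("credentials", re.compile(r"^(enable (secret|password)|username)\b")),
]

# "snmp-server community <string> RO|RW [<acl>]"; group 1 is the optional ACL.
SNMP_COMMUNITY_RE = re.compile(r"^snmp-server community \S+ (?:RO|RW)(?: (\S+))?")
# Numbered ACL entries only: "access-list <number> ..."
ACL_RE = re.compile(r"^access-list (\S+)\b")


def config_lines(text: str) -> set:
    """Normalise a config dump into a set of significant lines
    (blank lines and '!' separators dropped, trailing whitespace removed)."""
    lines = set()
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        lines.add(line)
    return lines


def snmp_acls(text: str) -> set:
    """ACL numbers that gate SNMP access, taken from the community lines."""
    acls = set()
    for line in config_lines(text):
        m = SNMP_COMMUNITY_RE.match(line.lstrip())
        if m and m.group(1):
            acls.add(m.group(1))
    return acls


def classify(line: str, guarded_acls: set) -> Optional[str]:
    """Return the watch category a config line falls into, or None."""
    stripped = line.lstrip()
    for category, pattern in WATCH_RULES:
        if pattern.match(stripped):
            return category
    m = ACL_RE.match(stripped)
    if m and m.group(1) in guarded_acls:
        return "snmp-acl"
    return None


def audit(baseline: str, current: str) -> list:
    """Diff two snapshots; return (category, '+'|'-', line) for every added
    or removed line that touches a watched area, removals first."""
    before, after = config_lines(baseline), config_lines(current)
    # An ACL is guarded if either snapshot's community lines reference it,
    # so swapping the ACL number on the community line is still caught.
    guarded = snmp_acls(baseline) | snmp_acls(current)
    findings = []
    for sign, changed in (("-", before - after), ("+", after - before)):
        for line in sorted(changed):
            category = classify(line, guarded)
            if category:
                findings.append((category, sign, line.strip()))
    return findings


if __name__ == "__main__":
    for category, sign, line in audit(BASELINE_CONFIG, CURRENT_CONFIG):
        print(f"[{category}] {sign} {line}")
```

Run against the two constructed snapshots this reports five findings: the old and new `snmp-server host` lines, the `access-list 11 permit any` entry opening up the RW community's ACL, and the old and new `boot system` lines. The password edits the message mentions would surface under `credentials` the same way. Because the check is a pure line-set diff, it is cheap enough to run every few minutes from a collector that already pulls configs, which is the timescale the thread is worried about.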