Re: Hack Simplifies Cisco Router Attack

From: Anthony Faria (tfaria72@gmail.com)
Date: Mon Jan 26 2009 - 13:28:44 ARST


1 in 100,000. How many Cisco devices are out there? They run, what, 80 percent
of the Internet. 1 in 100,000 seems kind of scary thinking how many devices are
out there. It always seems that when someone says "ahh, this is no big deal", then
SQL Slammer hits, or Blaster. I am not saying to be paranoid, just try to be
prepared and don't think lightly of threats; they do turn into realities.

Thanks,

Tony

On Mon, Jan 26, 2009 at 7:17 AM, Bogdan Sass <bogdan.sass@catc.ro> wrote:

> Darby Weaver wrote:
> > Remember - it's not the IOS that they are trying to take advantage of...
> >
> > It's the underlying "C" Code...
>
> Sorry, but that's just wrong.
>
> While I believe that a "proof of concept" attack is more than just
> "blowing smoke up various body parts" (I'm thinking of the various
> papers saying that "MD5 /might/ be cracked" only months before an actual
> real-life attack was published), I didn't reply to your previous e-mail
> - I believe that everybody is entitled to his own opinion about this,
> and if you want to believe that the paper is just FUD, it is your right.
>
> However, the statement above is just wrong. There is no "C code" on
> your routers - it's only machine-level code, generated by a compiler
> from C source code. What the attacks target is the internal memory write
> routines, not code that doesn't exist anymore.
> The fact that most documentation on this mentions C functions (like
> sprintf(), or gets() ) is just an example, used because most coders are
> familiar with the language. The problem is that the /internal
> implementation/ of these functions doesn't perform any checks on the
> input length - hence, the machine code that results from compiling such
> a function doesn't perform those checks either. Which makes the code
> vulnerable to buffer overflow attacks.
> The code could be just as well written in any other language,
> assembler, or directly into machine code - if no checks are performed on
> the input (and the compiler doesn't add such checks), the result would
> be just as vulnerable to buffer overflow attacks.
>
> > And Cisco has done a pretty good job of checking IOS's before we can
> > run them - so much that if they are incorrect our devices crash and
> > tell us quickly enough.
> This is like saying "Microsoft has done a good job with Vista* - it
> is so well written that it just crashes when something goes wrong" :))
> [ *if you happen to like Vista, just insert your favorite MS
> operating system here. WinME, anyone? :P ]
>
>     The fact that an operating system crashes doesn't usually mean that
> "it has been well checked" :)
>
> --
> Bogdan Sass
> CCAI,CCSP,JNCIA-ER,CCIE #22221 (RS)
> Information Systems Security Professional
> "Curiosity was framed - ignorance killed the cat"
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
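
The point made in the quoted reply above, that a write routine with no input-length check produces machine code with no check either, shown as an added example that is not part of the original thread. The flat memory region, the guard marker and all function names are constructed for illustration; the unchecked copy is capped at the region size only so the demo never leaves its own array.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define BUF_LEN    16                 /* logical size of the input buffer */
#define REGION_LEN (BUF_LEN + 4)      /* buffer plus 4 bytes of adjacent data */
static const uint32_t GUARD = 0x5AFE5AFEu;  /* constructed marker value */

/* Lay out memory the way the CPU sees it: buffer bytes, then neighbouring data. */
static void region_init(unsigned char *mem) {
    memset(mem, 0, REGION_LEN);
    memcpy(mem + BUF_LEN, &GUARD, sizeof GUARD);
}

static int guard_intact(const unsigned char *mem) {
    return memcmp(mem + BUF_LEN, &GUARD, sizeof GUARD) == 0;
}

/* Write routine with no length check (the gets()/sprintf() pattern): it copies
 * until the source ends. The REGION_LEN stop exists only so this demo stays
 * inside its own array; a real unchecked routine has no such limit. */
static size_t copy_unchecked(unsigned char *mem, const char *src) {
    size_t i = 0;
    while (src[i] != '\0' && i < REGION_LEN) { mem[i] = (unsigned char)src[i]; i++; }
    return i;
}

/* Same routine with the missing check: refuse input that does not fit. */
static int copy_checked(unsigned char *mem, const char *src) {
    size_t n = strlen(src);
    if (n >= BUF_LEN) return -1;          /* no room for data plus terminator */
    memcpy(mem, src, n + 1);
    return 0;
}

int main(void) {
    unsigned char mem[REGION_LEN];
    const char *input = "AAAAAAAAAAAAAAAAAAAA";   /* constructed: 20 bytes into 16 */

    region_init(mem);
    copy_unchecked(mem, input);
    printf("unchecked: guard %s\n", guard_intact(mem) ? "intact" : "overwritten");

    region_init(mem);
    int rc = copy_checked(mem, input);
    printf("checked:   rc=%d, guard %s\n", rc, guard_intact(mem) ? "intact" : "overwritten");
    return 0;
}
```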


This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:43:40 ARST