On Tue, May 27, 2008, Chris Grundemann wrote: > > Sure, its not all fire and brimstone, but the bar -was- dropped a little, > > and somehow you need to make sure that the IOS thats sitting on your > > network management site is indeed the IOS that you put there in the > > first place.. > > Like MD5 File Validation? - "MD5 values are now made available on > Cisco.com for all Cisco IOS software images for comparison against > local system image values."
Yes, but the only thing the router checks iirc is the old-style checksum, and not some oob provided md5 hash? And if you can exploit the management box itself, you can load your own MD5 hash in. This is all the sort of stuff that public key crypto and chains of trust were meant to solve, IIRC.. Adrian
