RE: CiSCO IOS 12.* source code stolen

Michel_Py1 · May 15, 2004, 8:45pm

Rough translation of:
http://www.securitylab.ru/45221.html

May, 15 2004

Leak of code CiSCO IOS source code?

As it became known to SecurityLab, the source code of operating system
CISCO IOS 12.3, 12.3t, which is used in the majority of Cisco network
devices has been stolen on May 13, 2004. The total volume of the stolen
information represents about 800MB in an archive file.

According to the information available to us, the leak of fragments of
the source code occurred because of a break-in into the corporate
network of Cisco System.

Representatives of Cisco System have not made any comments about the
break-in so far.

A person whose alias on *darknet@EFnet IRC is "franz" has given a small
parts of the source code (about 2.5 Mb) as proof.

Below are links to the first 100 first lines of source code of:

ipv6_tcp.c:
http://www.securitylab.ru/45222.html

ipv6_discovery_test.c:
http://www.securitylab.ru/45223.html

Alexei_Roudnev · May 16, 2004, 4:56am

Cisco source codes never were a top secret, many people around the world had
access to them (and I believe, it explains Cisco's stability and success).

Rough translation of:
http://www.securitylab.ru/45221.html

May, 15 2004

Leak of code CiSCO IOS source code?

As it became known to SecurityLab, the source code of operating system
CISCO IOS 12.3, 12.3t, which is used in the majority of Cisco network
devices has been stolen on May 13, 2004. The total volume of the stolen
information represents about 800MB in an archive file.

According to the information available to us, the leak of fragments of
the source code occurred because of a break-in into the corporate
network of Cisco System.

Representatives of Cisco System have not made any comments about the
break-in so far.

A person whose alias on *darknet@EFnet IRC is "franz" has given a small
parts of the source code (about 2.5 Mb) as proof.

Below are links to the first 100 first lines of source code of:

ipv6_tcp.c:
http://www.securitylab.ru/45222.html

ipv6_discovery_test.c:
http://www.securitylab.ru/45223.html

Alexei_Roudnev · May 16, 2004, 5:04am

Hmm, it's all interesting. EFnet IRC again...

Does anyone have a full logs of EFnet IRC conversations? We used to
participate in it 6 years ago (when fighting hackes in Russia),
and it was very useful for following trends (of course, after you dump a
heaps of junk).

Peter_Galbavy1 · May 16, 2004, 8:14am

Alexei Roudnev wrote:

Cisco source codes never were a top secret, many people around the
world had access to them (and I believe, it explains Cisco's
stability and success).

... and here is to hoping that Cisco don't try to use this incident, if it
gets coverage outside a narrow readership, as a marketing exercise to blame
coding error exploits on anyone but the company itself - unlike our friends
in Redmond.

Cisco have enough IPR to protect serious commercial exploitation of leaked
code in other ways.

Peter

Henry_Linneweh · May 16, 2004, 8:54am

You do not have to steal the code, you can buy a cisco
router from an equipment reseller and have all the
access you want.....

-Henry

Scott_Call1 · May 16, 2004, 8:02am

I wasn't aware you got a source license when you purchased Cisco gear. I
need to have a talk with my reseller...

smart-assitude aside, I do hope fallout is minimal and easily worked
around. Hopefully even the script kiddies and other black hats understand
that undermining the infrasture of the 'net would make all of their DDOS
and SPAM zombies unusable.

-S

Rob_Seastrom2 · May 16, 2004, 12:40pm

Scott Call <scall@devolution.com> writes:

smart-assitude aside, I do hope fallout is minimal and easily worked
around. Hopefully even the script kiddies and other black hats understand
that undermining the infrasture of the 'net would make all of their DDOS
and SPAM zombies unusable.

s/unusable/redundant/.

don't get your hopes up.

---rob

Todd_Vierling · May 16, 2004, 2:40pm

: > Cisco source codes never were a top secret, many people around the
: > world had access to them (and I believe, it explains Cisco's
: > stability and success).
:
: ... and here is to hoping that Cisco don't try to use this incident, if it
: gets coverage outside a narrow readership, as a marketing exercise to blame
: coding error exploits on anyone but the company itself - unlike our friends
: in Redmond.

Heh.

Might make for a good peer review, though. At least CSCO manages to put out
fixes after an exploit is released; MSFT tends to deny existence of the bug
for up to months before releasing a fix.

Alexei_Roudnev · May 17, 2004, 12:29am

I should not be too aware of the possible usage of this source code for the
exploit development; Cisco have a very few
points, where it parse/process IP packets, and most of such points are
filtered out in most Cisco's.

Much more serious is _trade secrets_ issue. Of course, no one can take this
codes and use them on their equipment, or grab library and reuse it. But,
unfortunately, Cisco's codes should have many small tricks, smart design
solutions and so on, which makes IOS so efficient, and this things can be
reused by competitors (unfortunately for Cisco, only a few West countries
respect author's rights, in other people are free to purchase this source
codes from the hacker and use as much as they do want).

(Of course, this leak can result in a few more SNMP exploits - but it is
well known Issue /it is impossible to write out safe code for ASN.1 parser,
in real world/ - what's a surprise!).

Erik_Parker · May 17, 2004, 8:07pm

smart-assitude aside, I do hope fallout is minimal and easily worked
around. Hopefully even the script kiddies and other black hats understand
that undermining the infrasture of the 'net would make all of their DDOS
and SPAM zombies unusable.

It's hard to say what the fallout would be, but really.. When
ios-11.2-8-src.tar.gz appeared online years ago.. What really happened with
that? Not too much, iirc.