Saturday, November 03, 2007

Hacking Vyatta (or is there any interesting router vuln work to be done 2008?)

In one month I will be clean. Straight. Sober. No vuln work for a year. A year ago I was struggling to finish up the ICCP vulnerability paper I presented at S4, although I've been tempted a few times in 2007. Like before Fortify released their JavaScript Hijacking paper, I was sort of interested in JSON and JSON-RPC.

And yesterday there was this absolutely silly Network World article on Vyatta (a Linux-based open router platform -- I have another blog entry on Vyatta in progress, we'll see if I ever complete it), but as I was walking with my kids to the park I struggled to come up with anything interesting. After FX, after the BGP work Sean Convery and I did, after "Slipping in the Window," after Mike Lynn, after Gadi Evron's routesec list, after whatever Raven Alder was trying to accomplish with her ShmooCon talk, I'm not sure of the point. (NOTE: the last two I list as efforts that might show that the field is played out, exhausted, that there isn't much to be done.)

What can (or should) be done security/vuln-wise for commodity routing and switching features? Sure, you could fuzz/audit all the Quagga (or whatever they use) protocols and there are probably some more bugs to be found -- just like there probably are in IOS protocol implementations. If they mucked with lower layer (TCP/IP) protocols, well, you could look at that. Yawn! And their web interface is an obvious (but also boring) target. Privilege escalation from within the CLI, maybe? We never had much time for post-auth stuff back in the day. Automated CLI testing (and fuzzing?) seems sort of interesting, if only because it wouldn't be protocol work. If they really had some virtualization features (like Cisco's) that might be worth looking at, but just running in VMware? Come on guys! I dunno, maybe there is something to look at in their HA features like their VPN clustering technology or their "protocol sandboxing" (assuming that doesn't just mean each protocol is running as a separate Linux process). Who knows? Maybe I'm just not being creative enough.
