North American Network Operators Group
Re: IOS Rootkit: the sky isn't falling (yet)
Interesting, thanks for the summary... until the presentation becomes available.

On Tue, May 27, 2008 at 3:03 AM, Nicolas FISCHBACH <[email protected]> wrote:

> I finally got to see Topo's presentation this week-end at PH-Neutral and discuss
> it with him and FX.
>
> Given that the slides aren't online yet [1], that Core hasn't published Topo's
> technical paper on their website [2] yet either, and that I'm done replying to
> direct inquiries about it [3], here's a summary of the IOS rootkit saga and its
> impact on the Service Provider community (from my point of view :)
>
> Topo spent a lot of time (and if you ever loaded an IOS image in IDA you know
> what I'm talking about) analyzing strings and functions in IOS. In his proof
> of concept he located the code doing the password check and adds a trampoline
> to his backdoor code (by saving parameters, gluing the two codes together,
> doing the "new" password check and returning properly to the main code path).
> Nice lesson on 101 hooking on IOS.
>
> The (oversimplified) modus operandi is pretty straightforward: take an image,
> decompress it, have his tool locate the function and later patch it, add his
> code by overwriting large strings, (re)compress the image and (re)calculate/fix
> the checksums. Pretty neat. The fact that he doesn't do basic binary patching
> makes the approach portable and not architecture, version or feature set
> specific.
>
> This image then needs to be uploaded to the router and the device needs to be
> reloaded. This backdoor is persistent (vs the old backdoor trick using the TCL
> shell [4] which wasn't - or if you want to turn it into a non-volatile one it
> was easy to detect as in clear text in the startup/running configuration).
>
> An alternative approach is to use gdb on the router (and combine it with a TCL
> script to make it easier) and patch on the fly. This is non-persistent, but
> some people don't want to leave traces as large as an IOS image behind :)
> Or another alternative approach: network boot the router via TFTP.
>
> At the end of the day this is nothing new from a rootkit technology point of
> view, but it's in the IOS/router world. He deserves credit to actually have
> researched this in depth and managed to make it work (it's much more difficult
> to achieve this on a mostly undocumented and large binary than on common OSes).
> Respect.
>
> What's the best way to actually test this when you don't have the HW, you ask?
> Dynamips [9] is the answer.
>
> As long as the rootkit isn't too advanced and e.g. also hooks the write/copy
> functions (e.g. an attacker could store the image diff on the system and play
> a "proper" memory dump or proper IOS back when you write core/copy to TFTP) then
> FX's CIR [7] is the forensics tool of choice. On platforms where the IOS image
> is stored on an external flash card forensics may be easier.
>
> Here's [8] a "screenshot" of CIR vs Topo.
>
> So what's the impact today? Topo's proof of concept doesn't bypass ACLs (rACLs,
> VTY ACLs), AAA, etc [yet], requires enable rights, a new image and a reload (or
> enable only if you do gdb-on-the-fly patching). In summary it's "noisy" and
> unless you bought the router on an auction site and/or download IOS from
> "alternative" sources you should notice (or probably deserve to get owned :)
>
> See the Cisco PSIRT response for best current practices on securing routers [10]
> and my old forensics presentation [3].
>
> In the past FX [5] and Mike Lynn [6] proved that code execution is doable.
> This is a different approach. Can it be combined? Probably. Is it much more
> complex? Yes. Is it going to be architecture specific? Probably.
>
> Future developments? I'm surprised people still focus on the IOS side of things
> and don't attack the bootrom code as it's smaller and usually never changed
> unless you bring in some new/unsupported hardware/features. IOS-XR is
> probably going to become a target too as it makes some of these things easier
> [11] but code signing may have to be broken/bypassed first. This has been done
> on other devices, so it's just one more layer to attack.
>
> An alternative rootkit? Privilege level 16 used by the Lawful Intercept [12]
> feature could be abused to do some of this too. Or the other way around: use a
> "patched" IOS to keep an eye on Law Enforcement's operations on the router as
> privilege level 15 doesn't allow it and the only alternative is to sniff the
> traffic export.
>
> I've probably missed some stuff (and got some stuff wrong), but this summary
> became way too long already and it's late. Feedback welcome!
>
> [1] Dragos should post them soon here: http://www.eusecwest.com/
> [2] Watch http://www.coresecurity.com/?module=ContentMod&action=news&id=papers
> [3] Google "IOS rootkit" used to return the presentation below as first hit
>     "Cisco Router Forensics" - http://www.securite.org/presentations/secip/
> [4] http://seclists.org/bugtraq/2007/Nov/0384.html
> [5] http://www.phenoelit-us.org/ultimaratio/index.html
>     http://www.milw0rm.com/exploits/77
> [6] http://cryptome.org/lynn-cisco.pdf
> [7] http://cir.recurity.com/
> [8] http://www.securite.org/nico/XP/CIRvsTopo.jpg
> [9] http://www.ipflow.utc.fr/index.php/Cisco_7200_Simulator
> [10] http://www.cisco.com/en/US/products/products_security_response09186a0080997783.html
> [11] http://lists.darklab.org/pipermail/darklab/2005-August/000029.html
> [12] http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/lawf_int.html
>
> Nico.
> --
> Nicolas FISCHBACH
> Senior Manager - Network Engineering/Security - COLT Telecom
> e:([email protected]) w:<http://www.securite.org/nico/>
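The summary above notes that the patching tool recalculates the image checksums, which is why the image's own embedded check tells an operator nothing. The following is an added Python illustration, not code from this thread or from Topo's or FX's tools: a toy embedded checksum that a fixed-up image still satisfies, beside the out-of-band comparison against a vendor-published hash that it fails. The checksum algorithm, the sample image bytes and the "published" hash are all constructed stand-ins.

```python
import hashlib
import struct

# Assumption: a toy 16-bit additive checksum standing in for the image's own
# embedded integrity check. It is NOT the real IOS checksum algorithm.
def internal_checksum(body: bytes) -> int:
    total = 0
    for i in range(0, len(body), 2):
        word = body[i:i + 2].ljust(2, b"\x00")
        total = (total + struct.unpack(">H", word)[0]) & 0xFFFF
    return (~total) & 0xFFFF

def build_image(body: bytes) -> bytes:
    """Append the checksum trailer, as an image builder (or a patching tool) does."""
    return body + struct.pack(">H", internal_checksum(body))

def internal_check_passes(image: bytes) -> bool:
    """What the device can verify on its own: does the trailer match the body?"""
    body, trailer = image[:-2], struct.unpack(">H", image[-2:])[0]
    return internal_checksum(body) == trailer

def external_check_passes(image: bytes, published_sha256: str) -> bool:
    """What the operator must verify: does the file match the vendor-published hash?"""
    return hashlib.sha256(image).hexdigest() == published_sha256

def audit(image: bytes, published_sha256: str) -> dict:
    """Both checks side by side; a tampered image shows internal_ok without hash_ok."""
    return {"internal_ok": internal_check_passes(image),
            "hash_ok": external_check_passes(image, published_sha256)}

# Constructed sample image: a fake password-check routine followed by a large
# string, the kind of padding the summary says the tool overwrites with its code.
GENUINE_BODY = b"\x7c\x08\x02\xa6" + b"check_password" + b"A" * 64
GENUINE_IMAGE = build_image(GENUINE_BODY)
PUBLISHED_SHA256 = hashlib.sha256(GENUINE_IMAGE).hexdigest()  # stand-in for the vendor's hash

# Constructed tampered image: the routine is hooked, the string region reused,
# and the trailer recomputed so the embedded check still passes.
TAMPERED_BODY = (GENUINE_BODY.replace(b"check_password", b"hook_password!")
                             .replace(b"A" * 64, b"B" * 64))
TAMPERED_IMAGE = build_image(TAMPERED_BODY)

if __name__ == "__main__":
    print("genuine :", audit(GENUINE_IMAGE, PUBLISHED_SHA256))
    print("tampered:", audit(TAMPERED_IMAGE, PUBLISHED_SHA256))
```

The practical takeaway is the same as the PSIRT guidance the summary points to: compare the installed image's hash against the value the vendor publishes, fetched from a trusted source, rather than trusting any check the image carries about itself.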