IOS Rootkit: the sky isn't falling (yet)

Adrian Chadd adrian at creative.net.au
Tue May 27 17:13:20 UTC 2008


On Tue, May 27, 2008, Valdis.Kletnieks at vt.edu wrote:

> There's basically 2 classes of Cisco routers out there:
> 
> 1) Ones managed by Jared and similarly clued people, who can quite rightfully
> yawn because the specter of "IOS rootkits" changes nothing in their actual
> threat model - they put stuff in place 3 years ago to mitigate "Lynn-style IOS
> pwnage", and it will stop this just as well.  Move along, nothing to see.
> 
> 2) Ones managed by unclued people.  And quite frankly, if Lynn didn't wake
> them up 3 years ago, this isn't going to wake them up either.  Move along,
> nothing new to see here either.
> 
> "60% of routers run by bozos who shouldn't have enable. Film at 11".

Bloody network people, always assuming their network security stops at
their router.

So now that someone's done the hard lifting to backdoor an IOS binary,
and I'm assuming you all either upgrade by downloading from the cisco.com
website or maintain a set of your own images somewhere, all one needs
to do is insert themselves into -that- path and you're screwed.

Hijacking prefixes isn't hard. That was presented at the same security
conference.

Cracking a UNIX/Windows management/FTP/TFTP host isn't impossible - how
many large networks have their server infrastructure run by different
people to their network infrastructure? Lots and lots? :)

Sure, it's not all fire and brimstone, but the bar -was- dropped a little,
and somehow you need to make sure that the IOS that's sitting on your
network management site is indeed the IOS that you put there in the
first place.

Adrian
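One way to do what the post asks for, i.e. confirm that the image on the management/TFTP host is still the one you staged, is to pin a digest of every image at upload time and re-check later. The script below is an added example, not code from the original post or from Cisco: it records SHA-256 digests of a staging directory, seals the manifest with an HMAC whose key is assumed to live somewhere other than the TFTP host, and then reports files that were modified, removed or added. The directory layout, file names, key and contents are all constructed for the demo.

```python
"""Pin staged IOS images at upload time and re-verify them later.

Added example, not from the original post or from Cisco. Assumes the images
sit in one directory on the management/TFTP host and that the HMAC key is
kept elsewhere (offline or on a box the network team controls).
"""
import hashlib
import hmac
import json
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB pieces so large images are not slurped into RAM


def file_digest(path, algo="sha256"):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for piece in iter(lambda: f.read(CHUNK), b""):
            h.update(piece)
    return h.hexdigest()


def build_manifest(image_dir):
    """Digest every file under image_dir: {relative path: sha256 hex}."""
    entries = {}
    for root, _dirs, files in os.walk(image_dir):
        for name in sorted(files):
            full = os.path.join(root, name)
            rel = os.path.relpath(full, image_dir).replace(os.sep, "/")
            entries[rel] = file_digest(full)
    return entries


def seal_manifest(entries, key):
    """Serialize the manifest and MAC it; the key must never sit next to the images."""
    body = json.dumps(entries, sort_keys=True).encode()
    mac = hmac.new(key, body, "sha256").hexdigest()
    return json.dumps({"entries": entries, "mac": mac}, sort_keys=True)


def open_manifest(blob, key):
    """Reject a manifest whose entries were edited after it was sealed."""
    doc = json.loads(blob)
    body = json.dumps(doc["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, doc["mac"]):
        raise ValueError("manifest MAC mismatch: the manifest itself was altered")
    return doc["entries"]


def verify_images(image_dir, pinned):
    """Compare the directory's current state to the pinned digests.

    Returns {relative path: "ok" | "modified" | "missing" | "unexpected"}.
    """
    current = build_manifest(image_dir)
    report = {}
    for rel, digest in pinned.items():
        if rel not in current:
            report[rel] = "missing"
        elif not hmac.compare_digest(current[rel], digest):
            report[rel] = "modified"
        else:
            report[rel] = "ok"
    for rel in current:
        if rel not in pinned:
            report[rel] = "unexpected"
    return report


def demo():
    """Constructed scenario: stage two fake images, seal the manifest, then do what
    an intruder on the TFTP host would (patch one image, drop in another) and
    finally try to edit the manifest to cover it up."""
    key = b"constructed demo key - keep the real one off the TFTP host"
    with tempfile.TemporaryDirectory() as d:
        for name, filler in (("router-a.bin", b"A"), ("router-b.bin", b"B")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"\x7fELF" + filler * 4096)  # constructed bytes, not a real image
        sealed = seal_manifest(build_manifest(d), key)

        # Tamper: flip one byte deep inside router-a.bin and add a file nobody staged.
        with open(os.path.join(d, "router-a.bin"), "r+b") as f:
            f.seek(2048)
            f.write(b"Z")
        with open(os.path.join(d, "extra.bin"), "wb") as f:
            f.write(b"not ours")

        report = verify_images(d, open_manifest(sealed, key))

        # Cover-up attempt: rewrite the pinned digest for router-a.bin to the new value.
        doc = json.loads(sealed)
        doc["entries"]["router-a.bin"] = file_digest(os.path.join(d, "router-a.bin"))
        try:
            open_manifest(json.dumps(doc), key)
            cover_up_caught = False
        except ValueError:
            cover_up_caught = True
    return {"report": report, "cover_up_caught": cover_up_caught}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The MAC matters more than the hashing: a plain list of checksums stored beside the images is exactly what an intruder with a shell on the FTP/TFTP host would edit along with the image. Run the verify step from a different host, on a schedule, and compare the pinned digest against the checksum published with the image when you first stage it, so the manifest is not just recording whatever landed on the box.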

More information about the NANOG mailing list