IOS Rootkit: the sky isn't falling (yet)

Christian christian at visr.org
Tue May 27 14:15:38 UTC 2008


Interesting, thanks for the summary... until the presentation becomes available.

On Tue, May 27, 2008 at 3:03 AM, Nicolas FISCHBACH <nicolist at securite.org> wrote:

> I finally got to see Topo's presentation this week-end at PH-Neutral and
> discussed it with him and FX.
>
> Given that the slides aren't online yet [1], that Core hasn't published
> Topo's technical paper on their website [2] yet either, and that I'm done
> replying to direct inquiries about it [3], here's a summary of the IOS
> rootkit saga and its impact on the Service Provider community (from my
> point of view :)
>
> Topo spent a lot of time (and if you ever loaded an IOS image in IDA you
> know what I'm talking about) analyzing strings and functions in IOS. In his
> proof of concept he located the code doing the password check and added a
> trampoline to his backdoor code (by saving parameters, gluing the two codes
> together, doing the "new" password check and returning properly to the main
> code path). Nice lesson on 101 hooking on IOS.
>
> The (oversimplified) modus operandi is pretty straightforward: take an
> image, decompress it, have his tool locate the function and later patch it,
> add his code by overwriting large strings, (re)compress the image and
> (re)calculate/fix the checksums. Pretty neat. The fact that he doesn't do
> basic binary patching makes the approach portable and not architecture,
> version or feature set specific.
>
> This image then needs to be uploaded to the router and the device needs to
> be reloaded. This backdoor is persistent (vs the old backdoor trick using
> the TCL shell [4] which wasn't - or, if you wanted to turn it into a
> non-volatile one, it was easy to detect as it was in clear text in the
> startup/running configuration).
>
> An alternative approach is to use gdb on the router (and combine it with a
> TCL script to make it easier) and patch on the fly. This is non-persistent,
> but some people don't want to leave traces as large as an IOS image
> behind :) Or another alternative approach: network boot the router via
> TFTP.
>
> At the end of the day this is nothing new from a rootkit technology point
> of view, but it's in the IOS/router world. He deserves credit to actually
> have researched this in depth and managed to make it work (it's much more
> difficult to achieve this on a mostly undocumented and large binary than
> on common OSes). Respect.
>
> What's the best way to actually test this when you don't have the HW, you
> ask? Dynamips [9] is the answer.
>
> As long as the rootkit isn't too advanced and e.g. also hooks the
> write/copy functions (e.g. an attacker could store the image diff on the
> system and play a "proper" memory dump or proper IOS back when you write
> core/copy to TFTP) then FX's CIR [7] is the forensics tool of choice. On
> platforms where the IOS image is stored on an external flash card forensics
> may be easier.
>
> Here's [8] a "screenshot" of CIR vs Topo.
>
> So what's the impact today? Topo's proof of concept doesn't bypass ACLs
> (rACLs, VTY ACLs), AAA, etc [yet], requires enable rights, a new image and
> a reload (or enable only if you do gdb-on-the-fly patching). In summary
> it's "noisy" and, unless you bought the router on an auction site and/or
> downloaded IOS from "alternative" sources, you should notice (or probably
> deserve to get owned :)
>
> See the Cisco PSIRT response for best current practices on securing
> routers [10] and my old forensics presentation [3].
>
> In the past FX [5] and Mike Lynn [6] proved that code execution is doable.
> This is a different approach. Can it be combined? Probably. Is it much
> more complex? Yes. Is it going to be architecture specific? Probably.
>
> Future developments? I'm surprised people still focus on the IOS side of
> things and don't attack the bootrom code as it's smaller and usually never
> changed unless you bring in some new/unsupported hardware/features. IOS-XR
> is probably going to become a target too as it makes some of these things
> easier [11] but code signing may have to be broken/bypassed first. This
> has been done on other devices, so it's just one more layer to attack.
>
> An alternative rootkit? Privilege level 16 used by the Lawful Intercept
> [12] feature could be abused to do some of this too. Or the other way
> around: use a "patched" IOS to keep an eye on Law Enforcement's operations
> on the router as privilege level 15 doesn't allow it and the only
> alternative is to sniff the traffic export.
>
> I've probably missed some stuff (and got some stuff wrong), but this
> summary became way too long already and it's late. Feedback welcome!
>
>  [1] Dragos should post them soon here: http://www.eusecwest.com/
>  [2] Watch http://www.coresecurity.com/?module=ContentMod&action=news&id=papers
>  [3] Google "IOS rootkit" used to return the presentation below as first hit:
>      "Cisco Router Forensics" - http://www.securite.org/presentations/secip/
>  [4] http://seclists.org/bugtraq/2007/Nov/0384.html
>  [5] http://www.phenoelit-us.org/ultimaratio/index.html
>      http://www.milw0rm.com/exploits/77
>  [6] http://cryptome.org/lynn-cisco.pdf
>  [7] http://cir.recurity.com/
>  [8] http://www.securite.org/nico/XP/CIRvsTopo.jpg
>  [9] http://www.ipflow.utc.fr/index.php/Cisco_7200_Simulator
> [10] http://www.cisco.com/en/US/products/products_security_response09186a0080997783.html
> [11] http://lists.darklab.org/pipermail/darklab/2005-August/000029.html
> [12] http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/lawf_int.html
>
> Nico.
> --
> Nicolas FISCHBACH
> Senior Manager - Network Engineering/Security - COLT Telecom
> e:(nico at securite.org) w:<http://www.securite.org/nico/>
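As an added, defender-side illustration (not code from Nico's post, from Topo's tool or from FX's CIR): the summary notes that the patched image is built by overwriting large strings and then fixing the checksums, so the cheapest checks an operator has are a hash baseline of the image recorded at install time and a diff of a suspect copy against a known-good one. The Python below does both on two constructed byte blobs that stand in for a trusted and a suspect image; the file name, the bytes and the overwritten string are invented for this example and are not real IOS data.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# --- Constructed sample data (not real IOS images) -------------------------
# A "trusted" image from a known-good source, and a "suspect" copy in which
# one large string constant has been overwritten with opaque bytes, the kind
# of edit the post describes. Every byte here is invented for the example.
COPYRIGHT = b"Copyright (c) 1986-2008 by Cisco Systems, Inc.\x00"

TRUSTED_IMAGE = (
    b"\x7fELF\x01\x02\x01\x00" + b"\x00" * 8
    + b"Password check failed for user %s on line %d\x00"
    + b"\xde\xad\xbe\xef" * 4
    + COPYRIGHT
    + b"\x00" * 16
    + b"%Bad passwords\x00"
)

# Same length as COPYRIGHT so every offset after the patch is unchanged.
_PATCH = (b"\x48\x31\xc0" * 20)[: len(COPYRIGHT)]
SUSPECT_IMAGE = TRUSTED_IMAGE.replace(COPYRIGHT, _PATCH)

# Hash baseline an operator records when the image is first installed.
# "c7200-example.bin" is a hypothetical file name.
BASELINE: Dict[str, str] = {
    "c7200-example.bin": hashlib.sha256(TRUSTED_IMAGE).hexdigest(),
}


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def matches_baseline(name: str, blob: bytes,
                     baseline: Dict[str, str] = BASELINE) -> bool:
    """Cheapest check: does the image pulled off the box still hash to the
    value recorded at install time? Unknown names never match."""
    return baseline.get(name) == sha256_hex(blob)


def extract_strings(blob: bytes, min_len: int = 8) -> List[bytes]:
    """Printable-ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{" + str(min_len).encode() + b",}")
    return pattern.findall(blob)


def string_diff(trusted: bytes, suspect: bytes,
                min_len: int = 8) -> Tuple[List[bytes], List[bytes]]:
    """Strings present in the trusted image but gone from the suspect
    (overwritten), and strings that only appear in the suspect (new)."""
    t = set(extract_strings(trusted, min_len))
    s = set(extract_strings(suspect, min_len))
    return sorted(t - s), sorted(s - t)


def diff_regions(trusted: bytes, suspect: bytes) -> List[Tuple[int, int]]:
    """Byte ranges [start, end) where two equal-length images differ; this
    is the 'image diff' a forensic tool would want to dump and disassemble."""
    if len(trusted) != len(suspect):
        raise ValueError("images differ in length; compare section by section")
    regions: List[Tuple[int, int]] = []
    start = None
    for i, (a, b) in enumerate(zip(trusted, suspect)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, len(trusted)))
    return regions


if __name__ == "__main__":
    print("baseline match:", matches_baseline("c7200-example.bin", SUSPECT_IMAGE))
    missing, added = string_diff(TRUSTED_IMAGE, SUSPECT_IMAGE)
    print("strings missing from suspect:", missing)
    print("strings only in suspect:", added)
    for start, end in diff_regions(TRUSTED_IMAGE, SUSPECT_IMAGE):
        print(f"modified bytes at {start:#x}..{end:#x} ({end - start} bytes)")
```

The caveat from the post applies unchanged: this only tells you something when the copy you hash was obtained by a path the rootkit does not control (the flash card read on another machine, or a TFTP copy from a box whose copy functions are not hooked). If the write/copy functions have been hooked, the image you get back hashes clean, which is why a memory-side tool like CIR is the next step rather than an optional one.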
