[c-nsp] IOS Rookit: the sky isn't falling (yet)

Nicolas FISCHBACH nicolist at securite.org
Tue May 27 03:11:06 EDT 2008


I finally got to see Topo's presentation this week-end at PH-Neutral and discuss
it with him and FX.

Given that the slides aren't online yet [1], that Core hasn't published Topo's
technical paper on their website [2] yet either, and that I'm done replying to
direct inquiries about it [3], here's a summary of the IOS rootkit saga and its
impact on the Service Provider community (from my point of view :)

Topo spent a lot of time (and if you ever loaded an IOS image in IDA you know
what I'm talking about) analyzing strings and functions in IOS. In his proof
of concept he located the code doing the password check and adds a trampoline
to his backdoor code (by saving paramaters, glueing the two codes together,
doing the "new" password check and returning properly to the main code path).
Nice lesson on 101 hooking on IOS.

The (oversimplified) modus operandi is pretty straight forward: take an image,
decompress it, have his tool locate the function and later patch it, add his
code by overwriting large strings, (re)compress the image and (re)calculate/fix
the checksums. Pretty neat. The fact that he doesn't do basic binary patching
makes the approach portable and not architecture, version or feature set
specific.

This image then needs to be uploaded to the router and the device need to be
reloaded. This backdoor is persistent (vs the old backdoor trick using the TCL
shell [4] which wasn't - or if you want to turn it into a non-volatile one it
was easy to detect as in clear text in the startup/running configuration).

An alternative approach is to use gdb on the router (and combine it with a TCL
script to make it easier) and patch on the fly. This is non-persistent, but
some people don't wan't to leave traces as large as an IOS image behind :)
Or another alternative approach: network boot the router via TFTP.

At the end of the day this is nothing new from a rootkit technology point of
view, but it's in the IOS/router world. He deserves credit to actually have
researched this in deep and managed to make it work (it's much more difficult
to achieve this on a mostly undocumented and large binary than on common OSes).
Respect.

What's the best way to actually test this when you don't have the HW you ask ?
Dynamips [9] is the answer.

As long as the rootkit isn't too advanced and e.g. also hooks the write/copy
functions (e.g. an attacker could store the image diff on the system and play
a "proper" memory dump or proper IOS back when you write core/copy to TFTP) then
FX's CIR[7] is the forensics tool of choice. On platforms where the IOS image
is stored on an external flash card forensics may be easier.

Here's [8] a "screenshot" of CIR vs Topo.

So what's the impact today ? Topo's proof of concept doesn't bypass ACLs (rACLs,
VTY ACLs), AAA, etc [yet], requires enable rights, a new image and a reload (or
enable only if you do gdb-on-the-fly patching). In summary it's "noisy" and
unless you bought the router on an auction site and/or download IOS from
"alternative" sources) you should notice (or probably deserve to get owned :)

See the Cisco PSIRT response for best current practices on securing routers [10]
and my old forensics presentation [3].

In the past FX [5] and Mike Lynn [6] proved that code execution is doable.
This is a different approach. Can it be combined ? Probably. It is much more
complex ? Yes. Is it going to be architecture specific ? Probably.

Future developments ? I'm surprised people still focus on the IOS side of things
and don't attack the bootrom code as it's smaller and usually never changed
unless you bring in some new/unsupported hardware/features. IOS-XR is
probably going to become a target too as it makes some of these things easier
[11] but code signing may have to be broken/bypassed first. This has been done
on other devices, so it's just one more layer to attack.

An alternative rootkit ? Privilege level 16 used by the Lawful Intercept [12]
feature could be abused to do some of this too. Or the other way around: use a
"patched" IOS to keep an eye on Law Enforcement's operations on the router as
privilege level 15 doesn't allow it and the only alternative is to sniff the
traffic export.

I've probably missed some stuff (and got some stuff wrong), but this summary
became way too long already and it's late. Feedback welcome!

  [1] Dragos should post them soon here: http://www.eusecwest.com/
  [2] Watch http://www.coresecurity.com/?module=ContentMod&action=news&id=papers
  [3] Google "IOS rootkit" used to return the presentation below as first hit
      "Cisco Router Forensics" - http://www.securite.org/presentations/secip/
  [4] http://seclists.org/bugtraq/2007/Nov/0384.html
  [5] http://www.phenoelit-us.org/ultimaratio/index.html
      http://www.milw0rm.com/exploits/77
  [6] http://cryptome.org/lynn-cisco.pdf
  [7] http://cir.recurity.com/
  [8] http://www.securite.org/nico/XP/CIRvsTopo.jpg
  [9] http://www.ipflow.utc.fr/index.php/Cisco_7200_Simulator
[10]
http://www.cisco.com/en/US/products/products_security_response09186a0080997783.html
[11] http://lists.darklab.org/pipermail/darklab/2005-August/000029.html
[12] http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/lawf_int.html

Nico.
-- 
Nicolas FISCHBACH
Senior Manager - Network Engineering/Security - COLT Telecom
e:(nico at securite.org) w:<http://www.securite.org/nico/>


More information about the cisco-nsp mailing list