I finally got to see Topo's presentation this week-end at PH-Neutral and discuss it with him and FX. Given that the slides aren't online yet [1], that Core hasn't published Topo's technical paper on their website [2] yet either, and that I'm done replying to direct inquiries about it [3], here's a summary of the IOS rootkit saga and its impact on the Service Provider community (from my point of view :)

Topo spent a lot of time (and if you ever loaded an IOS image in IDA you know what I'm talking about) analyzing strings and functions in IOS. In his proof of concept he located the code doing the password check and added a trampoline to his backdoor code (by saving parameters, gluing the two pieces of code together, doing the "new" password check and returning properly to the main code path). Nice lesson on 101 hooking on IOS.

The (oversimplified) modus operandi is pretty straightforward: take an image, decompress it, have his tool locate the function and later patch it, add his code by overwriting large strings, (re)compress the image and (re)calculate/fix the checksums. Pretty neat. The fact that he doesn't do basic binary patching makes the approach portable and not architecture, version or feature set specific. This image then needs to be uploaded to the router and the device needs to be reloaded.

This backdoor is persistent (vs. the old backdoor trick using the TCL shell [4], which wasn't - or if you wanted to turn it into a non-volatile one it was easy to detect, as it was in clear text in the startup/running configuration). An alternative approach is to use gdb on the router (and combine it with a TCL script to make it easier) and patch on the fly. This is non-persistent, but some people don't want to leave traces as large as an IOS image behind :) Or another alternative approach: network boot the router via TFTP. At the end of the day this is nothing new from a rootkit technology point of view, but it's in the IOS/router world.
He deserves credit for actually having researched this in depth and managing to make it work (it's much more difficult to achieve this on a mostly undocumented and large binary than on common OSes). Respect.

What's the best way to actually test this when you don't have the HW, you ask? Dynamips [9] is the answer.

As long as the rootkit isn't too advanced and doesn't e.g. also hook the write/copy functions (e.g. an attacker could store the image diff on the system and play a "proper" memory dump or proper IOS back when you write core/copy to TFTP), FX's CIR [7] is the forensics tool of choice. On platforms where the IOS image is stored on an external flash card forensics may be easier. Here's [8] a "screenshot" of CIR vs Topo.

So what's the impact today? Topo's proof of concept doesn't bypass ACLs (rACLs, VTY ACLs), AAA, etc. [yet], requires enable rights, a new image and a reload (or enable only if you do gdb-on-the-fly patching). In summary it's "noisy", and unless you bought the router on an auction site and/or download IOS from "alternative" sources you should notice (or probably deserve to get owned :) See the Cisco PSIRT response for best current practices on securing routers [10] and my old forensics presentation [3].

In the past FX [5] and Mike Lynn [6] proved that code execution is doable. This is a different approach. Can it be combined? Probably. Is it much more complex? Yes. Is it going to be architecture specific? Probably.

Future developments? I'm surprised people still focus on the IOS side of things and don't attack the bootrom code, as it's smaller and usually never changed unless you bring in some new/unsupported hardware/features. IOS-XR is probably going to become a target too as it makes some of these things easier [11], but code signing may have to be broken/bypassed first. This has been done on other devices, so it's just one more layer to attack.

An alternative rootkit?
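Since the patched image overwrites strings in place and gets its checksums recalculated, neither the file size nor the image's own checksum gives it away; the check that does is comparing the file against a hash obtained out of band (vendor download page, not the same place the image came from). The following is an added example of that offline check, not code from the post or from CIR; the manifest format, image name and image bytes are all constructed for illustration.

```python
#!/usr/bin/env python3
"""Offline integrity check of IOS image files against out-of-band hashes."""
import hashlib

IMAGE_NAME = "c7200-example-mz.bin"  # constructed name, not a real image

# Constructed stand-ins for a pristine image and the same image after an
# in-place string overwrite: identical length, different content.
PRISTINE_IMAGE = b"IOS-HEADER" + b"Password check failed\x00" + b"\x00" * 16
PATCHED_IMAGE = b"IOS-HEADER" + b"PATCHED-CODE-BYTES\x00\x00\x00\x00" + b"\x00" * 16


def build_manifest(text):
    """Parse constructed 'algo hexdigest filename' lines into a dict."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        algo, digest, name = line.split(None, 2)
        manifest[name] = (algo.lower(), digest.lower())
    return manifest


def digest_of(data, algo):
    """Hex digest of data with the named hashlib algorithm (md5, sha256...)."""
    return hashlib.new(algo, data).hexdigest()


def verify_image(name, data, manifest):
    """Return a dict whose 'verdict' is 'ok', 'MODIFIED' or 'UNKNOWN'."""
    if name not in manifest:
        return {"verdict": "UNKNOWN", "reason": "no published hash for this image"}
    algo, expected = manifest[name]
    actual = digest_of(data, algo)
    verdict = "ok" if actual == expected else "MODIFIED"
    return {"verdict": verdict, "algo": algo, "expected": expected, "actual": actual}


# Constructed manifest: in practice copied from the vendor's download page.
MANIFEST = build_manifest("sha256 %s %s\n" % (digest_of(PRISTINE_IMAGE, "sha256"), IMAGE_NAME))


def check_all():
    """Check both constructed images; size is reported to show it does not change."""
    results = {}
    for label, data in (("pristine", PRISTINE_IMAGE), ("patched", PATCHED_IMAGE)):
        result = verify_image(IMAGE_NAME, data, MANIFEST)
        result["size"] = len(data)
        results[label] = result
    return results


if __name__ == "__main__":
    for label, r in check_all().items():
        print("%-8s size=%d verdict=%s" % (label, r["size"], r["verdict"]))
```

For a real image, read the file in binary mode and pass its bytes to verify_image with the vendor's published digest in the manifest.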
Privilege level 16 used by the Lawful Intercept [12] feature could be abused to do some of this too. Or the other way around: use a "patched" IOS to keep an eye on Law Enforcement's operations on the router, as privilege level 15 doesn't allow it and the only alternative is to sniff the traffic export.

I've probably missed some stuff (and got some stuff wrong), but this summary became way too long already and it's late. Feedback welcome!

[1] Dragos should post them soon here: http://www.eusecwest.com/
[2] Watch http://www.coresecurity.com/?module=ContentMod&action=news&id=papers
[3] Google "IOS rootkit" used to return the presentation below as first hit: "Cisco Router Forensics" - http://www.securite.org/presentations/secip/
[4] http://seclists.org/bugtraq/2007/Nov/0384.html
[5] http://www.phenoelit-us.org/ultimaratio/index.html and http://www.milw0rm.com/exploits/77
[6] http://cryptome.org/lynn-cisco.pdf
[7] http://cir.recurity.com/
[8] http://www.securite.org/nico/XP/CIRvsTopo.jpg
[9] http://www.ipflow.utc.fr/index.php/Cisco_7200_Simulator
[10] http://www.cisco.com/en/US/products/products_security_response09186a00809977...
[11] http://lists.darklab.org/pipermail/darklab/2005-August/000029.html
[12] http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/lawf_int.html

Nico.

--
Nicolas FISCHBACH
Senior Manager - Network Engineering/Security - COLT Telecom
e:(nico@securite.org) w:<http://www.securite.org/nico/>