[NANOG] IOS rootkits
At the upcoming EusecWest Sebastian Muniz will apparently unveil an IOS rootkit. skip below for the news item itself. We've had discussions on this before, here and elsewhere. I've been heavily attacked on the subject of considering router security as an issue when compared to routing security. I have a lot to say about this, looking into this threat for a few years now and having engaged different organizations within Cisco on the subject in the past. Due to what I refer to as an "NDA of honour" I will just relay the following until it is "officially" public, then consider what should be made public, including: 1. Current defense startegies possible with Cisco gear 2. Third party defense strategies (yes, they now exist) 2. Cisco response (no names or exact quotes will likely be given) 3. A bet on when such a rootkit would be public, and who won it (participants are.. "relevant people"). From: http://www.networkworld.com/news/2008/051408-hacker-writes-rootkit-for-cisco... "A security researcher has developed malicious rootkit software for Cisco's routers, a development that has placed increasing scrutiny on the routers that carry the majority of the Internet's traffic. Sebastian Muniz, a researcher with Core Security Technologies, developed the software, which he will unveil on May 22 at the EuSecWest conference in London. " Gadi Evron.
Gadi, Please try to keep the self-promotion to a minimum, and come back when you have meaningful data to share with operators. Examples would include a list of affected platforms and code revisions, as well as preventative measures. Thank you, Paul On Fri, May 16, 2008 at 9:06 PM, Gadi Evron <ge@linuxbox.org> wrote:
At the upcoming EusecWest Sebastian Muniz will apparently unveil an IOS rootkit. skip below for the news item itself.
We've had discussions on this before, here and elsewhere. I've been heavily attacked on the subject of considering router security as an issue when compared to routing security.
I have a lot to say about this, looking into this threat for a few years now and having engaged different organizations within Cisco on the subject in the past. Due to what I refer to as an "NDA of honour" I will just relay the following until it is "officially" public, then consider what should be made public, including:
1. Current defense startegies possible with Cisco gear 2. Third party defense strategies (yes, they now exist) 2. Cisco response (no names or exact quotes will likely be given) 3. A bet on when such a rootkit would be public, and who won it (participants are.. "relevant people").
From: http://www.networkworld.com/news/2008/051408-hacker-writes-rootkit-for-cisco...
"A security researcher has developed malicious rootkit software for Cisco's routers, a development that has placed increasing scrutiny on the routers that carry the majority of the Internet's traffic.
Sebastian Muniz, a researcher with Core Security Technologies, developed the software, which he will unveil on May 22 at the EuSecWest conference in London. "
Gadi Evron.
_______________________________________________ NANOG mailing list NANOG@nanog.org http://mailman.nanog.org/mailman/listinfo/nanog
On Fri, 16 May 2008, Paul Wall wrote:
Gadi,
Please try to keep the self-promotion to a minimum, and come back when you have meaningful data to share with operators.
Examples would include a list of affected platforms and code revisions, as well as preventative measures.
Name on the door, money to be sent via paypal. I will sign my playgirl cover for 5 USD each. This is operational, and it is about me saying "na na na na na, na na na na na na" to a discussion from two years ago. I have every intention to gloat, but I will keep it to a minimum. Yes? Gadi.
On Fri, May 16, 2008 at 9:06 PM, Gadi Evron <ge@linuxbox.org> wrote:
At the upcoming EusecWest Sebastian Muniz will apparently unveil an IOS rootkit. skip below for the news item itself.
We've had discussions on this before, here and elsewhere. I've been heavily attacked on the subject of considering router security as an issue when compared to routing security.
I have a lot to say about this, looking into this threat for a few years now and having engaged different organizations within Cisco on the subject in the past. Due to what I refer to as an "NDA of honour" I will just relay the following until it is "officially" public, then consider what should be made public, including:
1. Current defense startegies possible with Cisco gear 2. Third party defense strategies (yes, they now exist) 2. Cisco response (no names or exact quotes will likely be given) 3. A bet on when such a rootkit would be public, and who won it (participants are.. "relevant people").
From: http://www.networkworld.com/news/2008/051408-hacker-writes-rootkit-for-cisco...
"A security researcher has developed malicious rootkit software for Cisco's routers, a development that has placed increasing scrutiny on the routers that carry the majority of the Internet's traffic.
Sebastian Muniz, a researcher with Core Security Technologies, developed the software, which he will unveil on May 22 at the EuSecWest conference in London. "
Gadi Evron.
_______________________________________________ NANOG mailing list NANOG@nanog.org http://mailman.nanog.org/mailman/listinfo/nanog
The question this presentation begs for me... is how many of the folks on this list do integrity checking on their routers? You can no longer say this isn't necessary :-). I know FX and a few others are working on toolsets for this... I'll probably have other comments after I see the presentation. This development has all sort of implications for binary signing requirements, etc... cheers, --dr -- World Security Pros. Cutting Edge Training, Tools, and Techniques London, U.K. May 21/22 - 2008 http://cansecwest.com pgpkey http://dragos.com/ kyxpgp
Wouldn't this level of verification/authentication of running code be a pretty trivial function via RANCID or similar tool? I understand *why* we are worried about rootkits on individual servers. On essentially "closed" platforms this isn't going to be rocket science. It may seem odd by today's BCPs, but booting up from "golden" images via write-protected hardware or TFTP or similar is pretty straightforward -- especially for those of us who run large server farms. A POP or node could certainly keep a few servers around that are a permanent repository of these items for all the devices that get images. If you can't trust the boot rom, well, that's an entirely separate matter. I think the issue with rootkits whether server or embedded device is more about infection vector than the maliciousness that could be caused AFTER a compromise has occurred. Deepak Jain Dragos Ruiu wrote:
The question this presentation begs for me... is how many of the folks on this list do integrity checking on their routers?
You can no longer say this isn't necessary :-).
I know FX and a few others are working on toolsets for this...
I'll probably have other comments after I see the presentation. This development has all sort of implications for binary signing requirements, etc...
cheers, --dr
-- World Security Pros. Cutting Edge Training, Tools, and Techniques London, U.K. May 21/22 - 2008 http://cansecwest.com pgpkey http://dragos.com/ kyxpgp
_______________________________________________ NANOG mailing list NANOG@nanog.org http://mailman.nanog.org/mailman/listinfo/nanog
I understand *why* we are worried about rootkits on individual servers. On essentially "closed" platforms this isn't going to be rocket science. It may seem odd by today's BCPs, but booting up from "golden" images via write-protected hardware or TFTP or similar is pretty straightforward
Since todays bootstrap codes are in EEPROM (or equivalent), if you get "root" once, you can have "root" forever. Faking file system content (and real time replacing of code) is the core of any current (good) Linux/Mac/Windows rootkit. Cisco/Juniper/Force10/whatever is just another platform to do the same if you can replace the bootstrap. Modular IOS might even make it easier to do dynamic code insertion. There are platforms (Xbox?, Tivo?, etc.) that try to do cryptographic validation of the code they are loading. Network devices are not yet doing a true cryptograhic validation as far as I know, although one could imagine that that might be a next step to protect against that specific threat (although I seem to recall that bypassing the Xbox validations only took a few months, so it is harder than it first appears to get right). Gary
Buhrmaster, Gary wrote:
I understand *why* we are worried about rootkits on individual servers. On essentially "closed" platforms this isn't going to be rocket science. It may seem odd by today's BCPs, but booting up from "golden" images via write-protected hardware or TFTP or similar is pretty straightforward
Since todays bootstrap codes are in EEPROM (or equivalent), if you get "root" once, you can have "root" forever. Faking file system content (and real time replacing of code) is the core of any current (good) Linux/Mac/Windows rootkit. Cisco/Juniper/Force10/whatever is just another platform to do the same if you can replace the bootstrap. Modular IOS might even make it easier to do dynamic code insertion.
There are platforms (Xbox?, Tivo?, etc.) that try to do cryptographic validation of the code they are loading. Network devices are not yet doing a true cryptograhic validation as far as I know, although one could imagine that that might be a next step to protect against that specific threat (although I seem to recall that bypassing the Xbox validations only took a few months, so it is harder than it first appears to get right).
I think that is exactly the point. Once a box has been thoroughly compromised, its almost impossible to bring it back to a "known, good" state without a complete (reformat). In the case of embedded HW, that may include wiping/rewriting the EEPROMs to a known good state. I don't think this is going to be outside of the purview of Network Operators for very long, no matter what the case. Anti-virii and such are somewhat interesting in the end-system model, but when downtimes need to be scheduled significantly in advance for network operations you either a) prevent infection by much tighter controls at the get-go or b) provide a high-trust way to keep the systems in a known good-state. This, of course, assumes true "bugs" are kept to a minimum. It does raise significant security concerns for those networks that have employees/contractors/etc with turn-over that could leave a parting "gift" in their respective networks. Changing passwords isn't really sufficient anymore. DJ
On Mon, 19 May 2008, Deepak Jain wrote:
Wouldn't this level of verification/authentication of running code be a pretty trivial function via RANCID or similar tool?
Absolutely, and it actually makes sense. The problem though is that it is one again an escalation war and counter-inventions keep happening. RANCID will connect remotely and use the local tools to get results, these local tools or their esults can be altered.
I understand *why* we are worried about rootkits on individual servers. On essentially "closed" platforms this isn't going to be rocket science. It may seem odd by today's BCPs, but booting up from "golden" images via write-protected hardware or TFTP or similar is pretty straightforward -- especially for those of us who run large server farms.
That is a neat idea, you mean something like a magic card? Well, the rootkit could still hide in memory, or heck, on the video card if it likes. While XR is not implemented your best bet is reflashing with an updated version, screws up the memory allocations which is apparently a difficult problem to overcome.
A POP or node could certainly keep a few servers around that are a permanent repository of these items for all the devices that get images.
If you can't trust the boot rom, well, that's an entirely separate matter.
I think the issue with rootkits whether server or embedded device is more about infection vector than the maliciousness that could be caused AFTER a compromise has occurred.
Here is very much disagree with you. Imagine what you can do with a Trojan horse on a computer, say a server. You could, in effective terms, use it as your own. You'd own it. The same is true for a router. You could sniff the network, steal traffic, use it as a bridge to connect to potnetially any part of your network, hide traffic, etc. The potential for attackrs is almosy "cool". Gadi.
Deepak Jain
Dragos Ruiu wrote:
The question this presentation begs for me... is how many of the folks on this list do integrity checking on their routers?
You can no longer say this isn't necessary :-).
I know FX and a few others are working on toolsets for this...
I'll probably have other comments after I see the presentation. This development has all sort of implications for binary signing requirements, etc...
cheers, --dr
-- World Security Pros. Cutting Edge Training, Tools, and Techniques London, U.K. May 21/22 - 2008 http://cansecwest.com pgpkey http://dragos.com/ kyxpgp
_______________________________________________ NANOG mailing list NANOG@nanog.org http://mailman.nanog.org/mailman/listinfo/nanog
IIRC, the toolkit(s) can only be installed once having priv 15 on the device. If this is the case, the practicality of this is...well...not that significant. I do think the significance is that we are getting closer and closer to treating infrastructure devices as end stations with respect to susceptibility. Looking forward to seeing all the details. Gadi, have fun :) tv ----- Original Message ----- From: "Gadi Evron" <ge@linuxbox.org> To: <nanog@merit.edu> Sent: Friday, May 16, 2008 8:06 PM Subject: [NANOG] IOS rootkits
At the upcoming EusecWest Sebastian Muniz will apparently unveil an IOS rootkit. skip below for the news item itself.
We've had discussions on this before, here and elsewhere. I've been heavily attacked on the subject of considering router security as an issue when compared to routing security.
I have a lot to say about this, looking into this threat for a few years now and having engaged different organizations within Cisco on the subject in the past. Due to what I refer to as an "NDA of honour" I will just relay the following until it is "officially" public, then consider what should be made public, including:
1. Current defense startegies possible with Cisco gear 2. Third party defense strategies (yes, they now exist) 2. Cisco response (no names or exact quotes will likely be given) 3. A bet on when such a rootkit would be public, and who won it (participants are.. "relevant people").
From: http://www.networkworld.com/news/2008/051408-hacker-writes-rootkit-for-cisco...
"A security researcher has developed malicious rootkit software for Cisco's routers, a development that has placed increasing scrutiny on the routers that carry the majority of the Internet's traffic.
Sebastian Muniz, a researcher with Core Security Technologies, developed the software, which he will unveil on May 22 at the EuSecWest conference in London. "
Gadi Evron.
_______________________________________________ NANOG mailing list NANOG@nanog.org http://mailman.nanog.org/mailman/listinfo/nanog
participants (6)
-
Buhrmaster, Gary
-
Deepak Jain
-
Dragos Ruiu
-
Gadi Evron
-
Paul Wall
-
Tony Varriale