Sunday, July 12, 2009

Cisco IOS: The Geometry of varying Threats

Cisco, as a leader in the networking market, has produced several routing platforms that are used all over the world. These devices have been part of the Internet core, government organizations, service providers and corporate networks for a decade. All of these devices basically run the same operating system, called "Cisco IOS". Cisco IOS is a monolithic operating system with three dimensions of complexity: platform-dependent code, feature-set dependency, and major or minor version-dependent code. It is compiled as a single ELF binary and runs directly on the CPU. There is no virtual memory allocated per process, critical events are handled through interrupts, and data structures are global.

A glance at the security issues shows that IOS is written in plain C, with transactions, the heap, data structures and pointers all sharing the same address space. From a technical point of view, everything present in IOS can be a prime target for remote code execution exploits running in kernel context. Let's take some examples and real-world scenarios available in the public domain.

IOS rootkits
Binary Modification Rootkits
These are similar to other available rootkits. Their major function is to modify the binary code to implement a backdoor and allow unauthorized access for a malicious adversary. There are three types of binary modification:
1. Image Modification
2. Runtime Patching
3. Boot Patching

TCL Backdoors
Cisco IOS supports a TCL interpreter, so a small TCL script can be used to bind an open TCP port for a backdoor connection.

Revealing IOS Rootkits
Flash File System
Obtain a copy of the modified IOS image stored on the router's flash or on an FTP/TFTP server. Its integrity can then be checked by comparing its MD5 sum against one from a known good source.
  • Router# show flash
  • Router# copy flash:cxxx0-ipbase-mz.124-11.T.bin ftp
NVRAM
Knowing the configuration changes written to NVRAM can help an investigator reveal a security incident.
  • Router# show startup-config

IOS Exploits
Several exploits have been published in the public domain. They can be found at the following links:

- IOS TFTP server heap overflow exploit (http://cir.recurity.com/wiki/PhenoelitTFTP.ashx)
- IOS OSPF neighbor array overflow exploit (http://cir.recurity.com/wiki/PhenoelitOspf.ashx)
- IOS HTTP server URL length integer overflow exploit (http://cir.recurity.com/wiki/PhenoelitHttp.ashx)
- IOS FTP server MKD command overflow exploit (http://cir.recurity.com/wiki/AndyDavisFTP.ashx)
- IOS VTP missing details DoS (http://cir.recurity.com/wiki/ShowRunVTP.ashx)
- Shellcode that attempts to find IOS functions to execute (http://seclists.org/fulldisclosure/2008/Aug/0408.html)
- Password protected bind shell (http://www.irmplc.com/downloads/presentations/IOS_Bindshell_v.1.0.txt)
- Connect Back Shell (http://www.irmplc.com/downloads/presentations/IOS_Connectback_v.1.0.txt)
- Two byte overwrite bind shell (http://www.irmplc.com/downloads/presentations/IOS_tiny_v.1.0.txt)

Detection of Exploitation
The following set of commands can help a forensic analyst find traces of post-exploitation activity as evidence.
show version
show clock detail
show running-config
show startup-config
show reload
show ip route
show ip arp
show users
show logging
show ip interface
show interfaces
show tcp brief all
show ip sockets
show ip nat translations verbose
show ip cache flow
show ip cef
show snmp user
show snmp group
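
A backdoor that binds a TCP port, such as the TCL backdoor described above, shows up as an extra listener in `show tcp brief all`. The following added example (not code from the original post) parses saved output of that command and flags listeners outside an expected set, together with any sessions attached to them. The sample output, the addresses and ports in it, and the `EXPECTED_LISTENERS` allow-list are constructed; the parser assumes the four-column TCB / Local Address / Foreign Address / (state) layout with `address.port` endpoints.

```python
import re

# Constructed sample of `show tcp brief all` output (not captured from a real device).
SAMPLE_OUTPUT = """\
Router# show tcp brief all
TCB       Local Address               Foreign Address             (state)
64A1B2C0  192.0.2.1.22                198.51.100.7.51514          ESTAB
64A1C4D8  *.22                        *.*                         LISTEN
64A1D7F0  *.4444                      *.*                         LISTEN
64A1E908  192.0.2.1.4444              203.0.113.9.40022           ESTAB
"""
# Assumption: ports this router is expected to listen on, per its approved configuration.
EXPECTED_LISTENERS = {22}
ROW = re.compile(r"^(?P<tcb>[0-9A-Fa-f]{8})\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+(?P<state>\S+)$")

def split_endpoint(endpoint):
    """Split IOS 'address.port' notation ('192.0.2.1.22', '*.22', '*.*') into (address, port)."""
    address, _, port = endpoint.rpartition(".")
    return address, (int(port) if port.isdigit() else None)

def parse_tcp_brief(text):
    """Return one dict per TCB row, skipping the prompt and header lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            local = split_endpoint(m["local"])
            foreign = split_endpoint(m["foreign"])
            rows.append({"tcb": m["tcb"], "local": local,
                         "foreign": foreign, "state": m["state"]})
    return rows

def audit(text, expected=EXPECTED_LISTENERS):
    """Return (unexpected listening ports, [(peer address, local port)] sessions on them)."""
    rows = parse_tcp_brief(text)
    rogue = sorted({r["local"][1] for r in rows
                    if r["state"] == "LISTEN" and r["local"][1] not in expected})
    sessions = [(r["foreign"][0], r["local"][1]) for r in rows
                if r["state"] != "LISTEN" and r["local"][1] in rogue]
    return rogue, sessions

if __name__ == "__main__":
    rogue_ports, rogue_sessions = audit(SAMPLE_OUTPUT)
    print("unexpected listening ports:", rogue_ports)
    print("sessions on those ports:", rogue_sessions)
```

This check only covers listening ports; a connect-back session initiated from the router has no listener and has to be reviewed in the established-session rows instead.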

References
http://cir.recurity.com
http://www.cisco.com/warp/public/707/cisco-sr-20080516-rootkits.shtml
http://www.cisco.com/web/tsweb/psirt/cisco-sr-20080516-rootkits.zip
http://addxorrol.blogspot.com/2007/01/one-of-most-amusing-new-features-of.html
http://seclists.org/fulldisclosure/2008/Aug/0264.html
http://www.phrack.org/issues.html?issue=60&id=7