Cisco IOS Rootkit thoughts

Published: 2008-05-23
Last Updated: 2008-05-23 21:54:36 UTC
by Mike Poor (Version: 1)
2 comment(s)

Sebastian Muniz of Core Security was due to give his talk on Cisco IOS Rootkits at EUsecwest today.  After reading the interview with Sebastian Muniz by Sean Comeau, I began thinking about the implications for enterprise operations.

While most enterprises have come to distrust the OS and applications, most still implicitly trust devices.  Whether the device is a printer, a wireless access point, or a router, most operations teams do little beyond applying patches to vulnerable systems.  Most security teams avoid the clash with the operations teams over testing and hardening network devices.

In the case of the printers, we have seen many printer compromises over the years.  I first ran into one almost ten years ago.  These were old office document printers running AIX... you know the ones.  Since that event, I have handled on average 3 investigations a year where a core printer is involved in the theft of corporate data. 

Most organizations treat these devices as unmanaged machines leased from a third-party vendor.  The vendor barely supports the device beyond providing paper and toner.  Many of these printers have POTS capability (remote admin, status, as well as fax), network functionality, and wireless.  HP offers a lockdown guide and configuration tool to lock down their printers.  Here's a link:

If anyone doubts the capabilities of a simple access point, one only needs to go so far as checking in with Paul Asadoorian and Larry Pesce (of fame).  Their awesome book (shameless plug) and SANS course (SANS Security 535: Network Security Projects Using Hacked Wireless Routers) provide much depth and coverage on the topic.

Now, on to the more sensitive topic... hacking IOS.  We can all remember just a few years ago when the Mike Lynn debacle occurred at Black Hat when he was scheduled to present on IOS hacking.  Lawyers got involved, goons ripped pages out of conference giveaways, etc.  A couple of thoughts come to mind when dealing with the potential of a hacked router:

1. How to validate the IOS running on the device.  Obviously, it can lie just as a kernel-level rootkit can lie.  My preference might be a steady routine of flashing the device, although that would go against most organizations' notions of uptime (and I'm usually ok with that).  I do like that Muniz points to CIR as a remedy in this case:

<From the article>

Sean Comeau: Are there any existing tools to detect unauthorized modification
of IOS?

Sebastian Muniz: Yes, CIR "Cisco Information Retrieval" created by FX is THE
TOOL in this case. It's a framework capable of detecting those kinds of
modifications. This tool analyzes crash dumps by performing several tests on
them and taking a clean IOS image as a starting point. This is a great tool and
probably the only one able to do this but it relies on the IOS functions that
generate the crash dump so, if those functions are hooked by the rootkit, the
result may not be correct. The thing is not that easy because CIR is able to
perform several tests and could detect the rootkit but this will probably be
like a race, competing with each other to see who has the latest trick to
bother its counterpart. But in the case of the version of rootkit (DIK) that
will be presented at the conference, CIR will be able to detect it.
</From the article>
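The same "start from a clean image" idea applied off-box, as an added example that is not part of this diary, of CIR, or of Core Security's work: compare an image copied off the router (assumed here to have been pulled from flash to a management host out of band, since any check run on the device itself can be lied to) against a known-clean copy of the same IOS build, and report which regions differ. The images and the patched bytes below are constructed sample data.

```python
import hashlib

BLOCK = 256  # constructed block size; real images would use a larger granularity


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_blocks(golden: bytes, captured: bytes, block: int = BLOCK) -> list:
    """Return (offset, length) ranges of block-aligned regions that differ.
    A length mismatch shows up as a trailing range covering the extra bytes."""
    ranges = []
    n = max(len(golden), len(captured))
    start = None
    for off in range(0, n, block):
        if golden[off:off + block] != captured[off:off + block]:
            if start is None:
                start = off          # open a new differing range
        elif start is not None:
            ranges.append((start, off - start))
            start = None
    if start is not None:
        ranges.append((start, n - start))
    return ranges


def verify_image(golden: bytes, captured: bytes, block: int = BLOCK) -> dict:
    """Whole-image digest check first; on mismatch, localise the changed blocks."""
    match = sha256(golden) == sha256(captured)
    return {
        "digest_match": match,
        "golden_sha256": sha256(golden),
        "captured_sha256": sha256(captured),
        "modified_ranges": [] if match else diff_blocks(golden, captured, block),
    }


# Constructed sample: a fake 4 KiB "image" and a copy with 16 bytes patched at 0x600.
GOLDEN = bytes((i * 7) % 256 for i in range(4096))
_tampered = bytearray(GOLDEN)
_tampered[0x600:0x610] = b"\x90" * 16
TAMPERED = bytes(_tampered)

if __name__ == "__main__":
    report = verify_image(GOLDEN, TAMPERED)
    print("clean" if report["digest_match"] else "MODIFIED at", report["modified_ranges"])
```

The known-clean copy should come from the vendor download, not from another router of the same model, otherwise a fleet-wide modification passes as clean.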

2. Router lockdown.

Cisco has its Security Device Manager (SDM)  with a good article on it here:

The Center for Internet Security (CIS) has a Router Assessment Tool (RAT) that can be used on Windows or Unix-like operating systems to assess the security of a Cisco Router.  This tool can be found here:

Given the amount of interesting things to think about and do presented here... it's great that it's Memorial Day weekend in the U.S.A.  Have a great weekend, think of those that have given their lives so that we can enjoy ours...

Mike Poor, Handler on Duty

Intelguardians, Inc.



Where is the media coverage on the presentation? I haven't seen any articles or blog posts about the presentation. Where can I get a copy of the presentation?
Cisco's response of raising awareness is entirely appropriate. I hope that they consider more in-depth process security mechanisms in their future portfolio, especially considering the advent of IOS modularization.
