
Cisco IOS rootkit


4 replies to this topic

#1 jabzor

jabzor

    hax?

  • Agents of the Revolution
  • 1,146 posts
  • Country:
  • Gender:Male
  • Location:Northern Elbonia, fighting the lefties

Posted 15 May 2008 - 11:16 PM

pc world, zdnet, etc..

Cool stuff, was only a matter of time.
I was pondering the idea after thinking about the implications of Operation Cisco Raider and then this news broke.
Between off-market / pirated devices being deployed in sensitive environments and now an IOS flash rootkit, there is a lot of damage potential, especially if rootkits for the separate Cisco PIX (firewall) OS pop up as well.

Employing an undisclosed exploit, or obfuscating an unpatched exploit to bypass IDS/IPS/etc., for the purpose of implanting a rootkit would greatly hinder audit/detection/tracing efforts, extend the effective system-access time and possibly even void future update/patch attempts if combined with a bootstrap.

Expect the information to be vague though, as Cisco threw their legal team at the last big IOS threat. Nothing like security through obscurity while the Chinese/Russian military, to say nothing of private corporations, work on their own rootkits behind closed doors.

Edited by jabzor, 15 May 2008 - 11:22 PM.


#2 xof7

xof7

    Hakker addict

  • Members
  • 558 posts
  • Location:Spokane, Washington

Posted 16 May 2008 - 01:20 AM

This is not new. A few of you have heard of the VoIP hacker Robert Moore (MooreR). He and his associates were placing altered versions of IOS on VoIP routers so that they could route their traffic through it and re-sell the use of the equipment.

See:

http://www.secguru.c...le_voip_service

http://www.informati...cleID=202101781

http://www.infoworld...voiphack_1.html

http://freerobert.com

None of these articles go into detail about what occurred, but Robert is a close friend of mine and this is just something that he mentioned to me.

#3 jabzor

jabzor

    hax?

  • Agents of the Revolution
  • 1,146 posts
  • Country:
  • Gender:Male
  • Location:Northern Elbonia, fighting the lefties

Posted 16 May 2008 - 01:52 AM

Would love to hear more info about him root-kitting the IOS.
I've read about him dictionary/brute-forcing accounts and using unpatched exploits, but none of the information I have read mentions him altering IOS binaries.

Edit: Are you certain he was not referring to root-kits on the Call Manager servers?

Edited by jabzor, 16 May 2008 - 01:56 AM.


#4 savant

savant

    SUPR3M3 31337 Mack Daddy P1MP

  • Agents of the Revolution
  • 368 posts
  • Gender:Male
  • Location:408

Posted 16 May 2008 - 12:38 PM

Expect the information to be vague though, as Cisco threw their legal team at the last big IOS threat. Nothing like security through obscurity while the Chinese/Russian military, to say nothing of private corporations, work on their own rootkits behind closed doors.

Uh, this isn't strictly true. Michael Lynn's employer was the one who threw the legal team at him, not Cisco. Check the tubes for Dark Tangent's talk from last year's Defcon called Ciscogate. Cisco certainly wasn't thrilled, but they were fairly receptive to the information. In fact, Mike Lynn worked with IOS's security team and didn't disclose the exploit until *after* the patch had been released.

http://video.google....989262001542611

It's really popular to dogpile on top of giant companies, but before you do make sure to have all the info.

#5 jabzor

jabzor

    hax?

  • Agents of the Revolution
  • 1,146 posts
  • Country:
  • Gender:Male
  • Location:Northern Elbonia, fighting the lefties

Posted 16 May 2008 - 01:36 PM

Thanks for the vid, love the line 'plus he really looks like Yoda'.
Sorry, I thought Cisco was also behind some of the threats; I thought I read Cisco's sharks were also after him. If not, mea culpa.

Edit:
http://www.infoworld...blackhat_1.html

Cisco was unhappy with his talk and had put pressure on both ISS and the Black Hat conference to stop the presentation, Lynn alleged. Cisco could not be reached for comment on this story.
By giving his presentation, Lynn said he hoped to clear up the misconception that Cisco's products are somehow less vulnerable to the kinds of attacks that frequently affect widely used software like the Windows operating system.

I'm sure there are other examples, even in the video, paraphrasing: 'now it's more than just ISS, there are several players, I have to talk to my lawyers - Cisco is in the mix', and the 'Mike from Cisco' showing up.
Not to say that ISS wasn't involved, but how much of that is in part due to pressure from Cisco on their behalf? It would be interesting to have more of the internal information.
'And he's all like wtf, omg.. um um um.. ISS told us none of this was in here.' - 'k?' - 'ISS told us all of the materials have been pulled and everything is ok'.

Very end of the movie, in the Q&A: 'When Mike got stuck at the same point FX got stuck at, he went online and found the solution after translating some Chinese hackers' postings, so to think that the Chinese or some other hackers didn't already know about this..' and 'as it turns out, ISS was trying to get a deal with Cisco for advanced vulns. That was the big carrot - get your people to fall in line and we'll give you this big carrot'.

In your opinion, how did Cisco not throw their lawyers at the situation? How did they not lead the witch-hunt?

Edited by jabzor, 16 May 2008 - 03:17 PM.
