
SANS ISC: Controlling a Cisco IOS device from an IRC channel - SANS Internet Storm Center


Controlling a Cisco IOS device from an IRC channel

Today is pretty quiet, so I want to share with you a part of my SANSFIRE presentation last July in Washington D.C.

Cisco Embedded Event Manager and TCL programming

The Cisco Embedded Event Manager (EEM) started with IOS 12.3(4)T and 12.0(26)S. Its main goal is to detect events inside Cisco IOS devices such as SNMP traps, Syslog event patterns, config changes, interface counters, timers or routing events. When the requested event is detected, a specific action is performed; it can be programmed as an applet with specific commands sent to the CLI, or as a TCL program resident on any storage device inside the router.

If you want to trigger a program without waiting for any event, you just have to choose the "none" event to invoke the program. This technology is very handy for automating operational procedures inside networking devices.

The TCL programming feature was introduced in IOS 12.3(2)T. This scripting language allows you to create automated procedures combining commands of the Cisco CLI and the configuration mode. With few exceptions, all commands behave the same as on a general-purpose computer, and the interpreter also implements custom extensions to interact with Cisco IOS.

Let's consider the following facts:

  • Cisco IOS now has a scripting language
  • Cisco devices have storage for the IOS image and the configuration files
  • Cisco IOS now supports event manager

What if the programming language is used to perform something nasty within the device that may compromise the entire network?

Compromising the router

To perform such an attack, the router must be compromised first. Cisco IOS allows the following remote access methods:

  • http
  • telnet
  • https
  • SSH v1 and v2

http and telnet can be compromised by a standard man-in-the-middle (MITM) attack. What about the other protocols that use cryptography?

Infection Sequence

The IOS device is owned now. For the proof of concept to work, the script must be uploaded to any of the storage devices inside the router. Look inside my presentation for the irc.tcl file and upload it to the router. This proof of concept connects the IOS device to an IRC server and accepts commands from a master. Only ping is implemented.

The next step is to trigger the TCL script every time the IOS device boots. The following example assumes the TCL script was loaded onto the bootflash: device. We can use the Cisco EEM syslog event detector and look for the SYS-5-RESTART string:

event manager applet IRC_CLIENT
 event syslog pattern "SYS-5-RESTART"
 action 1.0 cli command "enable"
 action 1.1 cli command "tclsh bootflash:irc.tcl"

When the IOS device is reloaded, the script is triggered and the IOS device connects to the IRC server as CiscoBot. It receives commands from an IRC channel and then executes them inside the device. You can configure which nick is the master of the bot.
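From the defender's side, the persistence mechanism above leaves a footprint in the running configuration: an EEM applet (or registered EEM policy) whose action launches tclsh or names a .tcl file, plus the clear-text management transports (HTTP, Telnet) that the MITM step needs. The following script is an added example, not code from the diary or from Cisco: it parses a constructed running-config excerpt and reports those indicators, along with vty lines that lack an access-class ACL. The sample configuration, the applet names and the finding texts are all constructed for illustration.

```python
"""Audit a Cisco IOS running-config for the indicators discussed in the diary:
EEM applets that launch Tcl scripts and clear-text management access
(HTTP, Telnet) that a man-in-the-middle attack could use to reach the CLI."""
import re

# Constructed sample running-config excerpt; not taken from a real device.
SAMPLE_CONFIG = """\
!
ip http server
no ip http secure-server
!
event manager applet IRC_CLIENT
 event syslog pattern "SYS-5-RESTART"
 action 1.0 cli command "enable"
 action 1.1 cli command "tclsh bootflash:irc.tcl"
!
event manager applet LINK_MONITOR
 event syslog pattern "LINK-3-UPDOWN"
 action 1.0 syslog msg "link state change seen"
!
line vty 0 4
 transport input telnet ssh
!
"""

# Matches an action that runs the Tcl shell or references a Tcl script file.
TCL_PATTERN = re.compile(r"\btclsh\b|\.tcl\b", re.IGNORECASE)


def parse_sections(config):
    """Split the config into top-level commands and their indented children.

    Returns a list of (header, [child lines]) tuples in config order. Lines
    starting with '!' are separators/comments in IOS and are skipped."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if sections:  # indented line belongs to the previous header
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit_config(config):
    """Return a list of finding strings for the given running-config text."""
    findings = []
    for header, body in parse_sections(config):
        if header.startswith("event manager applet "):
            name = header.split()[-1]
            for line in body:
                if line.startswith("action") and TCL_PATTERN.search(line):
                    findings.append(f"EEM applet {name} launches a Tcl script: {line}")
                if line.startswith("event none"):
                    findings.append(f"EEM applet {name} uses the 'none' event (manual trigger)")
        elif header.startswith("event manager policy "):
            # A Tcl policy registered directly with EEM, no applet wrapper needed.
            findings.append(f"EEM Tcl policy registered: {header}")
        elif header == "ip http server":
            findings.append("clear-text HTTP management enabled (ip http server)")
        elif header.startswith("line vty"):
            transports = [l for l in body if l.startswith("transport input")]
            if any("telnet" in t or t == "transport input all" for t in transports):
                findings.append(f"{header}: Telnet (clear-text) transport permitted")
            if not any(l.startswith("access-class") for l in body):
                findings.append(f"{header}: no access-class ACL restricting management sources")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of `show running-config` saved to a file; on the constructed sample it reports the IRC_CLIENT applet, the HTTP server, the Telnet transport and the missing access-class, and stays silent for the harmless LINK_MONITOR applet.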

[Image: Bot IRC connection]

And the packets that got sent:

[Image: Wireshark capture of the bot's packets]

Remediation

We have not yet seen this type of attack but throughout history it is clear that as new technological innovations emerge, the attackers find new ways to use them to commit their crimes (remember the capabilities of JavaScript in Adobe Reader and a few years ago macro viruses in Microsoft Office?).

Such attacks pose an interesting challenge: combined with a mask on the CLI, which I will explain in my next diary, they can fool the network administrator, who will never suspect that the IOS device carries malware unless he/she is watching for strange events on the network. In this case, the only way to remove the malware is from the ROMMON prompt.

You need to be aware of SSL warnings and SSH host key changes, because they always happen for a reason. If you don't pay attention to any of those signs, two seconds later it might be too late.

If you use signed TCL scripts from a trusted source, you can make sure you won't have future surprises inside your network.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web: http://manuel.santander.name

Manuel Humberto Santander Peláez

185 Posts
ISC Handler
This is the very reason why ACLs should be used to protect which hosts and/or networks can get non-console access to the router itself. Leaving a Cisco router open to remote access via HTTP/HTTPS/TELNET/SSH is an invitation to trouble.

Other things to consider would be to use stronger passwords to encrypt usernames (type 5 vs. type 7), and the use of RAT (Router Audit Tool) to get an overall readout of how well the security is in a given Cisco router.
Anonymous
This is really great work... I mean, I appreciate this entry and all the others. Tks.

Anonymous
Can the TCL feature be effectively used with a Tripwire installation?
AndrewB

24 Posts
