Review of IOS rootkit talk
By stretch | Tuesday, May 27, 2008 at 11:00 a.m. UTC
Since no slides or notes from the recent EUSecWest presentation on Cisco IOS rootkits by Sebastian Muniz have been released publicly, Nicolas Fischbach has posted a nice summary of the talk to the cisco-nsp mailing list. From his post:
The (oversimplified) modus operandi is pretty straightforward: take an image, decompress it, have his tool locate the function and later patch it, add his code by overwriting large strings, (re)compress the image and (re)calculate/fix the checksums. Pretty neat. The fact that he doesn't do basic binary patching makes the approach portable and not architecture, version or feature set specific.
This image then needs to be uploaded to the router and the device needs to be reloaded. This backdoor is persistent (vs the old backdoor trick using the TCL shell which wasn't - or if you want to turn it into a non-volatile one it was easy to detect as in clear text in the startup/running configuration).
So, while it seems no groundbreaking ideas have been introduced, the proof of concept is nonetheless very cool. With all the recent hysteria in the media concerning IOS rootkits, you'd expect more than zero coverage on the presentation itself. But, I suppose any vulnerability left after implementing the level-headed and effective countermeasures suggested just isn't scary enough.
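The security-relevant detail in the summary above is that the modified image has its checksums recalculated, so the image's own embedded checksum cannot be relied on to notice the change. The following added example (not from the talk, not from Fischbach's post, and not Cisco's image format) uses a constructed toy image layout, a body followed by a 4-byte additive checksum trailer, to show why: a modified image with its trailer recomputed still passes the self-check, while comparing the whole file's SHA-256 against a hash obtained out of band (for instance, the value published on the vendor's download page) does catch it. The known-good hash here is computed from the constructed original image as a stand-in for such a published value.

```python
import hashlib
import hmac
import struct

# Constructed toy image format for illustration only (not the real IOS image
# layout): body bytes followed by a 4-byte big-endian additive checksum trailer.
TRAILER_FMT = ">I"
TRAILER_LEN = struct.calcsize(TRAILER_FMT)


def additive_checksum(body: bytes) -> int:
    """Sum of all body bytes mod 2**32: the kind of self-check an image carries."""
    return sum(body) & 0xFFFFFFFF


def build_image(body: bytes) -> bytes:
    """Append the embedded checksum trailer to a body."""
    return body + struct.pack(TRAILER_FMT, additive_checksum(body))


def self_check_passes(image: bytes) -> bool:
    """What the image's own integrity check can tell you: trailer matches body."""
    body, trailer = image[:-TRAILER_LEN], image[-TRAILER_LEN:]
    return additive_checksum(body) == struct.unpack(TRAILER_FMT, trailer)[0]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_against_known_good(image: bytes, known_good_sha256: str) -> bool:
    """Out-of-band check: compare the whole file against a hash taken from a
    trusted source, never from the image itself. Constant-time compare."""
    return hmac.compare_digest(sha256_hex(image), known_good_sha256.lower())


def modified_with_fixed_trailer(image: bytes, old: bytes, new: bytes) -> bytes:
    """Simulated tampered image for testing the checks: overwrite a string in
    the body (padding to keep the length) and recompute the embedded trailer."""
    body = image[:-TRAILER_LEN].replace(old, new.ljust(len(old), b"\x00"))
    return build_image(body)


# Constructed sample image; the hash stands in for a vendor-published value.
GOOD_BODY = b"TOYIMAGE-0.1 " + b"Copyright placeholder text string " * 4
GOOD_IMAGE = build_image(GOOD_BODY)
GOOD_SHA256 = sha256_hex(GOOD_IMAGE)


def demo() -> dict:
    """Run both checks against the original and a modified copy."""
    modified = modified_with_fixed_trailer(
        GOOD_IMAGE, b"Copyright placeholder", b"CHANGED")
    return {
        "self_check_original": self_check_passes(GOOD_IMAGE),
        "self_check_modified": self_check_passes(modified),      # still True
        "known_good_original": verify_against_known_good(GOOD_IMAGE, GOOD_SHA256),
        "known_good_modified": verify_against_known_good(modified, GOOD_SHA256),  # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The design point: an embedded checksum only proves the file is internally consistent, so integrity has to come from a hash compared against a value the image could not have influenced, and ideally computed off the device (on IOS, `verify /md5 flash:<image> <hash>` does the on-box comparison, but a device running a modified image is not the place to trust that answer).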
About the Author
Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email or follow him on Twitter.
Posted in News