Just when you thought it was safe to route packets...

May 20, 2008

One of the most arcane yet commonly encountered pieces of equipment on the Net today are routers - devices (usually big, expensive devices) that look at the destination IP addresses of each packet they see and decide which port to throw them out of to help them on their way. Usually you don't see them up close because they tend to live in data centers or wiring closets (for smaller shops) in racks, safely locked away. While there are a couple of manufacturers out there who specialize in them, for people in the know the first thing they think of when you say the word 'router' is usually Cisco, who's been in the market for years. At any rate, Cisco's battening down the hatches because one Sebastian Muniz of Core Security Technologies is preparing to unveil his research at the EuSecWest conference later this week. It seems that Muniz has figured out how to write rootkits for compromised Cisco routers. If you've never encountered a rootkit before, a rootkit is a software package that is designed to hide the presence of an intruder in a system. Sometimes you'll see daemons that permit remote access or utilities that really shouldn't be there, but you'll definitely find kernel modules or other OS modules that modify the running kernel to hide network connections, parts of the file system, active logins, and more. Following on the heels of Mike Lynn's research from a few years ago Muniz has figured out how to embed his own software inside of Cisco IOS, the firmware that underlies Cisco's networking equipment once the device has been compromised.

There is already controversy brewing over this development: Some people are saying that this is impossible, or that the vulnerability is hypothetical. Others are saying that it doesn't matter because you need level 15 privileges on the router before you can install the modified firmware image (but then again, you need root or Administrator privileges to install a rootkit on general purpose machines, and historically speaking that's not impossible, either). A select few voices are calling for this guy's head on a platter, though after the hit that Cisco took when they tried to hush Lynn's work a few years ago, I don't think that it's going to work due to all of the bad press they got. One thing that I can say for certain is that there are people out there who aren't just attacking computers, they're also spending time trying to compromise routers to reconfigure them in interesting ways. It's not as common an attack as, say, people writing daemons to brute-force accounts over SSH, but of the people who actively monitor the logs coming from their routers, a small number of them are seeing dozens to hundreds of attempts to brute force accounts every day.