Today is pretty quiet, so I want to share with you a part of my SANSFIRE presentation last July in Washington D.C.
Cisco Embedded Event Manager and TCL programming
The Cisco Embedded Event Manager (EEM) started with IOS 12.3(4)T and 12.0(26)S. Its main goal is to detect events inside Cisco IOS devices, such as SNMP traps, syslog event patterns, config changes, interface counters, timers or routing events. When the requested event is detected, a specific action is performed; it can be programmed as an applet that sends specific commands to the CLI, or as a TCL program resident on any storage device inside the router.
If you want to trigger a program without any event occurring, you just have to choose the none event to invoke the program. This technology is very handy for automating operational procedures inside networking devices.
The TCL programming feature was introduced in IOS 12.3(2)T. This scripting language lets you create automated procedures combining commands of the Cisco CLI and the configuration mode. With few exceptions, all commands behave the same as on normal computers, and the implementation also adds custom extensions to interact with Cisco IOS.
Let's consider the following facts:
Cisco IOS now has a scripting language
Cisco devices have storage for the IOS image and the configuration files
Cisco IOS now supports an event manager
What if the programming language is used to perform something nasty within the device that may compromise the entire network?
Compromising the router
To perform such an attack, the router must be compromised. Cisco IOS allows the following remote access methods:
SSH v1 and v2
HTTP and Telnet can be compromised by a standard man-in-the-middle (MITM) attack. What about the other protocols that use cryptography?
SSL can be easily compromised using ettercap
The SSHv1 protocol is vulnerable to MITM attacks: Use ettercap or mitm-ssh
The SSHv2 protocol is also vulnerable: Use mitm-ssh or jmitm2. You can also downgrade the connection to SSHv1 and then perform the MITM attack in the SSHv1 connection part.
The IOS device is owned now. For the proof of concept to work, it must be uploaded to one of the storage devices inside the router. Look inside my presentation for the irc.tcl file and upload it to the router. This proof of concept connects the IOS device to an IRC server and accepts commands from a master. Only ping is implemented.
The next step is to trigger the TCL script every time the IOS device boots. The following example assumes the TCL script was loaded to the bootflash: device. We can use the Cisco EEM syslog event detector and look for the SYS-5-RESTART string:
event manager applet IRC_CLIENT
event syslog pattern SYS-5-RESTART
action 1.0 cli command enable
action 1.1 cli command tclsh bootflash:irc.tcl
When the IOS device is reloaded, the script is triggered and the IOS device connects to the IRC server as CiscoBot. It receives commands from an IRC channel and then executes them inside the device. You can configure the nick that is the master of the bot.
And the packets got sent:
Such attacks pose an interesting challenge because, combined with a mask on the CLI (which I will explain in my next diary), they can fool the network administrator, who won't ever suspect that the IOS device has malware unless he/she is watching for strange events on the network. In this case, the only way to remove the malware is from the ROMMON prompt.
You need to be aware of SSL warnings and SSH host key changes, because they always happen for a reason. If you don't pay attention to any of those signs, two seconds later it might be too late.
If you use TCL scripts signed by a trusted source, you can make sure you won't have future surprises inside your network.
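A defender can look for the persistence pattern shown above by auditing saved configurations for EEM applets that launch a TCL script. The following is an added example, not part of the original diary or presentation; the function names are hypothetical, the sample configuration is constructed, and it assumes the one-space indentation that show running-config uses for applet sub-commands.

```python
import re

# Constructed sample running-config excerpt (not taken from a real device).
SAMPLE_CONFIG = """\
!
event manager applet IRC_CLIENT
 event syslog pattern SYS-5-RESTART
 action 1.0 cli command enable
 action 1.1 cli command tclsh bootflash:irc.tcl
event manager applet LINK_NOTIFY
 event syslog pattern "LINK-3-UPDOWN"
 action 1.0 syslog msg "uplink state changed"
!
line vty 0 4
 transport input ssh
"""

APPLET_RE = re.compile(r"^event manager applet (\S+)")
TCLSH_RE = re.compile(r"cli command \"?tclsh\s+(\S+?)\"?\s*$")


def parse_applets(config):
    """Return {applet_name: [sub-command lines]} from running-config text."""
    applets, current = {}, None
    for line in config.splitlines():
        m = APPLET_RE.match(line)
        if m:
            current = applets.setdefault(m.group(1), [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None  # any other unindented line ends the applet block
    return applets


def audit(config):
    """Flag applets that launch a TCL script; note if a restart triggers them."""
    findings = []
    for name, body in parse_applets(config).items():
        scripts = [m.group(1) for l in body if (m := TCLSH_RE.search(l))]
        if scripts:
            on_boot = any(l.startswith("event syslog") and "SYS-5-RESTART" in l for l in body)
            findings.append({"applet": name, "scripts": scripts, "runs_on_restart": on_boot})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f)
```

Any finding is a prompt to verify the referenced file on the storage device against a known-good copy; an applet that runs a script on restart deserves the closest look.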
Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.