
Today is pretty quiet, so I want to share with you a part of my SANSFIRE presentation last July in Washington D.C.

Cisco Embedded Event Manager and TCL programming

The Cisco Embedded Event Manager (EEM) started with IOS 12.3(4)T and 12.0(26)S. Its main goal is to detect events inside Cisco IOS devices such as SNMP traps, Syslog message patterns, configuration changes, interface counters, timers or routing events. When the requested event is detected, a specific action is performed; the action can be programmed as an applet with specific commands sent to the CLI, or as a TCL program resident on any storage device inside the router.

If you want to run a program without waiting for any event, you just have to choose the none event detector to invoke it. This technology is very handy for automating operational procedures inside networking devices.

The TCL programming feature was introduced in IOS 12.3(2)T. This scripting language allows you to create automated procedures combining commands from the Cisco CLI and from configuration mode. With few exceptions, all commands behave the same as on ordinary computers, and the interpreter also implements custom extensions to interact with Cisco IOS.

Let's consider the following facts:

Cisco IOS now has a scripting language
Cisco devices have storage for the IOS image and the configuration files
Cisco IOS now supports event manager

What if the programming language is used to perform something nasty within the device that may compromise the entire network?

Compromising the router

To perform such an attack, the router must first be compromised. Cisco IOS allows the following remote access methods:

SSH v1 and v2

HTTP and Telnet can be compromised by a standard man-in-the-middle (MITM) attack. What about the other protocols, the ones that use cryptography?

SSL can be easily compromised using ettercap
The SSHv1 protocol is vulnerable to MITM attacks: use ettercap or mitm-ssh
The SSHv2 protocol is also vulnerable: use mitm-ssh or jmitm2. You can also downgrade the connection to SSHv1 and then perform the MITM attack on the SSHv1 part of the connection.

Infection Sequence
The IOS device is owned now. For the proof of concept to work, it must be uploaded to any of the storage devices inside the router. Look inside my presentation for the irc.tcl file and upload it to the router. This proof of concept connects the IOS device to an IRC server and accepts commands from a master. Only ping is implemented.

The next step is to trigger the TCL script every time the IOS device boots. The following example assumes the TCL script was loaded onto the bootflash: device. We can use the Cisco EEM syslog event detector and look for the SYS-5-RESTART string:

event manager applet IRC_CLIENT
 event syslog pattern "SYS-5-RESTART"
 action 1.0 cli command "enable"
 action 1.1 cli command "tclsh bootflash:irc.tcl"

When the IOS device is reloaded, the script is triggered and the IOS device connects to the IRC server as CiscoBot. It receives commands from an IRC channel and executes them inside the device. You can configure which nick is the master of the Bot.

And the packets got sent:


We have not yet seen this type of attack, but throughout history it is clear that as new technological innovations emerge, attackers find new ways to use them to commit their crimes (remember the capabilities of JavaScript in Adobe Reader and, a few years ago, macro viruses in Microsoft Office?).

Such attacks pose an interesting challenge: combined with a mask on the CLI, which I will explain in my next diary, they can fool the network administrator, who will never suspect that the IOS device carries malware unless he or she is watching for strange events on the network. In that case, the only way to remove the malware is from the ROMMON prompt.

You need to pay attention to SSL warnings and SSH host key changes, because they always happen for a reason. If you ignore those signs, two seconds later it might be too late.

If you use signed TCL scripts from a trusted source, you can make sure you won't have future surprises inside your network.
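As an added example (not part of this diary and not code from the presentation), the following Python script audits a saved running-config for the persistence pattern shown above and for the signed-script mitigation just mentioned: it parses every EEM applet, flags any applet whose action launches tclsh or references a .tcl file, reports which of those are triggered by the SYS-5-RESTART reload message, and checks whether "scripting tcl secure-mode" (the IOS signed Tcl scripts feature; assumed here to be present in the config text when enabled) is configured. The config excerpt is constructed for the demonstration; in practice you would feed it the output of "show running-config" collected from the device.

```python
import re
from dataclasses import dataclass, field

# Constructed sample running-config excerpt, NOT from any real device.
# It contains one applet mirroring the diary's IRC_CLIENT persistence
# trick and one benign applet that only logs interface flaps.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
event manager applet IRC_CLIENT
 event syslog pattern "SYS-5-RESTART"
 action 1.0 cli command "enable"
 action 1.1 cli command "tclsh bootflash:irc.tcl"
!
event manager applet LOG_INTERFACE_FLAP
 event syslog pattern "LINK-3-UPDOWN"
 action 1.0 syslog msg "interface flap observed"
!
end
"""

# Matches an action that launches the Tcl shell or names a .tcl file.
TCL_RE = re.compile(r"\btclsh\b|\.tcl\b", re.IGNORECASE)
# The syslog mnemonic emitted on every reload, used as a boot trigger.
RESTART_MARK = "SYS-5-RESTART"
# Hypothetical name for the signed-Tcl enforcement line we look for.
SECURE_MODE_LINE = "scripting tcl secure-mode"


@dataclass
class Applet:
    name: str
    events: list = field(default_factory=list)
    actions: list = field(default_factory=list)


def parse_applets(config: str) -> list:
    """Collect EEM applets: a block starts at 'event manager applet NAME'
    and ends at the next top-level (unindented) line such as '!' or 'end'."""
    applets, current = [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("event manager applet "):
            current = Applet(name=line.split()[3])
            applets.append(current)
        elif current is not None and line.startswith(" "):
            body = line.strip()
            if body.startswith("event "):
                current.events.append(body)
            elif body.startswith("action "):
                current.actions.append(body)
        else:
            current = None
    return applets


def find_tcl_launchers(applets: list) -> list:
    """(applet name, action) pairs whose action hands control to Tcl."""
    return [(a.name, act) for a in applets for act in a.actions if TCL_RE.search(act)]


def boot_triggered(applets: list) -> list:
    """Names of applets that fire on the reload syslog message."""
    return [a.name for a in applets if any(RESTART_MARK in ev for ev in a.events)]


def tcl_secure_mode_enabled(config: str) -> bool:
    """True when signed-script enforcement appears in the config text."""
    return any(l.strip() == SECURE_MODE_LINE for l in config.splitlines())


def audit(config: str) -> dict:
    """Summarise the findings a reviewer would want from one config."""
    applets = parse_applets(config)
    return {
        "tcl_launchers": find_tcl_launchers(applets),
        "boot_triggered": boot_triggered(applets),
        "signed_tcl_enforced": tcl_secure_mode_enabled(config),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

The audit works on configuration text only, so it sees applets and not Tcl policies registered from a script directory; on the device itself, "show event manager policy registered" lists both kinds and is worth comparing against the saved config during an incident. An applet that both runs on SYS-5-RESTART and launches tclsh, on a device without secure-mode, is exactly the combination described in this diary and deserves a look at the referenced script on the storage device.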
Manuel Humberto Santander Peláez

SANS Internet Storm Center - Handler

Twitter: @manuelsantander


(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.