[104756] in North American Network Operators' Group


Re: IOS Rookit: the sky isn't falling (yet)

daemon@ATHENA.MIT.EDU (Christopher Morrow)
Tue May 27 11:33:06 2008

Date: Tue, 27 May 2008 11:32:52 -0400
From: "Christopher Morrow" <morrowc.lists@gmail.com>
To: nanog@nanog.org
In-Reply-To: <a2b2d0480805270542y418c8ae3r1cd5298ffddd1a50@mail.gmail.com>
Errors-To: nanog-bounces@nanog.org

On Tue, May 27, 2008 at 8:42 AM, Alexander Harrowell
<a.harrowell@gmail.com> wrote:
>> An alternative rootkit? Privilege level 16 used by the Lawful Intercept
>> [12] feature could be abused to do some of this too. Or the other way
>> around: use a "patched" IOS to keep an eye on Law Enforcement's operations
>> on the router as privilege level 15 doesn't allow it and the only
>> alternative is to sniff the traffic export.
>
> The combination of rootkits and specially privileged Lawful Intercept
> functions is a very dangerous one. This was precisely what was exploited in
> the now-legendary and still unsolved Vodafone Greece hack.

to be clear though, the LI functions on cisco are auditable (assuming
the IOS is still Cisco's, not patched/hacked); you just have to use SNMPv3 to
audit the activities... which most mediation devices have to do
because the settings don't get committed to config, so upon system
reload they have to be re-set to baseline again.

-Chris
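The SNMPv3 audit Chris describes, as an added example that is not part of this thread and not Cisco or mediation-vendor code: it takes a net-snmp-style walk of the CISCO-TAP2-MIB mediation table and diffs it against the list of intercepts the mediation device is authorised to have configured. The MIB and column names (cTap2MediationDestAddress, cTap2MediationDestPort, cTap2MediationStatus) are taken from Cisco's Lawful Intercept MIB as I recall them and should be treated as assumptions, the output formatting is assumed, and the sample walk lines are constructed, not a real capture. The same comparison is what a mediation device needs after a reload, since the entries are not in the saved config and an empty table is expected rather than alarming at that moment.

```python
"""Audit a router's Lawful Intercept mediation table against an approved baseline.

Added example for the NANOG thread above, not the thread's or Cisco's code.
Assumes an SNMPv3 walk of CISCO-TAP2-MIB rendered in net-snmp's textual form
with the MIB loaded; the MIB/column names and the output format are assumptions.
"""
import re

# Constructed sample walk: index 1 is an entry the mediation device knows about,
# index 7 is one nobody authorised. Addresses are RFC 5737 documentation ranges.
SAMPLE_WALK = """\
CISCO-TAP2-MIB::cTap2MediationDestAddress.1 = STRING: "192.0.2.10"
CISCO-TAP2-MIB::cTap2MediationDestPort.1 = Gauge32: 5000
CISCO-TAP2-MIB::cTap2MediationStatus.1 = INTEGER: active(1)
CISCO-TAP2-MIB::cTap2MediationDestAddress.7 = STRING: "198.51.100.99"
CISCO-TAP2-MIB::cTap2MediationDestPort.7 = Gauge32: 6001
CISCO-TAP2-MIB::cTap2MediationStatus.7 = INTEGER: active(1)
"""

# Constructed baseline: what the mediation device believes it has provisioned.
APPROVED_BASELINE = {
    1: {"cTap2MediationDestAddress": "192.0.2.10", "cTap2MediationDestPort": "5000"},
}

# One object per line: <MIB>::<column>.<index> = <type>: <value>
WALK_LINE = re.compile(r"^CISCO-TAP2-MIB::(\w+)\.(\d+)\s*=\s*[\w-]+:\s*(.*)$")


def _clean(value):
    """Strip net-snmp decoration: surrounding quotes, or enum labels like active(1)."""
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    m = re.fullmatch(r"(\w+)\((\d+)\)", value)
    return m.group(1) if m else value


def parse_walk(text):
    """Group one-object-per-line walk output into {index: {column: value}}."""
    table = {}
    for line in text.splitlines():
        m = WALK_LINE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a TAP2 object
        column, index, value = m.group(1), int(m.group(2)), _clean(m.group(3))
        table.setdefault(index, {})[column] = value
    return table


def audit(live, baseline):
    """Compare the live mediation table with the approved baseline.

    unexpected: indices present on the router that the baseline does not list
    missing:    approved entries absent from the router (e.g. lost on reload)
    changed:    approved entries whose columns no longer match the baseline
    """
    unexpected = sorted(i for i in live if i not in baseline)
    missing = sorted(i for i in baseline if i not in live)
    changed = sorted(
        i for i in baseline
        if i in live and any(live[i].get(col) != val for col, val in baseline[i].items())
    )
    return {"unexpected": unexpected, "missing": missing, "changed": changed}


if __name__ == "__main__":
    findings = audit(parse_walk(SAMPLE_WALK), APPROVED_BASELINE)
    for kind, indices in findings.items():
        if indices:
            print(f"{kind}: mediation index(es) {indices}")
```

In practice the walk text would come from the mediation device's own SNMPv3 poller (authPriv, with the LI user restricted to the TAP views) rather than a string constant, and "missing" right after a reload is the cue to re-apply the baseline, while "unexpected" at any time is the case worth paging on.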
