[104758] in North American Network Operators' Group


Re: IOS Rookit: the sky isn't falling (yet)

daemon@ATHENA.MIT.EDU (Jared Mauch)
Tue May 27 11:41:31 2008

From: Jared Mauch <jared@puck.nether.net>
To: "Alexander Harrowell" <a.harrowell@gmail.com>
In-Reply-To: <a2b2d0480805270542y418c8ae3r1cd5298ffddd1a50@mail.gmail.com>
Date: Tue, 27 May 2008 11:41:17 -0400
Cc: nanog@merit.edu
Errors-To: nanog-bounces@nanog.org


On May 27, 2008, at 8:42 AM, Alexander Harrowell wrote:

>> An alternative rootkit? Privilege level 16 used by the Lawful Intercept
>> [12] feature could be abused to do some of this too. Or the other way
>> around: use a "patched" IOS to keep an eye on Law Enforcement's operations
>> on the router as privilege level 15 doesn't allow it and the only
>> alternative is to sniff the traffic export.
>
> The combination of rootkits and specially privileged Lawful Intercept
> functions is a very dangerous one. This was precisely what was exploited in
> the now-legendary and still unsolved Vodafone Greece hack.

Perhaps the above should be simplified.

Running a hacked/modded IOS version is a dangerous prospect.

This seems like such a non-event because what is the exploit path to  
load the image? There needs to be a primary exploit to load the  
malware image.

*yawn*

- Jared


