[104762] in North American Network Operators' Group
Re: IOS Rookit: the sky isn't falling (yet)
daemon@ATHENA.MIT.EDU (Gadi Evron)
Tue May 27 12:02:44 2008
Date: Tue, 27 May 2008 11:02:32 -0500 (CDT)
From: Gadi Evron <ge@linuxbox.org>
To: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <79AF9AD3-889F-408D-99FE-902930C402EC@puck.nether.net>
Cc: nanog@merit.edu
Errors-To: nanog-bounces@nanog.org
On Tue, 27 May 2008, Jared Mauch wrote:
>
> On May 27, 2008, at 8:42 AM, Alexander Harrowell wrote:
>
>>> An alternative rootkit? Privilege level 16 used by the Lawful Intercept
>>> [12] feature could be abused to do some of this too. Or the other way
>>> around: use a "patched" IOS to keep an eye on Law Enforcement's
>>> operations on the router as privilege level 15 doesn't allow it and the
>>> only alternative is to sniff the traffic export.
>>
>> The combination of rootkits and specially privileged Lawful Intercept
>> functions is a very dangerous one. This was precisely what was exploited in
>> the now-legendary and still unsolved Vodafone Greece hack.
>
> Perhaps the above should be simplified.
>
> Running a hacked/modded IOS version is a dangerous prospect.
>
> This seems like such a non-event because what is the exploit path to load the
> image? There needs to be a primary exploit to load the malware image.
>
> *yawn*
I guess we will wait for the next one before waking up, then.
> - Jared
Gadi.