nanog mailing list archives

Re: IOS Rootkit: the sky isn't falling (yet)


From: "Christopher Morrow" <morrowc.lists () gmail com>
Date: Tue, 27 May 2008 11:32:52 -0400

On Tue, May 27, 2008 at 8:42 AM, Alexander Harrowell
<a.harrowell () gmail com> wrote:
> An alternative rootkit? Privilege level 16 used by the Lawful Intercept
> [12] feature could be abused to do some of this too. Or the other way
> around: use a "patched" IOS to keep an eye on Law Enforcement's operations
> on the router as privilege level 15 doesn't allow it and the only
> alternative is to sniff the traffic export.
>
> The combination of rootkits and specially privileged Lawful Intercept
> functions is a very dangerous one. This was precisely what was exploited in
> the now-legendary and still unsolved Vodafone Greece hack.

To be clear though, the LI functions on Cisco are auditable (assuming
the IOS is still Cisco's, not patched/hacked); you just have to use SNMPv3 to
audit the activities... which most mediation devices have to do anyway,
because the settings don't get committed to config, so upon system
reload they have to be re-set to baseline again.

-Chris
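The audit Chris describes, as an added example that is not part of the original thread: poll the device's LI mediation table over SNMPv3 and diff it against the collectors the mediation platform is authorized to use. The walk output, addresses and ports below are constructed; the object names follow the CISCO-TAP2-MIB mediation table as recalled here (cTap2Mediation*) and are an assumption to check against the MIB your platform actually loads. The SNMPv3 transport itself is left to snmpwalk or your poller; the script consumes its text output.

```python
"""Audit Cisco Lawful Intercept mediation entries reported over SNMPv3.

Because LI settings never reach the saved configuration, the only record of
what a router is intercepting is what it reports via SNMPv3. This script
compares such a poll against an authorized baseline of mediation (collector)
devices and flags anything that does not belong.

Assumptions: object names are from CISCO-TAP2-MIB as recalled (cTap2Mediation*);
the walk output and all addresses are constructed sample data.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of what `snmpwalk -v3 ...` over the mediation table might
# print after a reload and re-provisioning. Content id 42 points at a collector
# that is NOT in the authorized baseline.
SAMPLE_WALK = """\
CISCO-TAP2-MIB::cTap2MediationDestAddressType.7 = INTEGER: ipv4(1)
CISCO-TAP2-MIB::cTap2MediationDestAddress.7 = Hex-STRING: C0 00 02 0A
CISCO-TAP2-MIB::cTap2MediationDestPort.7 = Gauge32: 5000
CISCO-TAP2-MIB::cTap2MediationTimeout.7 = STRING: 2008-5-28,11:30:0.0
CISCO-TAP2-MIB::cTap2MediationStatus.7 = INTEGER: active(1)
CISCO-TAP2-MIB::cTap2MediationDestAddressType.42 = INTEGER: ipv4(1)
CISCO-TAP2-MIB::cTap2MediationDestAddress.42 = Hex-STRING: CB 00 71 05
CISCO-TAP2-MIB::cTap2MediationDestPort.42 = Gauge32: 6000
CISCO-TAP2-MIB::cTap2MediationStatus.42 = INTEGER: active(1)
"""

# Constructed baseline: (address, port) of every collector the mediation
# platform is authorized to deliver intercepted traffic to.
AUTHORIZED_COLLECTORS = {("192.0.2.10", 5000)}

# "MIB::object.index = TYPE: value"; the TYPE prefix is optional.
LINE_RE = re.compile(r"^CISCO-TAP2-MIB::(\w+)\.(\d+) = (?:[\w-]+: )?(.*)$")


def parse_walk(text):
    """Group snmpwalk lines into one {object: value} dict per content id."""
    entries = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or an object outside the mediation table
        obj, index, value = m.groups()
        entries[int(index)][obj] = value
    return dict(entries)


def dest_of(entry):
    """Decode the Hex-STRING destination address and the port of one entry."""
    raw = entry.get("cTap2MediationDestAddress", "")
    addr = str(ipaddress.ip_address(bytes.fromhex(raw)))  # 4 or 16 bytes
    port = int(entry.get("cTap2MediationDestPort", "0"))
    return addr, port


def audit(walk_text, authorized):
    """Return human-readable findings: unauthorized collectors and baseline
    collectors with no live entry (expected right after a reload, since the
    mediation device has to push the configuration again)."""
    findings = []
    seen = set()
    for cid, entry in sorted(parse_walk(walk_text).items()):
        status = entry.get("cTap2MediationStatus", "unknown").split("(")[0]
        dest = dest_of(entry)
        seen.add(dest)
        if dest not in authorized:
            findings.append(
                f"content {cid}: {status} intercept to UNAUTHORIZED "
                f"collector {dest[0]}:{dest[1]}"
            )
    for addr, port in sorted(authorized - seen):
        findings.append(
            f"authorized collector {addr}:{port} has no active entry "
            f"(re-provision after reload expected)"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_WALK, AUTHORIZED_COLLECTORS):
        print(finding)
```

Run the audit from the mediation device or a separate monitoring host on a schedule and alert on any "UNAUTHORIZED" line; a baseline collector that goes missing right after sysUpTime resets is the re-provisioning Chris mentions, not an incident, but a collector that is missing while the device has been up for days deserves a look.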

