Cisco IOS Trojan - well not really

May 12, 2010

Hi there!

Jeremy on “” wrote a post about a white paper published on the GCIH website, entitled “IOSTrojan: Who really owns your router?”. The PDF is available at this link and runs to about 26 pages. Being curious about all things IT, especially networking and Unix, I dived in, read the PDF in its entirety, and here is my take.

For the major part of the paper, the author focuses on demonstrating how an executed Tcl script could lure the user into believing they are in an IOS shell rather than a Tcl shell, by parsing and handling most of the IOS commands. While the author makes a good point for anyone unaware of the Tcl script setup, it makes me wonder to what extent such a scenario would take place in a production environment, and whether it would qualify as a Trojan at all, since the execution of the code is not hidden from the user’s view. Which brings me to the following question: who runs a Tcl script on production network equipment without reading its source?
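
The practical follow-up to that question is knowing which Tcl scripts a box runs without anyone typing `tclsh` at the console. The following is an added example, not code from the post or the paper: it scans an IOS-style running-config for the hooks that launch Tcl automatically (`scripting tcl init`, EEM user policies, kron jobs calling `tclsh`) so each referenced script can be source-read before it is trusted. The config excerpt is constructed for illustration.

```python
import re

# Constructed sample of an IOS running-config excerpt (not from the page or the paper),
# containing the hooks through which a Tcl script is executed at boot or on a schedule.
SAMPLE_CONFIG = """\
!
hostname edge-rtr1
!
scripting tcl init flash:/init.tcl
scripting tcl low-memory 5242880
!
event manager directory user policy "flash:/policies"
event manager policy login_hook.tcl type user
!
kron policy-list nightly
 cli tclsh flash:/report.tcl
kron occurrence nightly at 2:00 recurring
 policy-list nightly
!
line vty 0 4
 transport input ssh
!
"""

# Each pattern names a configuration hook that runs Tcl code without an operator
# explicitly invoking it; group 1 captures the script or directory it points at.
TCL_HOOKS = [
    ("scripting tcl init",  re.compile(r"^scripting tcl init\s+(\S+)")),
    ("EEM Tcl policy",      re.compile(r"^event manager policy\s+(\S+)\s+type user")),
    ("EEM user policy dir", re.compile(r"^event manager directory user policy\s+(.+)")),
    ("kron CLI tclsh",      re.compile(r"^\s+cli\s+tclsh\s+(\S+)")),
]


def find_tcl_hooks(config_text):
    """Return (line_no, hook_kind, target) for every config line that runs Tcl automatically."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), start=1):
        for kind, pat in TCL_HOOKS:
            m = pat.match(line)
            if m:
                findings.append((n, kind, m.group(1).strip('"')))
                break  # one hook per line is enough
    return findings


if __name__ == "__main__":
    for n, kind, target in find_tcl_hooks(SAMPLE_CONFIG):
        print(f"line {n}: {kind} -> {target}")
```

Run it against a saved `show running-config` and review every script or directory it lists; a box with no findings still runs whatever an operator launches by hand.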

Last but not least, this is yet another reminder that the weakest link in a deployed environment (whether a network or a server farm) is the design and maintenance of security guidelines and practices.