Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Vendor: Cisco IOS Server Backdoor May Have Been Planted



 By: Lisa Vaas
2007-05-15
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Two vulnerabilities must align to enable a remote attacker to hijack the server. Is it just a coincidence they were both there at the same time?

A security vendor is questioning whether the IOS FTP Server vulnerabilities Cisco reported on May 9 may constitute an intentionally planted backdoor, as opposed to a series of programming errors that inadvertently led to a backdoor.

Chris Eng, director of security services at Veracode, is suggesting that possibility given that a remote attacker would need one of the flaws—improper authorization checking in IOS FTP—in order to exploit the second flaw—an IOS reload when transferring files via FTP.

In essence, an attacker can bypass authentication and avoid giving credentials because of the first flaw. The attacker then has to overwrite the critical startup configuration file, then has to cause the router itself to reboot in order to execute the rewritten configuration file.

Click here to read more about a Trojan piggybacking on Windows Updater.

Resource Library:
"Is it a coincidence that both flaws happen to be there at same time?" Eng asked in an interview with eWEEK. "Multiple things have to fall into place to really exercise the full extent of the attack. That seems a little bit odd. It kind of has the trademarks of what youd expect from [an intentionally planted] backdoor."

Together, the flaws open the door for an attacker to retrieve or write any file from the device file system—including the devices saved configuration. "That configuration file may include passwords or other sensitive information," Cisco said in its advisory.

The origin of the flaws boils down to a question of intent, Eng said. Cisco essentially said in its advisory that the flaws can be used as a backdoor. That could mean that an attacker could exploit the vulnerabilities to gain access to a router.

The backdoor allows a remote attacker to log onto the FTP service on the router without credentials, get onto the router itself and read or write any file on the routers file system. The startup configuration is what the router reads when it reboots, to seed its initial configuration. If an attacker can control that by overwriting, he or she essentially has control of the entire router.

The attacker could take the router offline, for example, or, more ominously, could route traffic to another destination where the traffic can be intercepted.

In that definition, were not looking at how the flaw got there in the first place, Eng said. "Were just taking it as a fact that yes, its there and yes, people could do bad things with it."

The flaws could well be simple programming mistakes. "In most cases, when a vulnerability in a piece of software is discovered and made public, its because of an implementation error on the part of the [developer not having] adhered to secure programming guidelines," Eng said. "Its just a mistake. Programmers do it all the time."

On the other hand, if the flaws are a backdoor, was it planted into the code base intentionally, by someone who gained access to the code base? Such could be the case with a disgruntled developer who had access to the code base, Eng said, or somebody who didnt already have access to the code base launched an attack on Cisco, gained access to the code base and surreptiously made changes. Then, once the code ships, such access to routers gets pushed out to all Cisco customers, he said.

If the flaws werent intentionally planted, then they at least highlight the need for more frequent and better security reviews, Eng said, given the number of versions of IOS that harbor the flaws "This is an FTP interface and an authentication mechanism," he said. "Maybe they need better focusing of security reviews to look at these critical components, and look at these things that are liable to be exploited. With five versions of 12 [affected, etc.], they might need to do this more frequently to catch these things."

Use of the IOS FTP Server is an optional service that is disabled by default. Users can disable use of the server by executing this command in configuration mode:

no ftp-server enable

Cisco has supplied other mitigations here in Ciscos Applied Intelligence document, a companion to the advisory.

Cisco hadnt responded to a request to comment on the issue by the time this story was posted.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.



  Reader Comments: Vendor: Cisco IOS Server Backdoor May Have Been Planted
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Lisa Vaas
 


x}r㶲s\@♵M=ҔlcؖgRJEĘ"H%g~u~|.g<5D th4{$sG7L{B.cnQ?sOG3齿O$w}L9UQ#C3W)92 E]0eNznDzpDwd>J`OS{S )5'Ӡ5ޙ Q}_6g2z9o0 fE63&6IE9JDq֥qɏB|2#ַ8>v@ߩV:AÙML}!*{>$E%k4ًʏqGOwɀYgF {.Q^Z -gt 4b'*cO^3lְB䅠1FE8 /t#wJ3q򿹓' ٪r'ӤbfHÑc7PwXS.HVf̴;gu[gb=ױ}ǣ# 3#v?ƭ?Q If [aWK g?LG`B'lǦ"Gml_j| sqHfjdHU o~cnK txz`:vzt\a_eY73mdۼMydijTӪrT5X;ߋWm8e/&Ne9z_{JY4E].;gW9~`h-v$ EeSs^_wD_*0QI- Y|/ Z@GS::YgN{_ x[^ ԊhGZAAv,f3} 3+i3*5dNߒ-~k~>E,[3SAT4 ̠K`W:k19zqsںy\7=rڽ&Iٙ{Ά0pgs Z_Zzn`KK'^CEXCyCa#U#3?_4>wNHN‰,-Yt7Q[,/s$B&rZT|Y|ěy#0ri4(.ߦAf@w[@0k:j56kiJuf!`FܼNR49Vϡ蟩$Wm4@r1)6B̄H )&7R<&,)|YB* brݢPP3>̧KdoF" 2#~B(pHqbNbϑWMCzjNTʊ0Wr{g,EށؓixnUO^ S3G#вnZsV)b1x+%YE*G@8ʍ??5m!S[ö@ .Ss+< |0F;}F{g0PP?: M/6G˥qfhj>'ݨä p;p|g͇v1s a {>0sF}j`I l"v|scм`yna23fC?F{7t( u,/{@`\@Z8`$8ʼE]q2>o  9#z[MKx Gť6N\KQo -2(%E2 EEKy3@ $h5az/mbo$w$]I+TbD8JnOu$;gJ_JEs㙰TL٣XB YX/_23CCɴh4Z*ȉ#m"0%X ,'Z X5ֲ fiZ\OG4MhȄ%1@μs2H`0HCb;N-: x9o@Cys;J`p=Ͱ"̴b֜u4dMfB7g Ʃ9 R g?fx0-qڛ:uVw]ˤF|a* ,qF! 3=Ͱ&q8+owzjré&9|YrY2ۿi R*MmUPS7˕L4+׬uPM g2)*[hs< 9:ȭM7)\IYbT9XScX`D~w Lzb0ufm/n$)`V|\uΖMkͲ{_No6ҁveXZ @-Ui -a70Ԣ(P|M$"!tsaͰ,C /0k断,0!.(2n( ,9قrij><:NX鹞~om0TNϣ(a!w1 ZJkX"L M=t%\4(e\8XbO`.#Všc-fˋ°w^]v˦?~5l2^ۄC= 0͉V*a0؋TMk<ݝvmZB_` /Ƥ_$I?րH{A2,exY΁5mIr 'jY$ Ei.0y$pO RN}'Xk5F>սT:cDA#Ez . @ ЏBrAaj H"T `nR@;kRUԓtZC ^~~ JE:dzt4}ڣnssQ*J73 R|ۏjZ(T+15UT9*J7+|&9)R3KG)Nb_ޝoh`1gRJo/m^:J_09X>: ;212&cQ av5 1;?VkJB2By^Yhw\rR" Qptoգ)u7ufv9A#]#@$2]r@ XQj0qs;M?bL%Jt( ֹB\U4Ue`wk* :@!G:0ݛ,()yന^u/iYS)&V$tu| `_ nM==WK$*X# 4k 0Y[ ⺪TjՂʾ_YN+^> (Lu0Ȑ%=GlThm⻏.1Ul$R*lC01^*== 7S_ -ʖ~g˦ɪՆ'QyϤ͋p|5] |b9s#ONq釛Lk s0SIl7xv@̬}#w6霎0 M`}G ϣ1W5% `,fqN'GA:+lnBs0X3f~Wk*tx{Wz&[wܕ[ ܱ B-oc d.ōfπïǖ mԚVNM&Vi Z;zGd!9 =!?s/=Zip>lz*%\.Yid {2u9p\s[?nHCo`s_ 车P9ɷwnh‰/lCXx|{ `?K{e, ,"zдR#.=2fV(Yō?hhqL _\}?؇^Ѫۣ%&b |* N=A$KO}y9|g| 8}_UwA;QAZr{q 4 }U\ڿU/[R&øDoٷ)P K #F1>dd˙]=+boVta؆ۧ0F@IDW~Bh^\/~tϻ(9\dcxx\O#;R%9!hUHv:<aShmǛ&a֏5!F蹑a3 "m@Kվ̂KӜ$"j?N3dn ʣF4Skޚ( V`!旁1d|PR# (ʑ=`=` VwuN .f_dBAnpkz!NU He*4Д+e3ѓ:)K+y-EY-V6y;qz])LU9$gy/uϏZEbݙms==vc%vd:Gw*b9,_=hrrӅ[ey$smCgLرD}4%/5g3 \:`A)cn ~]ު9Gqܘx,3ueNx?HАߙ=p8#M[_:ܓ9HwNA}i^wl'UzyZ J}~l/t6D(jy[a{wCWȪ̅S.{ۋ~g#S^q:-< ctH_/l臵4 Z^+U@< b]_ I{Oz[6N Ģ762~1O O=pԶ؉Exyg,d9a}430[ɱ=Ιd<J;oݭnM L ?#A;"J [4 2UCnK&Z1qE0pHVa'$\}1 ߊ;bE Qm!ZQ|=N83{K8jRSWW&6o)?.wi{\naa0^ ="s(ı߂KCƧ3ӆUe[#Y!02%oN/Q"Ǧe*ĴS'z:1-%,3/[o<w4pudn(!eFe3ZUj?F7R=O: ~BB5]1vðoms<4G<~1o= mK؄2߀çZM0uǀ~cnv|>a: K{>BגǪZ)%}<~(\:s'N{{;3ZDNI 1iv}.ψAbܒ 7طAdB}t,DP wQY# frM`Xn7^O[k~#&K >?j=vP)kZr$F- ~2bZuzH 9ghl!);~HN n4|nY ;,S"?ksI  0#B[JlxSr)rP#$co<՛E7ހV$$n=?2/S&h~- naP$ !1WQ.6v%*i[3O32Vc0$`i"W *үsZBjC \Jmūr&tam™*K L8`<& h{ B<Ǿ+#btжX|v-guDR[L~"D b"%!P>f ĹmOJHvⷚZޖJoNFtFY2P/zJY)*ҍͤ3's$BfA.ll[sR-l(ggkszROjљY)0GsHML&i53'JΠ[>ao#EO"JHiTJa=6Jdvl5@X6 ^d06v*p߰ r2ת8FƋ {yYyYyYyYX. ObEnt_XHR\-/M&2 X|yci_gfzDo9>8GJ|ĤԔQ?<)4/ktMKʷYaq> |nA -jLW⅗`xDƳڒO ϭG۟:;,ǹ4EU=/}t% 5J JZܠd8C"G8̯"882hjDؙ_ْUsQMR/p<8v0;2H2}e5gt#\=J,It$!̃8g ףPK건i<-YBZ)J A8D-PC겋|UQ oG* u꬧jY=<'ؒ۹b&CkL(:zl>HcǓz[$||Hdﻤ}~s}s}s}sr_Y6z,\#8>6[_rƘg9bg B ;#sʛg-mk~m zn,/ot6„8F2rCu30a! y5|4R;إv҃yT9zSϴA& [.حTy oNB B" 5v"E%*n:u mh}(es<0(>3[Oe^F;mD.x2[آ˻͆S *ҥWO:s_:Y A}I mĨk;@^0yI}0|[ _sӣI: {]Xojcj/yJ#H1.8-"?xT }\I͡3#=S9pJ08Ϋ"KBw!Cc]_a.Dr֑f\co b_fit24VػSz˙8JVk& 3hΝco(j5?}Cjg闶UpmzQ}}`2V_Ӳ뿓$yh1(/A1D+b@/j }?Fa3:^GDKnb+n\@,ۉa)ȁ.c"1ʱ, <ߋn! vl?QX2SB6 KfRlǛ aeS,Y4K711\R4RSK.}KRG*+N+ߥtW BZc{cWes[ɣ.j"2, jD#0Z`W>bTi <)fF<@&L8`;bwC=Vڹ:q yK-y.FcFI2㙛UuȓєgE[TvXj 14;7^|2$n&~iX1r>H':t=jh D:ѤJd mh]P)ϑVPJj\=rC;dJ}yjUS*ZYQ +QLk]]OtXiec=Hy1~RI+mݳi8.<Rt<H ,G J6_KEś'0m˖C/0Ÿn54#Ծ3=F #1/VWk)' +K-^`=%U$d[j4K$¨ӔAJLa rۺm6AIt KG/HkW"Yc6يj ãUQwLm rBیh%=mPd 4&/87c Ą[)bUfwܠ~z*ڟOe^f#n_(5 oU@8AnKis4|>N &}&`Cq -rt&7\9P[/8F_ 6a^zGZq!IG) }o #b2zޘ7# XZ `Oh$~b ɓ2uFf."T( #`Nmv9'yo_*!hQ_o-uY tfZEs0~ ,@Nxl0Wq1  [z.p5:0[:?ra)?Do9fH s ߎ훟/{JM)`#s~! 6L Dä"c*41GJ[#}s uǤۭpxX0!,YC) Q?cǞ3#H 1bNx Ys6#&|MY$D&o`bWoP$P`+wdc||9OgH"0XJCS "PV: 1Ci^bJ ͍$u~KVK X`,2E<ezY<>swe~rt6/0͇33< f;. l9 :W@ g>򽉡0us;sSRC´vxX-><& .ycI ^yN4X+lhhc|?ݩ9e/( @Ka1c~PoVR$4 >(>gٕa)豪7)4 ;eeK=M蕴B%^Șq~/Ywo: &O=lFLnϡyuuvI^ۤwrݹw}޽S֚_ԝnIi}uݹ31F;6M&E`<ejE)sC9ӿXԞpm.4 "Gd;πW}VX\m[e;MjV}QyxQ3Q+Q~ כO͌.w3ʑ[@V;O6}N3!>Bg\㬳5:r_'\fC;k( 7 05.2_d^dsA " ϋ O /?A3(?(#/2a|/32C~.a.3Ư f _ *?32  l.1>ArS~~2w7Y7{dwɹN2!(ofY NOoT8\8_JeYW@a uyQ^ }VV<_`fkWt.rf_2 ̭L_;W'Vr]!,.5PUZk3/Y3ݴ6q 6 S\ȜHW0'f[ 똘|,y|e8Ntw<1 }^fh#]~̬( (GUtKn y;r%>| #r75iohg?>/yd֦WVFkp'k͠~%s"N^O>^wҾl= 쓥/>gA7gn"B8#w0 dH= _\0vZ{衜+ 7\z{ǙebIP*5VZ*{5  = #b3jJ]N-JTL3BAzG l]{ۦJ̾ZCO3CX)ḇ}̺l5G P1=:1bۨ,*Yۼx0%aw8cokx;b(q ?,(s[^Fl12W!+\ř_pot1R  {{[1g7ډ5 u¿.ө+p&#ӄwY!DӸx4@;4Dݴil1@Й zdLdp!gB-Kt!މPeD˦U憄B`G:՞/knnu–'*F'B;Nħ`ػKlg-!X5RǬ TDxaw. ]C?Bw Ńq`a\m8ʹI(q0ASփMΊqe>L6Zo/TùLH#D֣cK߱iB .~W, {+2‡_i Z3tHϱ[ctf&}#K^'z >IϐR8K)P%)^xzA߭Ud#ə B| ,+- O*HQq1^R”s]q5{to4Oe;BI<-<~z9o %P@EikI/?tI3軉Wd&%}YQ v.ycьU%$tnP/9"Ź oPmBO0wKw ,CR6N>Lb9!x]읚6^<#ɿع Ә1J1А8v2COA#t Oke[ O2OC24`)yc<9zn:6Ȭ 'LwD5&Tc :۳|? Oe Lt8/o90kn>7Q$L{ izQڃˬ`+슧p ?dtE#b[p!@>pEg*QTD KQ)Ybd㜙699je Ǣ8"U];6sP/>yGׂ=Q'a|ht-+^FL‡!Ү\)Vbʕ.Sܟ=B[Ηaқ "ݝ,{QFbfBq-E6<]܈x~{ݺŀg OTx.XU\(siȅ+`j7E]EtACwϏq`2[u~Z[8KIZ epCikZ+ 0DqS XǢVWqTR:!; /D?8 ciL;acXJ ,oԛ'TS*4.v>ϝ>Z\99ZpϢq9q3E~#V+KVw9^5FElT$bB=Ay4O~փ!gn耵]1nBO .&DW6K54Ƙb~q1LX+0_mkASsLeU|tCGYEL`&;]+N%t&ж?8acT 1L(_^,RYדWv!{ZqƋ|E>WNENE<<Sf}')VSL_Xџ_,P>I*g\ƕy_Sq|>o\7,{ٗNχ<|XYx(~']f(FRqO\||8)>wc3-/=n%-EKB^i B"Ewl:񲞽P7v r9̳p7*Р~oQWVIGv3HZ\֓Rvᷮ g۲M*d.%rR⚫W+EiQ}&' Cfan-nǝl| n%96L]_[ P)\)(