IOS firmware diversity, the unintended consequence of a complex firmware compilation process, has historically made reliable exploitation of Cisco routers difficult. With approximately 300,000 unique IOS images in existence, a new class of version-agnostic shellcode is needed in order to make the large-scale exploitation of Cisco IOS possible. We show that such attacks are now feasible by demonstrating two different reliable shellcodes which will operate correctly over many Cisco hardware platforms and all known IOS versions.
We propose a two-phase attack strategy against Cisco routers and the use of offline analysis of existing IOS images to defeat IOS firmware diversity. Furthermore, we discuss a new IOS rootkit which hijacks all interrupt service routines within the router and its ability to intercept and modify process-switched packets just before they are scheduled for transmission.
This ability allows the attacker to use the payload of innocuous packets, like ICMP, as a covert command and control channel. Furthermore, the same mechanism can be used to stealthily exfiltrate data out of the router, using response packets generated by the router itself as the vehicle. We present the implementation and quantitative reliability measurements by testing both shellcode algorithms against a large collection of IOS images.
As our experimental results show, the techniques proposed in this paper can reliably inject command and control capabilities into arbitrary IOS images in a version-agnostic manner. We believe that the technique presented in this paper overcomes the last hurdle in the large-scale, reliable exploitation of Cisco IOS. Thus, effective host-based defense for such routers is imperative for maintaining the integrity of our global communication infrastructures.
Ang Cui is currently a PhD student at Columbia University in the Intrusion Detection Systems Laboratory. His research focuses on the exploitation and defense of embedded devices. Before starting his PhD, Ang worked as a security specialist within various financial institutions.
Jatin Kataria is pursuing an MS in Computer Science at Columbia University. He is a Graduate Research Assistant with the Intrusion Detection Systems research group at Columbia. He has published a paper and worked with McAfee for a year in the area of information security.
Salvatore J. Stolfo is Professor of Computer Science at Columbia University. He received his Ph.D. from NYU Courant Institute in 1979 and has been on the faculty of Columbia ever since. He has published over 200 papers and books in the areas of parallel computing, AI knowledge-based systems, data mining and most recently computer security and intrusion detection systems (see www.cs.columbia.edu/ids). He has been granted 27 patents. His research has been supported by DARPA, NSF, ONR, NSA, CIA, IARPA, AFOSR, ARO, DHS and numerous companies and state agencies over the years while at Columbia.