I N T E R N E T   C O R E

The Internet is a network of networks. A key building block in this definition is the so-called Autonomous System (AS). From a high-level perspective, the Internet is composed of a large number of ASes which cooperate to exchange and carry data across their links. Several intra- and inter-AS routing protocols running on backbone routers are responsible for distributing routes in the control plane, across the world. The intra-AS routing protocols (e.g., RIP, OSPF) are used internally within an AS. The inter-AS routing protocols (e.g., BGP) are used to connect different ASes, and in this way the network of networks is created.

Routers are the devices responsible for connecting network nodes. In particular, backbone routers are hardware components of the Internet core infrastructure. They connect the ASes and are in charge of worldwide traffic routing.

L G

When debugging BGP routing problems, NOC operators often face issues affecting only a few ASes. Such problems are harder to debug due to the lack of a view of the remote routing table. For this reason, a new category of web applications emerged in the '90s to permit a restricted set of operations on AS routers and route servers by the general public, over the web. This kind of software is usually referred to as a "looking-glass", as it offers a local observation point to remote network engineers.

Looking-glasses are web scripts, usually implemented in Perl or PHP and directly connected to routers' admin interfaces (i.e., telnet or SSH). These scripts are designed to relay textual commands from the web to the router and print back the router's replies. They run on top of common Linux/Apache stacks, and sometimes provide additional utilities for latency and traceroute measurements.
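The relay described above is where a looking-glass must enforce its trust boundary: the web "argument" parameter should never reach the router session unless it is exactly the kind of value the exposed command expects. The following is an added, constructed example (not code from any looking-glass project named on this page) of a hardened relay core: a fixed allowlist of commands, an argument accepted only as a canonical IP address or CIDR prefix, and a single choke point that hands one command line to a session writer. The command templates and the `send` callback are assumptions standing in for a real telnet/SSH session.

```python
"""Hardened command relay for a looking-glass front end (constructed example)."""
import ipaddress
import re

# Allowlist: the only looking-glass operations exposed, each mapped to a fixed
# router CLI template. Templates are constructed for this example; a real
# deployment uses its own vendor syntax.
COMMANDS = {
    "bgp": "show ip bgp {target}",
    "ping": "ping {target}",
    "traceroute": "traceroute {target}",
}

# Only characters that can appear in an IPv4/IPv6 address or CIDR prefix,
# with a length cap so oversized input is rejected before parsing.
_TARGET_CHARS = re.compile(r"[0-9A-Fa-f:./]{1,64}")


def parse_target(argument: str) -> str:
    """Return the canonical IP address or prefix contained in `argument`.

    Anything else (hostnames, whitespace, pipes, newlines, CLI options) is
    rejected here, so it can never be concatenated into the router command.
    """
    arg = argument.strip()
    if not _TARGET_CHARS.fullmatch(arg):
        raise ValueError("argument must be an IP address or prefix")
    try:
        if "/" in arg:
            return str(ipaddress.ip_network(arg, strict=False))
        return str(ipaddress.ip_address(arg))
    except ValueError as exc:
        raise ValueError("argument must be an IP address or prefix") from exc


def build_router_command(command: str, argument: str) -> str:
    """Map validated web parameters to exactly one router command line."""
    if command not in COMMANDS:
        raise ValueError(f"unsupported command: {command!r}")
    return COMMANDS[command].format(target=parse_target(argument))


def is_rejected(command: str, argument: str) -> bool:
    """True when the request would be refused before touching the router."""
    try:
        build_router_command(command, argument)
    except ValueError:
        return True
    return False


def handle_request(params: dict, send) -> str:
    """Validate the web request and pass one command line to `send`.

    `send` stands in for the telnet/SSH session writer (assumed interface):
    it takes the command line and returns the router's textual reply.
    """
    line = build_router_command(params.get("command", ""), params.get("argument", ""))
    return send(line)
```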



V U L N E R A B I L I T I E S

  • MRLG4PHP
    • CVE-2014-3927: Remote command injection into the router's console via the "argument" parameter
  • Cougar LG
  • Cistron LG
  • MRLG
    • CVE-2014-3931: Remote memory corruption in fastping (SUID binary)

I N C I D E N T S

Some of these bugs (in particular 3927, 3928, 3929, 3930) may directly or indirectly result in exposed IPs, usernames, passwords, SSH private keys and remote command injection into the router's console. Depending on the specific infrastructure setup, this may translate into an attacker having live access to the routers' CLI.

During the study, we detected around 45 incidents related to the above bugs, which we have already reported to the affected NOC contacts, whois contacts and national FSIRTs for further handling. Advance private disclosure to the affected entities was performed on 2014/06/02.

A summary of the incidents we spotted in the wild is shown in the table below, with geographical distribution of impacted ASes.


Incident type                  Count
Exposed configuration files       28
Remote command injection          12
Misconfigured CGI                  4
Exposed SSH private keys           3

I M P A C T

A looking-glass is an often overlooked critical part of an operator's infrastructure, as it sits at the border between the public web and restricted admin consoles. As such, an attack against this component may escalate from basic web scenarios to advanced worldwide networking threats.

Our results were aptly summarized by one anonymous WOOT reviewer:

Find old, open-source web apps that no auditor has ever touched before yet are used on extremely high value systems. Bloodbath ensues.

Anonymous reviewer, WOOT '14

Many post-exploitation scenarios exist, and they depend widely on the actual network configuration. After abusing some of the above issues, an attacker may actually be capable of logging into backbone routers. Here, we just highlight some of the possible attacks that came to mind:
  • Gather and re-use credentials shared among several systems:
    • Private SSH keys
    • Logins and passwords (we have spotted exposed root passwords too!)
  • Dump router configuration to:
    • Brute-force weak passwords
    • Crack weak hashes, e.g., on Cisco
    • Discover and map internal/private/customer networks
    • Map and DoS external control-plane endpoints, e.g., BGP peers
  • If needed, escalate privileges to admin console by:
  • Once admin, change router configuration to:
    • Inject malicious BGP routes, e.g., to hijack other prefixes or to saturate remote devices' tables
    • Manipulate OSPF/ISIS/MPLS tables, e.g., for rerouting or DoS purposes
    • Set up your own BGP/GRE/MPLS/etc. channels, e.g., for traffic mirroring
    • ... (Put your favourite cyber-terrorism scenario here)

R E P O R T S

More detailed analysis of bugs, exploitation scenarios, incidents and impact can be found in the following proceedings:

A U T H O R S

Mariano `emdel` Graziano and Luca `kaeso` Bruno from Eurecom, with credits to NOPS crew.