This evening, I noticed a paper in the SANS Reading Room entitled “IOSTrojan: Who really owns your router?” (PDF). The paper was written by Manuel Humberto Santander Peláez as part of the requirements for the GCIH certification.
To entice you to read it, I’ll simply include one paragraph from the Introduction:
Cisco routers are not able to perform additional functions to the ones supported on the level 15 privileged mode. Beginning in IOS version 12.3(2)T, Tcl has been included in Cisco IOS as the native scripting language for the platform. With this language, the router is able to send email, send files or perform any other task as a result of a Tcl script execution. We will show in this paper how powerful Tcl scripting is. A Tcl script will be demonstrated that can fully take over the Cisco CLI and become a full Trojan that can hide special artifacts like GRE interfaces.
Manuel’s paper contains proof-of-concept code and is definitely an interesting read.