Through the Looking-Glass, and What Eve Found There Luca Bruno, Mariano Graziano, Davide Balzarotti, Aurelien´ Francillon EURECOM ffi[email protected] Abstract of software flaws and widespread misconfigurations in “looking-glass” software that offers limited web-access Looking-glasses are web applications commonly de- to backbone routers. ployed by Autonomous Systems to offer restricted web The paper is organized as follow. In Section1 we access to their routing infrastructure, in order to ease re- introduce the concept of “looking-glass” software as a mote debugging of connectivity issues. In our study, we public-access network debug tool, and its typical code looked at existing deployments and open-source code to architecture. Then, in Section3 we outline a possible assess the security of this critical software. As a result, threat model, along with some of the most severe men- we found several flaws and misconfigurations that can be aces. Furthermore, in Section4 and5 we present the re- exploited to escalate from a web attack to a remote com- sults of the software review we did, and we describe the mand execution on backbone routers. indirect experiments we performed to confirm our find- This paper summarises the results of our study, and ings. The most relevant statistics and results of our ex- shows how even an attacker with very limited resources periments are shown in Section6, along with an empir- can exploit such flaws in operators’ networks and gain ical rough estimation of BGP injection feasibility, based access to core Internet infrastructure. Depending on sys- on historical records. Finally, Section8 summarises our tems configuration, these attacks may result in traffic dis- findings and give some insights on the current state of the ruption and global BGP routes injection, with severe im- Internet infrastructure. plications for the security of the Internet. 2 Background 1 Introduction An AS infrastructure is composed of several network ser- The Internet is composed by a large number of Autonou- vices, each handled by different systems and devices. mous Systems (AS) which cooperate to exchange and For the purposes of this paper, we will limit our focus carry data across their links. Several intra- and extra- to just two categories of systems that are strictly related AS routing protocols running on backbone routers are to Internet routing: backbone BGP routers and Linux- responsible for distributing routes in the control plane, based route servers. across the world. Some of those protocols, however, have not been designed with security in mind and are not • Backbone routers specifically resilient against malicious agents [1]. The worldwide Internet backbone is run on top For example, the Border Gateway Protocol (BGP) [2] of dedicated network devices capable of acceler- takes care of extra-AS routes distribution, but any mali- ated packet routing in the data-plane, using custom cious or wrongly configured AS can hijack and re-route ASICs and dedicated hardware. prefixes owned by other ASes. Therefore, most of In- These devices run a custom OS and control-plane ternet routing relies on the assumption that no malicious stack which is responsible for computing the rout- BGP routers are ever allowed to announce bogus routes, ing topology, e.g., by participating in BGP sessions and that the existing routers are benign and properly se- with neighbors. In addition, all these devices have cured. one or more interfaces for remote and out-of-band The aim of our study is to show how these assumptions (OOB) administration, like a telnet service, a SSH do not hold true in the real-world, by focusing on a series service, or a remote serial port. The access to these AS64497 AS64496 Private net Public net Internet NOC NOC AS64498 Public web (looking-glass) Private admin (telnet/SSH) NOC Public IP (data+BGP) Figure 1: Looking glass architecture. interfaces should be strictly restricted to Network Looking glass Language Release (date) Operations Center (NOC) operators and authorized Cougar-LG [6] Perl 1.9 (2004-11-25) AS personnels. Cistron-LG [7] Perl 1.01 (1997-10-21) • Route servers MRLG [8] Perl 5.4.1 (2007-08-30) Routing software exists for traditional Linux- MRLG4PHP [9] PHP 1.0.7 (2007-10-11) based servers to establish BGP sessions with other routers and servers. Two prominent examples are Telephone [10] PHP 1.2.0 (2012-10-01) Quagga [3] and Xorp [4], which are used by several operators and are under active development. Table 1: Open-source looking-glass software. The usages of route servers are multiple, from pro- viding a read-only copy of the global BGP table to tional utilities for latency and traceroute measurements. allowing scripting of BGP rules (e.g., by using tra- Figure1 briefly shows their typical architecture and de- ditional UNIX utilities). Also these servers can be ployment. accessed out-of-band by AS personnel, via telnet or We decided to focus our attention on looking-glass SSH. software, as most of them are small and old web- Some public services exist, like the Route Views applications that have been last updated in early 2000s. project [5], which provide unrestricted telnet access In this paper we analyse what we found to be the most to their route servers to expose a read-only copy of commonly used open-source software looking-glasses, the BGP table to analysts and researchers. How- as listed in Table1. ever, those services are purposefully meant for pub- lic access, and are therefore outside the scope of this paper. 3 Threat model When debugging BGP routing problems, NOC oper- A looking-glass is an often overlooked critical part of an ators are often facing issues affecting only a few ASes. operator infrastructure, as it sits at the border between the Such problems are harder to debug due to the lack of a public web and restricted admin consoles. As such, the view on the remote routing table. threat model encompasses both the typical web security For this reason, a new category of web-applications scenario and some more custom networking threats. emerged in the ’90s to permit a restricted set of opera- We categorized some of the most relevant issues as tions on AS routers and route servers by the large public, follow: over the web. This kind of software is usually referred as “looking-glass”, as it offers a local observation point to • Reverse Cross-Channel Scripting (Reverse-XCS) remote network engineers. Reverse-XCS are defined by Bojinov et al. [11] as Looking-glasses are web scripts, usually implemented “the use of web interface to eventually attack a non- in Perl or PHP and directly connected to routers admin web channel”. interfaces (i.e., telnet or SSH). These scripts are designed In our scenario, this translates to two relevant cases: to relay textual commands from the web to the router and print back the router’ replies. They run on top of com- – Malicious command injection mon Linux/Apache stacks, and sometimes provide addi- Bypassing a weak or non-existent commands 2 sanitization, an attacker may trick the looking- as plain-text to anyone querying the proper URL. By in- glass into sending malformed commands to a specting source code and looking at default file names, it router console, e.g., to trigger a DoS on the is possible to guess the URL of configuration files and, if control-plane. not properly protected, retrieve them. – Routing Information Base (RIB) manipulation Finally, some software allows advanced authentication By exploiting flaws in the looking-glass, an at- methods, for example by using SSH public/private key- tacker may inject arbitrary commands to ma- pairs instead of cleartext passwords. In this case, the nipulate the RIB on the router, e.g., by chang- path to the SSH key is stored in the configuration files, ing the BGP configuration. If the attacked instead of the full passwords. However, the SSH keys router relays its topology to neighboring ASs, themselves could be stored by mistake in the same path, this may also affect remote networks. openly readable to the entire world. • Web flaws 4.2 Poor network policies Typical web threats applies here too. In particular, we highlight two of the most relevant cases: Backbone routers are parts of a critical infrastructure and as such their admin interfaces have to be properly se- – Exposed routers credentials cured. Cisco’s own best practices [13], for example, rec- The configuration files of a looking glass con- ommend exposing consoles only over out-of-band loop- tain IP addresses, usernames, and passwords back interfaces, unreachable from the public Internet in cleartext. If not properly secured, an at- (e.g., by using private addresses and placing them in ded- tacker may be able to gather credentials by icated admin VLANs). guessing the URLs of configuration files. However, some operators may decide to put loopback interfaces on publicly routable networks, or to expose ad- – Cookies stealing via XSS ministration services on all router’s interfaces. In such Even though looking-glass applications are cases, a remote attacker may be able to directly login usually unauthenticated, an attacker may ex- onto them, e.g., by using stolen credentials. ploit XSS flaws in them to gather admin cook- ies for other administration web-applications served under the same-origin domain. 4.3 Web security It is usually recommended that actionable web applica- 4 Threat Analysis tions make use of captcha or other automation blocker to avoid scripted attacks [14]. While this may not look like 4.1 Misconfigurations a big issue for looking-glasses, the lack of this counter- measure can effectively help an attacker to automatically Misconfiguration or improper access control of resources map resources in an AS infrastructure and scan them for are two of the most basic, yet important, issues for web information gathering.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages8 Page
-
File Size-