Could someone place a rootkit on an internal network through a router?

Could someone place a rootkit on an internal network through a router?

Is it possible to gain access to the internal network under the following circumstances: A Cisco Internet border router has TFTP running without SSH, and a bad guy gets the credentials and owns the router, then uploads a new configuration opening ports up for communication. Would the only possible attack be a denial of service, or could a rootkit be placed on the internal network?

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

Without knowing how the internal network is protected by a DMZ, it would be difficult to say how easy it would be to breach. But this situation, on the surface, sounds quite insecure.

TFTP is an insecure protocol, used mostly for transferring configuration files between routers in a network; it's insecure because it transmits data unencrypted in clear text, doesn't require authentication and is based on UDP. The first two issues are the most critical from a security perspective. If the configuration files are transmitted unencrypted, they can be intercepted, read and manipulated. If they're transmitted without authentication, anybody can access them.

So why would anybody use TFTP? TFTP sits on servers that are accessed by Cisco Systems Inc. routers for updating their configuration files. Some networks still need to run it for backwards compatibility with older network hardware. However, it should be replaced with SSH, which encrypts its traffic and requires authentication.

Again, without knowing if the internal network is protected by a DMZ, it would be hard to tell if compromising the border router would compromise the entire network. Either way, compromising any router with access to the network doesn't bode well for the security of the organization. For instance, if someone controlled access to the routers in the system, and was able to change the configuration files through manipulation of a weak TFTP server, he or she could gain access deep into the network. A denial-of-service (DoS) attack is only one possibility; an attacker could unleash a whole range of malware, including keystroke loggers to obtain account credentials.

Also, if the routers on the network were compromised, the attacker would then have the necessary access to control the servers or hosts on the network, as well. And with server access, installing a rootkit into the operating system would be no problem.

For more information:

This was first published in October 2008