Engineering school and research centre in digital sciences

Through the looking-glass, and what Eve found there

Bruno, Luca; Graziano, Mariano; Balzarotti, Davide; Francillon, Aurélien

WOOT 2014, 8th USENIX Workshop on Offensive Technologies, 19 August 2014, San Diego, CA, USA

Looking-glasses are web applications commonly deployed by Autonomous Systems to offer restricted web access to their routing infrastructure, in order to ease remote debugging of connectivity issues. In our study, we looked at existing deployments and open-source code to assess the security of this critical software. As a result, we found several flaws and misconfigurations that can be exploited to escalate from a web attack to a remote command execution on backbone routers. This paper summarises the results of our study, and shows how even an attacker with very limited resources can exploit such flaws in operators' networks and gain access to core Internet infrastructure. Depending on systems configuration, these attacks may result in traffic disruption and global BGP routes injection, with severe implications for the security of the Internet.


Title: Through the looking-glass, and what Eve found there
Type: Conference
Language: English
City: San Diego
Country: United States
Date:
Department: Digital Security
Eurecom ref: 4363
Copyright: Copyright Usenix. Personal use of this material is permitted. The definitive version of this paper was published in WOOT 2014, 8th USENIX Workshop on Offensive Technologies, 19 August 2014, San Diego, CA, USA and is available at:
Bibtex:
@inproceedings{EURECOM+4363,
  year = {2014},
  title = {{T}hrough the looking-glass, and what {E}ve found there},
  author = {{B}runo, {L}uca and {G}raziano, {M}ariano and {B}alzarotti, {D}avide and {F}rancillon, {A}ur{\'e}lien},
  booktitle = {{WOOT} 2014, 8th {USENIX} {W}orkshop on {O}ffensive {T}echnologies, 19 {A}ugust 2014, {S}an {D}iego, {CA}, {USA} },
  address = {{S}an {D}iego, {\'{E}}{TATS}-{UNIS}},
  month = {08},
  url = {http://www.eurecom.fr/publication/4363}
}