Didier Stevens

Wednesday 5 October 2011

The Matryoshka Router

Filed under: Networking — Didier Stevens @ 0:00

I had an unpleasant surprise when I connected a new Cisco 887W router I had just configured to the Internet via its ADSL interface.

As it was the first time I worked with an 887, I did an nmap scan of its ADSL interface to check that I had closed all ports. Surprise: ports 2002, 4002, 6002 and 9002 were open. Even bigger surprise: I could log on via telnet to these ports with the default password, although I had changed it…

I’m omitting the details of how I figured out what went wrong, so here is the explanation.

The 887W has a wireless interface. But in this particular router, the wireless interface is not integrated in IOS (that’s Cisco’s IOS, not Apple’s iOS) as it is in other wireless routers such as the 877W. In the 887W, the wireless interface is a service module with its own IOS and configuration. Both devices communicate with each other via a Gigabit interface.

The router IOS can be accessed via the serial console. The wireless IOS cannot (at least not directly).

To list the installed service modules, you issue the service-module ? command on the router CLI:

  wlan-ap  Service module interface to embedded AP

To access the wireless CLI, you issue the service-module wlan-ap0 session command on the router CLI, and you get a telnet session on the wireless CLI. After I configured and hardened the wireless IOS, the ports were still open. The service-module wlan-ap0 status command displays the following information:

Service Module is Cisco wlan-ap0
Service Module supports session via TTY line 2
Service Module is in Steady state
Service Module reset on error is disabled
Service Module heartbeat-reset is enabled
Getting status from the Service Module, please wait..

  Image path       = flash:/ap801-k9w7-mx.124-21a.JA1/ap801-k9w7-mx.124-21a.JA1
  System uptime    = 1 day, 6 hours, 0 minutes, 51 seconds

Notice that the session is accessible via the router’s TTY line 2. After I put an ACL on this tty (with the router CLI) to deny all traffic not originating from the internal network, all 4 ports were closed on the ADSL interface.

Another detail that is good to know: when you are connected to tty2, all ports are closed (because you can have only one session on tty2).
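The four open ports follow Cisco's reverse-connection numbering, where a TTY line N is reachable on ports 2000+N, 4000+N, 6000+N and 9000+N. The following audit script is an added example, not part of the original post: it scans a saved running-config for absolute-numbered TTY lines that have neither an inbound access-class nor `transport input none`, and lists the ports each one exposes. The sample configuration and ACL number 10 are constructed for illustration.

```python
import re

# Cisco IOS reverse-connection port bases: telnet, raw TCP, binary telnet, Xremote.
PORT_BASES = (2000, 4000, 6000, 9000)

# Constructed sample resembling a router with a service-module session on line 2.
SAMPLE_CONFIG = """\
line con 0
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0 4
 access-class 23 in
 transport input ssh
"""

# Same config after applying an inbound ACL to line 2 (ACL 10 is hypothetical).
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    " transport input all", " access-class 10 in\n transport input all")

def reverse_ports(line_no):
    """Ports on which TTY line `line_no` accepts reverse connections."""
    return [base + line_no for base in PORT_BASES]

def exposed_tty_lines(config):
    """Map each unprotected absolute TTY line number to its reverse ports.

    Conservative: a stanza is flagged unless it carries an inbound
    access-class or 'transport input none'. con/aux/vty stanzas are skipped.
    """
    stanzas, current = {}, None
    for raw in config.splitlines():
        header = re.match(r"line (\d+)(?: (\d+))?\s*$", raw)
        if header:
            first = int(header.group(1))
            last = int(header.group(2) or first)
            current = stanzas.setdefault((first, last), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None
    findings = {}
    for (first, last), body in stanzas.items():
        has_acl = any(re.match(r"access-class \S+ in\b", l) for l in body)
        if not has_acl and "transport input none" not in body:
            for n in range(first, last + 1):
                findings[n] = reverse_ports(n)
    return findings
```

Run it against the output of `show running-config` saved to a file, then confirm the result with an external port scan of the WAN interface.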


  1. I don’t think that many would have done such investigating … but your name is Didier Stevens after all!

    Do you think it’s an accident or by design? Have you considered asking Cisco about it? If it is a bug, surely they would be very interested to know about it and do something about it immediately?

    Comment by Iain — Wednesday 5 October 2011 @ 15:55

  2. @Iain No, I don’t think those ports are open by accident. @qxam told me he has seen this too with other service modules.

    Comment by Didier Stevens — Wednesday 5 October 2011 @ 16:01

  3. It’s scary how much stuff is open on the WAN interface of home routers (which, admittedly, Cisco gear isn’t). For example D-Link 502’s give you direct access to the ADSL modem on the router via port 22 (!!), which I found as I did a token scan and wondered why SSH was running on there (it wasn’t, it’s just listening on port 22 for anything that comes in over the WAN, with no way to disable it).

    Comment by Dave — Saturday 8 October 2011 @ 0:33

  4. Hi there.
    I have just discovered the same!
    If someone has entered the console of the wireless IOS console, what could they have done to my router?
    I mean, could someone have used this to the router IOS to make some malicious stuff?


    Comment by Jack — Thursday 12 February 2015 @ 19:48

  5. It could be. Take a look at your logs to see what happened.

    Comment by Didier Stevens — Thursday 12 February 2015 @ 21:51

  6. In any case, this router was in front of a firewall which restricted the access to the https of one server behind the external interface of the firewall, how could this person have changed the configuration of the wireless IOS to do so? In addition to it, it is not possible to enter the router IOS from the wireless IOS console, and even if it could have been used to create a wireless access point, the device is located in a computer room in the basement, far away from any possible signal’s range. What’s your opinion?

    Comment by jack — Friday 13 February 2015 @ 7:40

  7. Were ports 2002, 4002, 6002 and 9002 blocked by the firewall?

    Comment by Didier Stevens — Friday 13 February 2015 @ 7:51

  8. Yes, they were closed. 🙂

    Comment by jack — Friday 13 February 2015 @ 7:54

  9. … the traffic from the router (in front of the network) to the firewall was not accepting those ports….

    Comment by jack — Friday 13 February 2015 @ 7:59
