Cisco DLSw Leakage Allows Retrieval of Packet Contents from Remote Routers
In early 2014, we, Tate Hansen and John McLeod, were on a mission, sent by our Pwnfather Patrick Fleming (who taught us everything we know, including things unmentionable in this post) to the dark corners of a secure environment deep within the massive infrastructure of one of the world’s most complex networks.
That’s where we discovered that several of their Cisco routers had a listening TCP service on port 2067 that emitted information immediately upon establishing a connection.
We observed that the initial bytes always seemed to change when establishing new connections. Intrigued, we wrote a quick bash loop that repeatedly connected and captured the output, then piped that output through the UNIX strings utility.
Lo and behold, we started seeing strings like product names and point-of-sale data. After confirming the protocol as Data-Link Switching (DLSw), we narrowed the range of the interesting data to 54 bytes contained within a DLSw Control Message Header. The leaked information started at offset 18; the Wireshark dissector labels the fields in this range as “Not used” and “Old message type.”
To accelerate the collection of data, we used the following Ruby script:
What did this score for us? Gold. In particular, SNMP RW community strings. That plus account names, SQL query fragments, session cookie fragments, LDAP query fragments and much more.
Surprisingly, this was publicly unknown; in any case, Cisco was unaware of it until its public announcement on November 17, 2014, when it published the advisory Cisco IOS DLSw Information Disclosure Vulnerability.
Even though the CVSS score is only 5.0, the vulnerability allows a remote, unauthenticated network attacker to retrieve the partial contents of packets traversing Cisco routers that are configured to run the DLSw protocol.
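Whether a given DLSw peer is leaking can be confirmed from a packet capture of its own control traffic, without probing the router. The following is an added Ruby example, not the authors' script or the code in their repository: it takes a captured DLSw control message header, extracts the 54-byte region at offset 18 described above, and lists the printable strings found there, the same test the strings utility performed. The offset and length come from the post; the sample header, its contents and the helper names are assumptions.

```ruby
# Added example, not the authors' script: inspect a captured DLSw control
# message header for readable data in the region the post identifies as
# leaking. A correctly behaving peer leaves that region free of such content.

DLSW_HEADER_LEN = 72   # control message header size (RFC 1795)
LEAK_OFFSET     = 18   # first leaked byte, as observed in the post
LEAK_LEN        = 54   # 54 bytes: offset 18 through the end of the header

# Extract the suspect region, or nil if fewer than 72 bytes were captured.
def leaked_region(hdr)
  return nil if hdr.bytesize < DLSW_HEADER_LEN
  hdr.byteslice(LEAK_OFFSET, LEAK_LEN)
end

# Behaves like `strings`: runs of printable ASCII of at least min_len bytes.
def printable_strings(bytes, min_len = 4)
  bytes.b.scan(/[\x20-\x7e]{#{min_len},}/n)
end

# True when the reserved region carries readable content (the leak signature).
def leaks?(hdr)
  region = leaked_region(hdr)
  !region.nil? && !printable_strings(region).empty?
end

# Constructed 72-byte header whose reserved region holds stale buffer data.
# This is an assumed sample for the example, not real captured traffic.
def sample_header
  hdr = "\x31\x48".b               # version 0x31, header length 72
  hdr << [72].pack("n")            # message length (header only)
  hdr << "\x00" * 14               # bytes 4-17: correlator, port id, reserved,
                                   # message type, flow control, protocol id, header number
  leak = "\x00\x01community=private\x00\x00SELECT * FROM orders WHERE".b
  hdr << leak.ljust(LEAK_LEN, "\x00")
  hdr
end

if $PROGRAM_NAME == __FILE__
  region = leaked_region(sample_header)
  puts "leaks: #{leaks?(sample_header)} strings: #{printable_strings(region).inspect}"
end
```

Feed leaked_region real header bytes from a capture of your own DLSw peers; a header whose region yields no strings is the expected result from a patched device.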
To download the tools to exploit this, go to https://github.com/tatehansen/dlsw_exploit.