“Every XSS or unsanitized input vector on a Layer 2 or Device (router or switch) is a covert network protocol waiting to happen.” – Ken “s1ngular1ty” Pyle
In my previous work, I disclosed an attack that bypasses Layer 2 protections via persistent XSS payloads stored in poisoned, limited, unsanitized input space. The devices I was attacking were Aruba Networks / HPE Procurve switches, fully updated at the time (5/2022).
In that disclosure, I noted that I had been using this technique for more exotic exploitation and access control list (ACL) bypasses:
“I have been performing this attack and have working PoC for many other switch, AP, and router families (Cisco / Dell / Netgear / D-Link / 3Com / Linksys / etc.)”
In this work, I show one of those techniques: how abusing persistent XSS / polyglot payloads allows robust protocol creation, similar to COOLHANDLUKE, and lets an attacker exfiltrate, encapsulate, and tunnel malicious traffic between IPv4 and IPv6 networks without a router.
I call the technique and protocol “DIRECTIVEFOUR.”
Even viewed as simple, traditional web application and exploitation attacks, the exposures I walk through here have been officially classified by Cisco’s PSIRT as:
• High SIR (Security Impact Rating) security advisory titled “Cisco Small Business Series Switches Session Credentials Replay Vulnerability” / CVE-2021-34739 (“CENTAUR”)
• Bug ID CSCwa02039 titled “Session ID is too short” (“SOUNDBOARDFEZ”)
• Bug ID CSCvz62305 titled “Crash when invalid sessionID, but valid credentials are supplied during login” (“CAKEHORN”)
• Bug ID CSCvz63121 titled “Host header injection in web UI” (“MAGNIFICENTSEVEN”)
• Medium SIR security advisory titled “Cisco Small Business 200, 300, and 500 Series Switches Web-based Management Interface Denial of Service Vulnerability” / CVE-2021-40127 (“PROCESSION”)
Note that most of the issues demonstrated here have not been assigned CVE numbers.
Refined into polyglot attacks (DIRECTIVEFOUR), these exploits and exposures become exotic communications channels, methods for protocol creation and tunneling, and covert channels for storing and transmitting malicious code: polyglot exploitation to the max.
A proof of concept is provided here for a more complex protocol than the previously disclosed COOLHANDLUKE. The protocol outlined here (DIRECTIVEFOUR) provides file segmentation and delimiters, a rudimentary acknowledgement system, and the ability to route traffic between IPv4 and IPv6 “islands” without the benefit of a traditional Layer 3 device or router.
Incredibly, the payload window never exceeds 410 bytes.
Previous & Relevant Research (CYBIR – Cyber Security, Incident Response, & Digital Forensics):
• Exploiting Persistent XSS & Unsanitized Injection Vectors for Layer 2 Bypass & “COOLHANDLUKE” Protocol Creation (HPE Procurve & Aruba Networks, Cisco / Dell / Netgear)
• JNLP Parameter Injection Attacks to Remote, Persistent, Multi-OS Code Execution (BIZARRELOVETRIANGLE, FULLCLIP, MOONAGEDAYDREAM)