Exploiting Persistent XSS & Unsanitized Injection vectors for Layer 2 bypass & “COOLHANDLUKE” Protocol Creation (HPE Procurve & Aruba Networks, Cisco / Dell / Netgear)

“Every persistent XSS or unsanitized input vector on a Layer 2 or 3 Device is a covert network protocol waiting to happen.” – Ken “s1ngular1ty” Pyle

That is a bold statement to make and I am making it. Here is the first.

https://cybir.com/wp-content/uploads/2022/05/Layer7MattersAtLayer2-PoCForRelease.pdf

In the following paper, I put forth a simple exploit, “coolhandluke”, and use it to violate network segmentation / Layer 2 VLAN policies; routing & sending a file between isolated, air gapped networks without a router.

Test Equipment:

Aruba / HPE Procurve 2540 Switch – JL354a (Proof of Concept for YC.16.11.0003, Multiple Firmware & Devices)

Dell: VRTX & X Series Switches (Proof of Concept for for X1026p running 3.0.1.8)

Cisco: SMB (Sx, SF, SG, etc.), and others (Proof of Concept for Pre-Nov. 2021 Updates & Current Firmware)

The sample exploit (Aruba) is a 64 byte (less in application) unsanitized username / log poisoning vector via the Aruba OS / HPE Procurve switch. Via polyglot exploitation and “living off the land”; using easy to understand tools, scripts, and system native tools (Kali, Burp Suite),

I will provide Proof of Concept (PoC) for a simple sessionless file transfer protocol that bypasses all known network controls and lives in log files. In this implementation, the protocol is unencrypted or encrypted via HTTPS / SSH, operates via unauthenticated covert vectors, and on system controls do not provide adequate alerting.

The provided code & protocol violate Layer 2 / Layer 3 protocol segmentation and can be used to exfiltrate data or to implant & execute malicious code through methods which bypass firewalls, VLANs / network segmentation. This PoC is very primitive. I am showing file data delimiters, the ability to segment / reassemble files via multiple injections, and Python exploit code which allows for download of the files / exfiltrated data via any modern OS or platform. The bare minimum to “count” as a valid protocol.

This paper demonstrates the attack via ArubaOS / HPE switches. I have been performing this attack and have working PoC for many other switch, AP, and router families (Cisco / Dell / Netgear / D-Link / 3Com / Linksys / etc.) See Additional Information for further information.

My basic technique for polyglot code injection and multiplatform exploitation links directly back to this work: JNLP-Injection-and-Attacks-Release.pdf (cybir.com)

The connection is clear: JNLP is an exploitable protocol providing direct access to JAVA through this technique. The format is plaintext, HTTP/S based, and can be used as an additional persistence vector or as a botnet utilizing this protocol & technique.

Weaponizing this paper as a *fully fledged* stateful network protocol is simple and can be quickly implemented using JNLP. By piggybacking information stored in the targeted logs file or headers (ex. IP addresses, log numbers, other metadata, controllable space.), routing traffic to specific IPv4 or IPv6 addresses or tunneling between air gapped “islands” is possible. Data Encapsulation and the TCP/IP Protocol Stack (System Administration Guide, Volume 3) (oracle.com)