
Cisco DLSw Leakage Allows Retrieval of Packet Contents from Remote Routers

November 19, 2014

In early 2014, we, Tate Hansen and John McLeod, were on a mission, sent by our Pwnfather Patrick Fleming (who taught us everything we know, including things unmentionable in this post) to the dark corners of a secure environment deep within the massive infrastructure of one of the world’s most complex networks.

That’s where we discovered that several of their Cisco routers had a listening TCP service on port 2067 that would emit information immediately upon establishing a connection.

We observed that the initial bytes always seemed to change when establishing new connections. Intrigued, we wrote a quick bash loop to continually connect and capture the output, then piped that output through the UNIX strings utility.

Lo and behold, we started seeing strings like product names and point-of-sale data. After confirming the protocol as Data-Link Switching (DLSw), we narrowed the range of the interesting data to 54 bytes contained within a DLSw Control Message Header. The leaked information started at offset 18; the Wireshark dissector labels the fields in this range as “Not used” and “Old message type.”
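As an added, defender-side example (not the authors’ Ruby script and not code from the linked dlsw_exploit repository): a passive check over already-captured DLSw traffic that pulls the 54-byte region at offset 18 of the 72-byte control message header and applies a strings-style scan to it, which is one way to confirm from a packet capture whether a router on your network is leaking. The sample headers are constructed; header details beyond what the post states (72-byte header, protocol ID 0x42, header number 1) are taken from RFC 1795.

```python
# Added example: passive leak check for captured DLSw control headers.
# Feed it the first 72 bytes a router sends on a TCP/2067 connection,
# as extracted from a packet capture; it does not open any connections.
import string

DLSW_HEADER_LEN = 72            # fixed size of a DLSw control message header
LEAK_OFFSET, LEAK_LEN = 18, 54  # "Not used" / "Old message type" range from the post
# strings(1)-style printable set: ASCII text plus space, no control characters
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def leak_region(header: bytes) -> bytes:
    """Return the 54 bytes at offset 18 of a full DLSw control header."""
    if len(header) < DLSW_HEADER_LEN:
        raise ValueError("need a full 72-byte DLSw control header")
    return header[LEAK_OFFSET:LEAK_OFFSET + LEAK_LEN]


def printable_runs(data: bytes, min_len: int = 6) -> list:
    """Mimic `strings`: collect printable-ASCII runs of at least min_len bytes."""
    runs, cur = [], bytearray()
    for b in data + b"\x00":        # trailing sentinel flushes the final run
        if b in PRINTABLE:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    return runs


def classify(header: bytes) -> dict:
    """Heuristic: text runs in the reserved region mean packet data is leaking.
    Legitimate headers may carry a few non-zero bytes there (frame size, MACs),
    so only printable runs, not any non-zero byte, raise the flag."""
    region = leak_region(header)
    runs = printable_runs(region)
    return {"nonzero_bytes": sum(1 for b in region if b),
            "strings": runs, "leaking": bool(runs)}


def _header(region: bytes) -> bytes:
    """Constructed sample: version 0x31, header length 72, message type 0x20
    (Capabilities Exchange), protocol ID 0x42, header number 1, then the region."""
    assert len(region) == LEAK_LEN
    front = bytes([0x31, 0x48]) + b"\x00" * 12 + bytes([0x20, 0x00, 0x42, 0x01])
    return front + region


CLEAN = _header(b"\x00" * LEAK_LEN)  # constructed: reserved region all zero
LEAKY_TAIL = b"\x00\x00" + b"GET /pos/item?id=42 HTTP/1.1" + b"\x00\x7f" + b"u=alice"
LEAKY = _header(LEAKY_TAIL.ljust(LEAK_LEN, b"\x00"))  # constructed leaked fragments

if __name__ == "__main__":
    for name, hdr in (("clean", CLEAN), ("leaky", LEAKY)):
        print(name, classify(hdr))
```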

To accelerate the collection of data, we used the following Ruby script:

What did this score for us? Gold. In particular, SNMP RW community strings. That, plus account names, SQL query fragments, session cookie fragments, LDAP query fragments and much more.

Surprisingly, this was publicly unknown; in any case, Cisco was unaware of it until their public announcement on November 17, 2014, when they published Cisco IOS DLSw Information Disclosure Vulnerability.

Even though the CVSS score is 5.0, the vulnerability allows a remote and unauthenticated network attacker to retrieve the partial contents of packets traversing Cisco routers that are configured to run the DLSw protocol.

To download the tools to exploit this go to https://github.com/tatehansen/dlsw_exploit.
