2. Not a talk about Switch Vulns
• See Switches Get Stitches and related CVEs
• Real drivers for this talk:
– Cisco router rootkits
– Juniper VPN/router backdoors
– Cisco NX-OS backdoor
– Clearly, network infrastructure is both weak, and under attack
– …so switch vulns, just how bad are they?
3. This is a talk about post-exploitation
• We have a Layer 2 managed network switch.
• We hacked the switch!
• [[Insert underpants gnome sequence here]]
• But really: Now what?
8. Post-Exploitation
• “Boring” attacks
– Disable network interfaces
– Disable mirror port
– Lock admins out
• Official story: Layer 2 switch is limited in functionality
– Switching fabric is ‘just’ a packet-matching engine
– Sends packet to its destination port based on MAC address
– (and disabling ports will get you noticed)
11. Unstitching Switch Chips
• Network switch chips controlled via ‘MDIO’ protocol
– Serial protocol for reading and writing configuration registers in switch fabric
– Not much to it; OS+MCU will handle the gory details
• Network switch chip is ‘just’ a packet matching engine
– But highly configurable
– VLAN Tagging and Port Mirroring are our downfall
– Most modern chips even do Layer 3/Routing!
13. Mo Money Mo Problems
• Dirty secret of all network switches: CPU Port
– Connected internally to save money (two fewer PHYs, one less network cable for end user)
– Side Effect: CPU can both reconfigure switch fabric, and eavesdrop on traffic
• This functionality prevented by firmware…
• …but we own the firmware now, so…
• …we can eavesdrop on traffic and reconfigure switch fabric on-the-fly.
• L2 switches can all become Routers. Who knew?
14. ET-9MS Details
• Need to learn which port on the case maps to which port on the Marvell switch chip
• Two methods:
– Beep it out
– Read /etc/switch/swm.config
• Reading the config file is plenty easy:
– C0:9,C1:7,C2:6,C3:5,C4:4,C5:3,C6:2,C7:1,C8:0,C9:8
– So Port 0 (C0, as in ‘Case port 0 [which isn’t exposed to the user]’) is our MCU interface
15. ET-9MS Details
• Next: need to learn how to interface with MDIO interface
– Easy(ish): libswm.so shared library
– We will build our own application to use this library
– Sample header files in http://github.com/reidmefirst/Sixnet-9MS/
– Crossbuild environment is kind of fun, recommend ELDK 4.1 on Fedora Core 7
16. A slight diversion: Reverse engineering SO files
• To compile our own code, we need a header file for the proprietary ‘libswm’ library
– Shared libraries don’t contain hints about parameters
– Calling conventions change over time, so we’ll also need a similar-era GCC/GLIBC/LD
– Sixnet promised to release an SDK for this switch, but never did
– So, to IDA
• Easy example follows
18. Bumbling around with an API
• registerDump() takes one argument
– Apparently it’s a data structure
– Apparently it’s some kind of MDIO object that we have to initialize
– Looks kinda like an mii_bus struct, but maybe with some fields moved around?
– Wild Guess: ‘findSwm()’ function takes no arguments, and returns a pointer to a weird struct…
• Maybe this is the same struct?
• Try it and find out
19. When in Doubt, void* it out
Test.c:
/* Guessed prototypes: libswm.so ships no headers, so both declarations
   are inferred from the disassembly. The object is treated as opaque. */
void* findSwm(void);            /* returns pointer to the MDIO/switch object */
int registerDump(void* thing);  /* dumps the switch registers for that object */

int main(void){
    void* thing = findSwm();
    if (thing == NULL)          /* guard against the guess being wrong */
        return 1;
    registerDump(thing);
    return 0;
}
20. Output
Global registers:
0x00: 0x0840 0x3000
0x01: 0x01a0 0x782d
… etc
• Compare to 8063 Datasheet
– Settings match what we expect for current Switch Configuration!
– Let’s continue reverse engineering
21. Two critical functions
/* thing: the object returned by findSwm(); phyaddr: device address on the MDIO bus;
   regnum: configuration register within that device */
int mdio_read(void* thing, int phyaddr, int regnum);
int mdio_write(void* thing, int phyaddr, int regnum, int value);
22. Enough with RE
• mdio_read() and mdio_write() are all we need
• These allow us to read and write the switch configuration registers
• We know enough to start hacking
23. Attack!
• Want to accomplish two goals:
– Fakemirror, to hide from IDS/NSM
– Filtering, to let us manipulate control and view
• Want to avoid using ‘chipisms’
– Switch chip in this switch (88e6083) is advanced
– Easy to turn the switch into a router
– Generic techniques are painful, but better
25. Leverett Attack HOWTO
1) Find the port that the user is mirroring
2) Redirect the port to mirror to MCU
3) Sniff traffic on MCU
4) Decide if incoming packets should be seen on mirror
5) If supposed to mirror:
– Temporarily enable mirror with MCU source port
– Send packet
– Disable MCU mirror
29. ET-9MS specifics
• Not much extra code needed to pull this off!
• Sixnet kind enough to include libpcap 0.9.4 in the switch firmware
– Just had to grab headers and add them to ELDK cross compile environment
• Fully linked fakemirror binary is < 12kB
30. Leverett Attack
• Problem 1: DUPs
– DUPs go to Real Target
– (No DUPs to mirror though)
• Problem 2: Latency
– Switch is normally 0.6-1.2 ms round-trip
– While under Leverett’s Power, mirror sees 2-5 ms round-trip (can reduce with kernel module)
• Problem 3: Mirroring ‘admin’ traffic
– If an admin logs in, the mirror may accidentally see it, and the gig is up
31. Leverett Attack Code
• See that github address. Example code is provided in ‘fakemirror.c’
• Quite reliable IDS/NSM evasion, provided you compromise a network switch first!
• Bonus: Switch configuration GUI is file-based and doesn’t poll the Switch Chip to find out if config has changed.
– This means you get stealth for free!
– Other switches probably do the same thing.
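Because the GUI never polls the chip, the one place a rewritten mirror or VLAN register does show up is a register dump taken from the MCU and diffed against a known-good dump; this is an added defender-side example, not the talk’s code or Sixnet’s. It parses the registerDump() output format shown on the Output slide; the “Port registers” section and the altered value are constructed, and the section/column layout of the real dump is assumed.

```python
# Config-drift check built on registerDump() output. Added example, not code
# from the talk or from Sixnet; section names and the altered value are
# constructed. The GUI reads a config file and never polls the chip, so a
# changed mirror/VLAN register only shows up if you dump the chip and diff.
import re

# "0x01: 0x01a0 0x782d" -> register address, then one value per column
REG_LINE = re.compile(r"^(0x[0-9a-fA-F]+):\s*((?:0x[0-9a-fA-F]+\s*)+)$")

def parse_dump(text):
    """Return {section: {reg_addr: (values, ...)}}; '... etc' lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("...", "\u2026")):
            continue
        m = REG_LINE.match(line)
        if m is None and line.endswith(":"):   # header such as "Global registers:"
            current = line[:-1]
            sections[current] = {}
        elif m is not None and current is not None:
            reg = int(m.group(1), 16)
            sections[current][reg] = tuple(int(v, 16) for v in m.group(2).split())
    return sections

def diff_dumps(baseline, current):
    """List (section, reg, old_values, new_values) for each register that changed
    or is new; old_values is None when the baseline lacks the register."""
    changes = []
    for sec, regs in current.items():
        for reg, vals in regs.items():
            old = baseline.get(sec, {}).get(reg)
            if old != vals:
                changes.append((sec, reg, old, vals))
    return changes

# Constructed dumps: global lines are those on the Output slide; in
# CURRENT_DUMP one value in the (constructed) port section has been altered.
BASELINE_DUMP = """Global registers:
0x00: 0x0840 0x3000
0x01: 0x01a0 0x782d
Port registers:
0x06: 0x0001 0x0001 0x0001
"""
CURRENT_DUMP = BASELINE_DUMP.replace("0x0001 0x0001 0x0001", "0x0001 0x0201 0x0001")

def check_drift(baseline_text=BASELINE_DUMP, current_text=CURRENT_DUMP):
    """Parse both dumps and return the list of changed registers."""
    return diff_dumps(parse_dump(baseline_text), parse_dump(current_text))
```

Run it from the MCU on a fresh dump at whatever interval the latency budget allows; any change not matched by an admin config push is worth an alert.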
35. Klein Attack
• Mirroring is fun, but can we filter traffic?
– Modify data that is being sent across a network switch
– Inside the switch itself
– Without using ARP poisoning?
• (Because that is boring and dumb and noisy)
• (Besides, everybody does ARP poison detection right?)
• You can probably guess that the answer is YES.
36. Klein Attack
• Many ways to pull it off. Most generic:
• Mirror two target ports to switch MCU
• VLAN Tagging for the win
– Place target1 and target2 ports on separate VLANs
– Swap MCU switchport from target1 to target2 VLAN as appropriate
– This works really well against ICS, because protocols are poll-response
• We can preemptively switch VLANs to shave a little latency
• In hindsight, probably could do Leverett Attack in the same way…
37. Klein Attack – Both Ports Mirror to CPU
[Diagram: Switch with Target Port1 (System1, VLAN1) and Target Port2 (System2, VLAN2); both target ports mirror to the CPU port]
38. Klein Attack – Receive mirrored packet
[Diagram: same topology; a “Mirrored Packet” arrives at the CPU port]
39. Klein Attack – Configure CPU to VLAN2
[Diagram: same topology; CPU port now on VLAN2, with a “Modified Packet” leaving toward Target Port2]
40. Who is vulnerable?
• Any network switch without firmware signing
• And many that do have it
– …vendors love to sign the update during installation, but never verify the sig with secure bootloader
– …this means that any bugs in the firmware could result in a rooted switch
• Any network switch with ‘hidden’ CPU interface
– Basically: if you plug a network cable into a normal switchport, and can load the web/ssh/telnet manager, it has these issues
41. Takeaways
• L2 Switches at least as important as Routers for data integrity
• Switch rootkits probably already exist for popular switches
• Seldom are these devices patched
• Impossible to audit network switches without destroying them
– We could in this case, but only by modifying the firmware (which potentially destroys evidence)