Hello team,
I hope you’re doing well, healthy & wealthy.
I found an Arbitrary File Deletion (CVE-2020-3187) vulnerability on https://██████████/+CSCOE+/session_password.html that allows the Arbitrary File Deletion.
- https://twitter.com/aboul3la/status/1286809567989575685
- http://packetstormsecurity.com/files/158648/Cisco-Adaptive-Security-Appliance-Software-9.7-Arbitrary-File-Deletion.html
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-path-JE3azWw43
Arbitrary File Deletion Reference:
https://video.twimg.com/ext_tw_video/1286808440271183873/pu/vid/1270x720/8tccA2VgHV9TDtW4.mp4
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
cvss-score: 9.10
cve-id: CVE-2020-3187
cwe-id: CWE-22
A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files on a targeted system.
Best regards
@pirneci
█████
Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software
CVE-2020-3187
Here is the PoC. If you can see “webvpn:” cookie, then you can delete any arbitrary file. I didn’t do it. It’s enough to prove the vulnerability.
PoC
GET /+CSCOE+/session_password.html HTTP/1.1
Host: █████
Sec-Ch-Ua: "Chromium";v="97", " Not;A Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
████████
Please upgrade to the latest version.