Monday, February 2, 2015

Cisco ASA version grabber (CVE-2014-3398)

Was catching up on blogs and re-reading some things, and came across this blog post and the Ruxcon slides again:
http://breenmachine.blogspot.com/2014/10/cisco-asa-ssl-vpn-backdoor-poc-cve-2014.html
https://ruxcon.org.au/assets/2014/slides/Breaking%20Bricks%20Ruxcon%202014.pdf

While looking for some of the POCs, I found this separate issue:

http://blog.spiderlabs.com/2014/04/privilege-escalation-vulnerability-in-cisco-asas-ssl-vpn.html

https://www3.trustwave.com/spiderlabs/advisories/TWSL2014-005.txt

Demo Video
https://vimeo.com/93010946

Slide deck
https://speakerdeck.com/claudijd/crowdsourcing-your-cisco-firewall-administration-dot-dot-dot-wat

The more important part of this was (for me) how to identify the vulnerable versions of ASAs.

From the SpiderLabs post:

Cisco ASA administrators can remediate this vulnerability by applying the latest firmware for your appliance. Depending on the ASA model you will want to upgrade to at least version 8.2(5.48), 8.3(2.40), 8.4(7.15), 8.6(1.13), 8.7(1.11), 9.0(4.1), or 9.1(4.5).

If you check out the Ruxcon slides (slide 75) you'll see that Alec discovered a version disclosure issue (CVE-2014-3398).

I couldn't find the nmap NSE referenced.

**UPDATE**
here it is: https://github.com/alec-stuart/BreakingBricks
**UPDATE**

aaaaannnd given that it's just a GET request, I wrote an auxiliary module to do this check:

https://github.com/carnal0wnage/Metasploit-Code/blob/master/modules/auxiliary/scanner/cisco_asa_version_leak.rb

Sample output

```
msf > use auxiliary/dev/webapp/cisco_asa_version_leak
msf auxiliary(cisco_asa_version_leak) > set VERBOSE true
VERBOSE => true
msf auxiliary(cisco_asa_version_leak) > set RHOSTS vpn.host1
RHOSTS => vpn.host1
msf auxiliary(cisco_asa_version_leak) > run

[+] 1.1.1.1:443-ASA Version: 9.0(3)8
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf auxiliary(cisco_asa_version_leak) > set RHOSTS vpn.host2
RHOSTS => vpn.host2
msf auxiliary(cisco_asa_version_leak) > run

[+] 2.2.2.2:443-ASA Version: 9.1(5)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf auxiliary(cisco_asa_version_leak) > set RHOSTS vpn.host3
RHOSTS => vpn.host3
msf auxiliary(cisco_asa_version_leak) > run

[+] 3.3.3.3:443-ASA Version: 8.4(7)22
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf auxiliary(cisco_asa_version_leak) > set RHOSTS vpn.host4
RHOSTS => vpn.host4
msf auxiliary(cisco_asa_version_leak) > run

[*] 4.4.4.4:443 Received 302 to https://129.78.208.25/+webvpn+/index.html (PATCHED)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```


I also found this nmap script:

http://nmap.org/nsedoc/scripts/http-cisco-anyconnect.html

but I checked it against the above hosts and it didn't return any results :-/ so meh.


Quick check, kept here mostly so I have a place to put it:

```shell
# -k skips certificate validation (self-signed ASA certs); -v shows the status line
# and headers, so a 302 to /+webvpn+/index.html (patched) is visible at a glance.
# 1.2.3.4 is a placeholder for the VPN host being checked.
curl -s -k -v "https://1.2.3.4/CSCOSSLC/config-auth"
```
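A small checker, added here as an example (it is not my Metasploit module or Alec's NSE), that interprets the reply to the GET above the way the sample output does and compares a disclosed version with the fixed releases from the SpiderLabs excerpt. It assumes the version is carried in a `<version>` element of the config-auth XML; the response body is constructed for the example, and the ordering of maintenance/interim numbers is my reading of Cisco's x.y(m)n / x.y(m.n) notation.

```python
import re
from typing import Optional

# Minimum fixed releases for the SSL VPN privilege escalation, as listed in the
# SpiderLabs advisory quoted above, indexed by major.minor train.
FIXED_RELEASES = ["8.2(5.48)", "8.3(2.40)", "8.4(7.15)", "8.6(1.13)",
                  "8.7(1.11)", "9.0(4.1)", "9.1(4.5)"]

# Matches advisory style "8.2(5.48)" as well as appliance style "9.0(3)8" / "9.1(5)".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)(\d+)?")

def parse_version(text: str) -> Optional[tuple]:
    """Return (major, minor, maintenance, interim) for the first ASA version in text."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, maint, interim_dot, interim_plain = m.groups()
    return (int(major), int(minor), int(maint), int(interim_dot or interim_plain or 0))

FIXED_BY_TRAIN = {v[:2]: v for v in map(parse_version, FIXED_RELEASES)}

def assess(version: str) -> str:
    """Compare a disclosed version against the fixed baseline for its train."""
    v = parse_version(version)
    if v is None:
        return "unparseable"
    baseline = FIXED_BY_TRAIN.get(v[:2])
    if baseline is None:
        return "train not covered by advisory"
    return "fixed" if v >= baseline else "vulnerable"

def classify_response(status: int, location: Optional[str], body: str) -> dict:
    """Interpret a reply to GET /CSCOSSLC/config-auth as the post describes: a 302 to
    /+webvpn+/ means the leak is patched; a <version> element in the body (assumed
    layout of the config-auth XML) means the appliance still discloses its release."""
    if status == 302 and location and "/+webvpn+/" in location:
        return {"leak": False, "version": None, "priv_esc": "unknown"}
    m = re.search(r"<version[^>]*>\s*([^<]+?)\s*</version>", body)
    if not m:
        return {"leak": False, "version": None, "priv_esc": "unknown"}
    return {"leak": True, "version": m.group(1), "priv_esc": assess(m.group(1))}

# Constructed sample body; a real config-auth reply carries more elements than this.
LEAK_BODY = ('<config-auth client="vpn" type="complete">'
             '<version who="sg">9.0(3)8</version></config-auth>')
```

Feed it the status, Location header and body from the curl output; a host that still leaks its version gets a fixed/vulnerable verdict against the advisory list, while a train the advisory does not list (9.2 and later) is reported as not covered rather than guessed.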

Other fun:

inurl:logon.html "CSCOE"

P.S.
The module to actually exploit the issue is in Metasploit:
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/cisco_ssl_vpn_priv_esc.rb

At some point I may try to just add the check to that module; until then, you have the above.

3 comments:

  1. So I released the warez at Kiwicon two months later. The link was in those slides.
    Anyway.. here you go:

    https://github.com/alec-stuart/BreakingBricks

    Alec
  2. thanks alec, i'll update the post
  3. inurl:logon.html "CSCOE"
    is nice 4 Shodan?