http://breenmachine.blogspot.com/2014/10/cisco-asa-ssl-vpn-backdoor-poc-cve-2014.html
https://ruxcon.org.au/assets/2014/slides/Breaking%20Bricks%20Ruxcon%202014.pdf
While looking for some of the POCs I found this separate issue:
http://blog.spiderlabs.com/2014/04/privilege-escalation-vulnerability-in-cisco-asas-ssl-vpn.html
https://www3.trustwave.com/spiderlabs/advisories/TWSL2014-005.txt
Demo Video
https://vimeo.com/93010946
Slide deck
https://speakerdeck.com/claudijd/crowdsourcing-your-cisco-firewall-administration-dot-dot-dot-wat
The more important part of this (for me) was how to identify the vulnerable versions of ASAs.
From the SpiderLabs post:
Cisco ASA administrators can remediate this vulnerability by applying the latest firmware for your appliance. Depending on the ASA model you will want to upgrade to at least version 8.2(5.48), 8.3(2.40), 8.4(7.15), 8.6(1.13), 8.7(1.11), 9.0(4.1), or 9.1(4.5).
If you check out the Ruxcon slides (slide 75) you'll see that Alec discovered a version disclosure issue (CVE-2014-3398).
I couldn't find the nmap NSE referenced.
**UPDATE**
here it is: https://github.com/alec-stuart/BreakingBricks
**UPDATE**
aaaaannnd given that it's just a GET request, I wrote an auxiliary module to do this check:
https://github.com/carnal0wnage/Metasploit-Code/blob/master/modules/auxiliary/scanner/cisco_asa_version_leak.rb
Sample output
msf > use auxiliary/dev/webapp/cisco_asa_version_leak
msf auxiliary(cisco_asa_version_leak) > set VERBOSE true
VERBOSE => true
msf auxiliary(cisco_asa_version_leak) > set RHOSTS vpn.host1
RHOSTS => vpn.host1
msf auxiliary(cisco_asa_version_leak) > run
[+] 1.1.1.1:443-ASA Version: 9.0(3)8
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(cisco_asa_version_leak) > set RHOSTS vpn.host2
RHOSTS => vpn.host2
msf auxiliary(cisco_asa_version_leak) > run
[+] 2.2.2.2:443-ASA Version: 9.1(5)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(cisco_asa_version_leak) > set RHOSTS vpn.host3
RHOSTS => vpn.host3
msf auxiliary(cisco_asa_version_leak) > run
[+] 3.3.3.3:443-ASA Version: 8.4(7)22
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(cisco_asa_version_leak) > set RHOSTS vpn.host4
RHOSTS => vpn.host4
msf auxiliary(cisco_asa_version_leak) > run
[*] 4.4.4.4:443 Received 302 to https://129.78.208.25/+webvpn+/index.html (PATCHED)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
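The version strings the module prints can be checked against the minimum fixed versions quoted from the SpiderLabs post above. The following is an added example, not code from the original post or from either Metasploit module: it parses both of Cisco's version notations and classifies each leaked version against the fixed version for its train. It assumes that "9.0(3)8" (the "show version" / leak notation) denotes the same interim build as "9.0(3.8)" (the release-notes notation), and the sample module output it parses is constructed from the lines above. Note that any host that leaks its version at all is, by definition, still affected by the disclosure issue itself.

```python
import re

# Minimum fixed versions quoted from the SpiderLabs post (TWSL2014-005),
# keyed by the major.minor train they apply to.
FIXED_VERSIONS = {
    "8.2": "8.2(5.48)",
    "8.3": "8.3(2.40)",
    "8.4": "8.4(7.15)",
    "8.6": "8.6(1.13)",
    "8.7": "8.7(1.11)",
    "9.0": "9.0(4.1)",
    "9.1": "9.1(4.5)",
}

# major.minor(maintenance[.interim])[interim]  e.g. 8.2(5.48), 9.0(3)8, 9.1(5)
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)\s*(\d+)?\s*$")

# Constructed sample of the module's output, mirroring the lines above.
SAMPLE_OUTPUT = [
    "[+] 1.1.1.1:443-ASA Version: 9.0(3)8",
    "[+] 2.2.2.2:443-ASA Version: 9.1(5)",
    "[+] 3.3.3.3:443-ASA Version: 8.4(7)22",
    "[*] 4.4.4.4:443 Received 302 to https://gateway.example/+webvpn+/index.html (PATCHED)",
]

_LEAK_LINE_RE = re.compile(r"^\[\+\]\s+(\S+?):(\d+)-ASA Version:\s*(.+?)\s*$")


def parse_asa_version(text):
    """Return (major, minor, maintenance, interim) for an ASA version string.

    Accepts "9.0(4.1)" (release-notes notation) and "9.0(3)8" (the notation
    the leak returns). Assumption: the trailing number in "9.0(3)8" is the
    same interim build as the ".8" in "9.0(3.8)". A bare "9.1(5)" is the
    maintenance release with interim 0.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError("unrecognised ASA version: %r" % text)
    major, minor, maint, interim_dot, interim_tail = m.groups()
    if interim_dot is not None and interim_tail is not None:
        raise ValueError("interim given twice in %r" % text)
    interim = interim_dot if interim_dot is not None else interim_tail
    return (int(major), int(minor), int(maint), int(interim or 0))


def assess(version_text):
    """Classify a version against the fixed version for its train.

    "patched"        - same train, at or above the quoted fixed version
    "vulnerable"     - same train, below the quoted fixed version
    "train-unlisted" - no fixed version quoted for this train; check Cisco
    """
    v = parse_asa_version(version_text)
    fixed = FIXED_VERSIONS.get("%d.%d" % (v[0], v[1]))
    if fixed is None:
        return "train-unlisted"
    return "patched" if v >= parse_asa_version(fixed) else "vulnerable"


def triage_module_output(lines):
    """Map host -> assessment for every '[+] host:port-ASA Version: X' line.

    Lines that are not a leak (such as the 302 'PATCHED' line) are skipped,
    since there is no version to evaluate.
    """
    results = {}
    for line in lines:
        m = _LEAK_LINE_RE.match(line)
        if m:
            results[m.group(1)] = assess(m.group(3))
    return results


if __name__ == "__main__":
    for host, verdict in sorted(triage_module_output(SAMPLE_OUTPUT).items()):
        print("%-12s %s" % (host, verdict))
```

Comparing the tuples lexicographically is what makes "8.4(7)22" sort above "8.4(7.15)": the interim field is a number, not a string, so 22 outranks 15. Trains not in the quoted list (8.5, 9.2 and later) are reported separately rather than guessed at, since the post only gives fixed versions for the seven trains listed.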
I also found this nmap script
http://nmap.org/nsedoc/scripts/http-cisco-anyconnect.html
but I checked against the above hosts and it didn't return any results :-/ so meh.
quick check just as a place to put it
curl -ssl -k -v "https://1.2.3.4/CSCOSSLC/config-auth"
other fun
inurl:logon.html "CSCOE"
P.S.
the module to actually exploit the issue is in metasploit:
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/cisco_ssl_vpn_priv_esc.rb
At some point I may try to just add the check to that module; until then you have the above.
So I released the warez at Kiwicon two months later. The link was in those slides.
Anyway.. here you go:
https://github.com/alec-stuart/BreakingBricks
Alec
thanks alec, i'll update the post
inurl:logon.html "CSCOE"
is nice 4 Shodan?