U.S. Dept Of Defense: https://██████ vulnerable to CVE-2020-3187 - Unauthenticated arbitrary file deletion in Cisco ASA/FTD

HackerOne report H1:987090, reported by pwnsauc3_
Published: 2020-09-21 09:40:35 (Sep 21, 2020 - 9:40 a.m.)
Source: hackerone.com

CVSS3: 9.1 High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: NONE

CVSS2: 7.5 High
AV:N/AC:L/Au:N/C:P/I:P/A:P
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

EPSS: 0.974 High (percentile 99.9%)

Hi team, while testing I found a host https://█████████ which belongs to DoD (██████████.mil), running the web services interface of Cisco ASA/FTD, and it is vulnerable to CVE-2020-3187 - Unauthenticated arbitrary file deletion in Cisco ASA/FTD. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences. An exploit could allow the attacker to view or delete arbitrary files on the targeted system. When the device is reloaded after exploitation of this vulnerability, any files that were deleted are restored. The attacker can only view and delete files within the web services file system.

Vulnerable IP: https://█████████
I did a whois search on it and it confirmed it belongs to DoD, as you can see below:

████

Steps to Reproduce

Go to https://████

█████

You will be redirected to the SSL VPN service and will see the web services interface of Cisco ASA/FTD. In the picture above you can see the page of the web service that is vulnerable to CVE-2020-3187, and you can also see the certificate, which indicates that this host belongs to █████.mil.

Proof of Concept

We know that CVE-2020-3187 - Unauthenticated arbitrary file deletion in Cisco ASA/FTD allows the attacker to view or delete arbitrary files on the targeted system. Here we delete files. For example, the logo file present on the server at https://████/+CSCOU+/csco_logo.gif can be deleted with the following steps.

This is done by sending a curl request of the form: curl -H "Cookie: token=../+CSCOU+/csco_logo.gif" https://target/+CSCOE+/session_password.html

  1. To delete the logo, run the following command in your terminal:
curl -H "Cookie: token=../+CSCOU+/csco_logo.gif" https://█████/+CSCOE+/session_password.html

  2. If that did not work, because the custom logo.gif/png sometimes has permission issues that prevent its deletion, try the empty HTML file https://██████/+CSCOE+/blank.html as the target instead. Other files can still be deleted even when the logo file cannot.

After this, the files (the logo and the blank HTML page) will be deleted from the server; for a better demonstration check out this video:

Warning: this can lead to a denial of service (DoS) on the VPN by deleting the Lua source code files from the file system, which will break the WebVPN interface until the device is rebooted.

Now, I haven't deleted the logo file because I didn't want to cause any damage, so I used another method which confirms that the target is vulnerable without causing damage: just check whether the /+CSCOE+/session_password.html endpoint exists. If it returns a 200 OK status, the target should be vulnerable, because this affected endpoint has been removed from the patched versions.

I sent a curl request to check and it gave 200 OK, as shown below:

█████

In a nutshell:

/+CSCOE+/session_password.html -> 200 = Vulnerable
/+CSCOE+/session_password.html -> 404 = Patched

In patched versions the /+CSCOE+/session_password.html file is removed, so if it returns 200 OK the host is vulnerable, as seen in the picture above, where the following curl request returned 200 OK:

curl -kI https://█████/+CSCOE+/session_password.html

Mitigation/Remediation Actions

Upgrade the ASA/FTD software version per the referenced Cisco advisory, available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-path-JE3azWw43

References

https://twitter.com/aboul3la/status/1286809567989575685
https://medium.com/@parasarora06/hunting-for-cve-2020-3187-2020-3452-9f0dcc66f4d8
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-path-JE3azWw43
http://packetstormsecurity.com/files/158648/Cisco-Adaptive-Security-Appliance-Software-9.7-Arbitrary-File-Deletion.html

Impact

High - This vulnerability allows the attacker to delete files within the web services file system.
