A validation logic flaw in part of the Cisco ASA Software management interface authentication allows an attacker to bypass authentication and perform unauthorized operations.
By default, the ASA management interface authenticates requests with Basic Auth plus a cookie.
The vulnerability is in the preview function of the Customization page on the Configuration tab. This page is used to modify the WebVPN user login page. The handler for the Preview management request does not enforce Basic Auth; it decides whether the request is authenticated solely by checking that the cookie is valid. That cookie validation logic is itself flawed. The Lua code is as follows:

    function CheckAsdmSession(cookie, no_redirect)
        -- ... (part of the code omitted) ...
        -- The cookie value is concatenated into the path without any validation.
        local f = io.open('asdm/' .. cookie, "r")
        if f ~= nil then
            f:close()
            return true
        end
    end

As can be seen, CheckAsdmSession only checks whether a file named by the incoming cookie exists. By setting the ced value in the Cookie to a file that exists on the device, such as ced=../../locale/ru/LC_MESSAGES/webvpn.mo, the validation can be bypassed.
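
A hardened form of the check above, as an added example that is not Cisco's code or its actual fix: the cookie's format is validated before it is ever used in a path. The 32-hex-character session id format, the names SESSION_DIR, is_well_formed, CheckAsdmSessionHardened and fake_open, and the sample session id are assumptions made for illustration.

```lua
-- Added example, not Cisco's code. Assumption: session ids are 32 hex characters.
local SESSION_DIR = "asdm/"
local SESSION_ID_LEN = 32

-- Strict allowlist: a fixed-length hex token cannot contain "/", "\" or ".",
-- so it can never name a file outside SESSION_DIR.
local function is_well_formed(cookie)
  return type(cookie) == "string"
    and #cookie == SESSION_ID_LEN
    and cookie:match("^%x+$") ~= nil
end

-- open_fn is injectable so the check can be exercised without a device
-- filesystem; it defaults to io.open, as in the original snippet.
local function CheckAsdmSessionHardened(cookie, open_fn)
  if not is_well_formed(cookie) then
    return false              -- rejected before any filesystem access
  end
  local f = (open_fn or io.open)(SESSION_DIR .. cookie, "r")
  if f ~= nil then
    f:close()
    return true
  end
  return false
end

-- Constructed stand-in for the filesystem: one live session file, plus the
-- locale file from the text, reachable through the unnormalised path.
local EXISTING = {
  ["asdm/0123456789abcdef0123456789abcdef"] = true,
  ["asdm/../../locale/ru/LC_MESSAGES/webvpn.mo"] = true,
}
local function fake_open(path, mode)
  if EXISTING[path] then
    return { close = function() end }
  end
  return nil
end

local valid     = "0123456789abcdef0123456789abcdef"
local unknown   = "ffffffffffffffffffffffffffffffff"
local traversal = "../../locale/ru/LC_MESSAGES/webvpn.mo"

-- The original logic (bare existence test) accepts the traversal value.
assert(fake_open(SESSION_DIR .. traversal, "r") ~= nil)
-- The hardened check accepts only a well-formed id with a session file.
assert(CheckAsdmSessionHardened(valid, fake_open) == true)
assert(CheckAsdmSessionHardened(unknown, fake_open) == false)
assert(CheckAsdmSessionHardened(traversal, fake_open) == false)
assert(CheckAsdmSessionHardened(nil, fake_open) == false)
print("all checks passed")
```

Format validation closes the traversal, but the Preview handler would still need to enforce the same Basic Auth check as the other management requests.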