Cisco ASA Software remote authentication bypass vulnerability

ID MYHACK58:62201455339
Type myhack58
Reporter Anonymous
Modified 2014-11-01T00:00:00


0x01 Vulnerability overview

Part of the Cisco ASA Software management interface has a flaw in its authentication validation logic. An attacker can bypass authentication and perform unauthorized operations.

0x02 Vulnerability principle


By default, the ASA management interface authenticates requests with Basic Auth plus a cookie.

The vulnerability is in the preview function of the Customization page under the Configuration tab. This page is used to modify the webvpn user login page. The logic that handles the Preview management request lacks Basic Auth authentication and decides only on whether the cookie is valid. The cookie validation logic is itself flawed. The Lua code is as follows:

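    function CheckAsdmSession(cookie, no_redirect)
        -- ... part of the code omitted ...
        -- The cookie value is appended to 'asdm/' without any sanitization.
        local f = io.open('asdm/' .. cookie, "r")
        if f ~= nil then
            f:close()
            return true
        end
        -- ... remainder not shown in the original ...
    end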

As can be seen, the CheckAsdmSession function only checks whether the file named by the incoming cookie exists. Because the cookie value is concatenated onto the asdm/ path as-is, setting the ced value in the Cookie to a file that exists on the device, such as ced=../../locale/ru/LC_MESSAGES/webvpn.mo, bypasses the validation.
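A hardened form of the check above, as an added example that is not code from the original post or from Cisco. The 32-hex-character token format and the names SESSION_DIR, is_valid_token, check_session and the injectable file_exists are assumptions for illustration; the sample data is constructed.

```lua
-- Added example: hardened variant of the session check (not Cisco's code).
-- Assumption: session tokens are exactly 32 hex characters.
local SESSION_DIR = "asdm/"

-- Accept only values matching the assumed token format. The anchored
-- pattern allows hex digits only, so "/", "\" and "." can never pass.
local function is_valid_token(cookie)
    if type(cookie) ~= "string" or #cookie ~= 32 then
        return false
    end
    return cookie:match("^%x+$") ~= nil
end

-- Same existence test as the original function, isolated so it can be
-- replaced by a stub when exercising the check off-device.
local function default_file_exists(path)
    local f = io.open(path, "r")
    if f ~= nil then
        f:close()
        return true
    end
    return false
end

local function check_session(cookie, file_exists)
    file_exists = file_exists or default_file_exists
    if not is_valid_token(cookie) then
        return false -- rejected before any filesystem access
    end
    return file_exists(SESSION_DIR .. cookie)
end

-- Constructed data: one session file, plus the device file from the text.
local known = {
    ["asdm/0123456789abcdef0123456789abcdef"] = true,
    ["asdm/../../locale/ru/LC_MESSAGES/webvpn.mo"] = true,
}
local function fake_exists(path) return known[path] == true end

assert(check_session("0123456789abcdef0123456789abcdef", fake_exists) == true)
assert(check_session("../../locale/ru/LC_MESSAGES/webvpn.mo", fake_exists) == false)
assert(check_session("ffffffffffffffffffffffffffffffff", fake_exists) == false)
assert(check_session(nil, fake_exists) == false)
print("all checks passed")
```

Format validation only closes the path traversal; the Preview request would still need the same Basic Auth check as the other management requests.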
