Detailed analysis and reproduction of CVE-2014-3393

Source: Internet
Author: User
Tags cisco asdm

0x00 vulnerability introduction:

Cisco Adaptive Security Appliance (ASA) Software has a security vulnerability in the implementation of the Clientless SSL VPN portal customization framework. An unauthenticated remote attacker can exploit it to modify the content of the Clientless SSL VPN portal, which can lead to credential theft, cross-site scripting, and other attacks. The vulnerability is due to an improperly implemented authentication check in the portal customization framework.

0x01 vulnerability details:

The problem can be summarized as an authorization bypass. In the logon page settings of the Cisco VPN you can set titles and logos; these locations can be modified without authorization, and XSS exists in them. For example:

This is a locally built VPN used for reproduction. This is the title on the VPN logon page, into which JS has been inserted. Why is that possible? Let's look at the foreign researcher's article.

It says:

Check on some of the administrative interface pages can be bypassed

Setting the cookie value to any valid file on the file system.

That is, on some management interface pages the logon check can be bypassed by setting the cookie value to any existing file on the file system. (My English is poor, so this was translated with Google.)

The defective code is as follows:

    function CheckAsdmSession(cookie, no_redirect)
        -- ...
        -- The cookie is used directly as a file name: "../" is never stripped,
        -- so any readable file outside asdm/ satisfies the check.
        local f = io.open('asdm/' .. cookie, "r")
        if f ~= nil then
            f:close()
            return true
        end
        -- ...
    end
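The same check re-created in Python as an added example (not code from the post or from Cisco), with the vulnerable form beside a hardened one. The session id format, the directory layout and the function names are assumptions; the constructed layout places an unrelated file exactly where the cookie value quoted below points.

```python
import os
import re
import tempfile

# Assumption: a legitimate ASDM session id is a 32-character hex token.
SESSION_ID_RE = re.compile(r"[0-9a-f]{32}")


def check_session_vulnerable(session_dir: str, cookie: str) -> bool:
    """Mirror of the original check: the cookie is joined to the session
    directory and any file that opens counts as a valid session."""
    try:
        with open(os.path.join(session_dir, cookie), "r"):
            return True
    except OSError:
        return False


def check_session_hardened(session_dir: str, cookie: str) -> bool:
    """Only accept a well-formed token, and verify the resolved path still
    lives directly under the session directory before touching the disk."""
    if not SESSION_ID_RE.fullmatch(cookie):
        return False
    base = os.path.realpath(session_dir)
    path = os.path.realpath(os.path.join(base, cookie))
    return os.path.dirname(path) == base and os.path.isfile(path)


def demo() -> dict:
    """Constructed layout: <root>/webvpn/asdm/ holds one real session file and
    <root>/locale/ru/LC_MESSAGES/webvpn.mo is an unrelated file two levels up,
    exactly where the cookie from the post points."""
    root = tempfile.mkdtemp()
    session_dir = os.path.join(root, "webvpn", "asdm")
    os.makedirs(session_dir)
    valid = "0123456789abcdef0123456789abcdef"
    open(os.path.join(session_dir, valid), "w").close()
    mo_dir = os.path.join(root, "locale", "ru", "LC_MESSAGES")
    os.makedirs(mo_dir)
    open(os.path.join(mo_dir, "webvpn.mo"), "w").close()
    traversal = "../../locale/ru/LC_MESSAGES/webvpn.mo"
    return {
        "valid_vulnerable": check_session_vulnerable(session_dir, valid),
        "valid_hardened": check_session_hardened(session_dir, valid),
        "traversal_vulnerable": check_session_vulnerable(session_dir, traversal),
        "traversal_hardened": check_session_hardened(session_dir, traversal),
    }
```

Running `demo()` shows the traversal cookie accepted by the original logic and rejected by the hardened one, while the real session id passes both.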

This alone may be hard to understand, so let's look at it through the detection method. In the link above, the foreign researcher also gave a POST request captured in Burp Suite:

In the POST request the cookie is ced=../../locale/ru/LC_MESSAGES/webvpn.mo. If the vulnerability exists on the target and can be exploited, the response is:

The HTTP status code is 302, which indicates that the vulnerability exists and can be exploited. Why do I say that it can exist and still not be exploitable? At first I thought this vulnerability was so powerful that it would certainly have a wide impact, but after reproducing it myself I found that this is not the case. There is a precondition for exploiting it:

Here the cookie value is also set, the POST body is the same, and the address is the same. Why is 200 returned this time? To get to the root cause, I tested the VPN carefully several times and recorded each step. The key is that someone must have clicked the Preview button on the Customization page of the Configuration tab in Cisco ASDM. If the Preview button has not been clicked, even vulnerable versions cannot be exploited. For example:

That is why, when testing a vulnerable device, you may still see 200 returned. In addition, testing showed that as long as the device has not been shut down and restarted, the bypass keeps working; once the device has been restarted, it only works again after the next click on the Preview button.

But don't think of this as a weak vulnerability. Today my friends and I wrote an exploit to test it (it is really just a test). The targets were all well-known foreign universities, and 3 or 4 out of 10 universities turned out to be exploitable.

Having spent so long on detecting the vulnerability, how do we reproduce the attack?

In the link above, the foreign researcher gave a Burp Suite project file. Loading it restores the saved state: there are four Repeater tabs; change the host and target to the target device and send the requests in sequence.

More information is in the PDF presented at Ruxcon 2014.

Attachment video: CVE-2014-3393

Affected versions: the full list is in the Cisco advisory referenced under Solution below.


Solution: Cisco released a patch on October 8, 2014; advisory: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

Burp Suite project file: https://github.com/breenmachine/various
