A coworker and I recently had the opportunity to work with a new vulnerability released at Ruxcon just earlier this month and while we didn't get exactly what we wanted, it was quite interesting.
The conference presentation was titled "Breaking Bricks and Plumbing Pipes: Cisco ASA a Super Mario Adventure" https://ruxcon.org.au/assets/2014/slides/Breaking%20Bricks%20Ruxcon%202014.pdf and was EXTREMELY interesting. The researcher Alec Stuart-Muirk managed to "jailbreak" the ASA and from there do some cool things with it, including a code audit of the publicly facing SSL VPN interface.
One thing that came out during the code audit was that the authorization check on some of the administrative interface pages can be bypassed by setting the cookie value to any valid file on the file system. I'm not going to get into too much detail because the slides cover it well, but basically this allows you to make modifications to the SSL VPN page WITHOUT AUTHENTICATION. This vulnerability is CVE-2014-3393 and affected versions can be found at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3393. He also released a way to pull the version from a remote ASA - it's as simple as hitting the following URL: https://<IP ADDRESS>/CSCOSSLC/config-auth
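If you are on the defending side, that version URL is also the quickest way to inventory which of your ASAs still need the fix. The following is an added example, not code from the post or from Alec Stuart-Muirk's research: it parses the version string an ASA reports (the "9.2(1)" format used in the post) and compares it with the first-fixed release you take from Cisco's advisory. The XML layout of the config-auth "hello" is an assumption based on the AnyConnect exchange, the sample response is constructed, and the fixed-version values are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the XML "hello" an ASA answers at /CSCOSSLC/config-auth.
# The element layout (<config-auth><version who="sg">...</version>) is an
# assumption; only the version string format (e.g. "9.2(1)") comes from the post.
SAMPLE_CONFIG_AUTH = """<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="hello">
  <version who="sg">9.2(1)</version>
</config-auth>
"""

# ASA versions look like 9.2(1), 9.1(5)100: major.minor(maintenance)interim
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(\d*)$")


def parse_asa_version(text):
    """Turn '9.2(1)' or '9.1(5)100' into a comparable (major, minor, maint, interim) tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised ASA version string: %r" % text)
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def version_from_config_auth(xml_text):
    """Extract the security-gateway version from a config-auth hello response."""
    root = ET.fromstring(xml_text)
    node = root.find("version")
    if node is None or not node.text:
        raise ValueError("no <version> element in config-auth response")
    return node.text.strip()


def is_older_than_fix(running, fixed_versions):
    """True if `running` is on a train listed in `fixed_versions` and is older than
    that train's first-fixed release; False if it is at or past the fix; None if the
    train is not listed at all (decide from the advisory, not from this table).
    `fixed_versions` is a list like ["9.2(99)"] -- PLACEHOLDER values; take the real
    first-fixed releases per train from Cisco's advisory for CVE-2014-3393."""
    r = parse_asa_version(running)
    for fv in fixed_versions:
        f = parse_asa_version(fv)
        if (r[0], r[1]) == (f[0], f[1]):   # same major.minor train
            return r < f
    return None


def assess(xml_text, fixed_versions):
    """Return (running_version, needs_upgrade) for one config-auth response."""
    running = version_from_config_auth(xml_text)
    return running, is_older_than_fix(running, fixed_versions)
```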
As a penetration tester this is very interesting because it allows us to backdoor the SSL VPN and easily intercept plaintext credentials. Even those using two-factor authentication wouldn't be safe from such an attack, as the attacker could immediately use the intercepted token to log in.
We spotted the SSL VPN login page in the wild recently and decided to take a crack at this vulnerability. The first step was to get a test setup running - since none of us own an ASA we "acquired" a virtual one. There might be a VMWare image here with such a thing running a vulnerable version.
After that, we simply proxied and intercepted the target requests. Interestingly, we had to make some modifications to the PoC posted in the Ruxcon presentation to get it to work (remove the User-Agent header from the cedsave request), indicating minor version differences may require further testing to get running. After making the appropriate modifications to the target requests, as detailed in the Ruxcon presentation, we were successfully able to backdoor our SSL VPN without authentication! Really cool stuff!
For those who would like to try at home, I've uploaded a BURP state https://github.com/breenmachine/various with the required requests in the "Repeater" tab to save you from typing them. This was tested on version ASA 9.2(1) and probably will require modification for other versions. Simply configure your ASA, point BURP at it, and give it a shot.
If anyone gets this working on other versions of ASA, I'd like to hear about the necessary modifications.
EDIT:
For those without a copy of BURP Pro, these are the requests you'll need:
http://pastebin.com/D7H9CVPf
http://pastebin.com/iLGWDDEQ
Thanks for sharing. Have you tried this PoC after a reboot under a no-admin-login-to-ASDM-IDM state? I found out that, after a reboot, the PoC would fail, and the response of the POST to /+CSCOE+/cedf.html was like this:
HTTP/1.1 200 OK
.......
top.close(); top.location.replace('/+CSCOE+/blank.html')
But after I logged in to ASDM-IDM, the response of the POST to /+CSCOE+/cedf.html with the same request would be like this, which was a sign of success:
HTTP/1.0 302 Object Moved
.......
Location: /+CSCOE+/cedlogon.html?obj=DfltCustomization&preview=logon&f=title&pf=logon
My test env was ASAv 9.2(1) running on VMWare, too.
Interesting! Good to know. I hadn't done very extensive testing, so I hadn't seen that situation.
Would be interested to see if 9.1(1) is vulnerable.