Monday, October 27, 2014

Cisco ASA SSL VPN Backdoor PoC (CVE-2014-3393)

A coworker and I recently had the opportunity to work with a new vulnerability released at Ruxcon just earlier this month and while we didn't get exactly what we wanted, it was quite interesting.

The conference presentation was titled "Breaking Bricks and Plumbing Pipes: Cisco ASA a Super Mario Adventure" https://ruxcon.org.au/assets/2014/slides/Breaking%20Bricks%20Ruxcon%202014.pdf and was EXTREMELY interesting. The researcher Alec Stuart-Muirk managed the "jailbreak" the ASA and from there do some cool things with it, including a code audit of the publicly facing SSL VPN interface.

One thing that come out during the code audit was that the authorization check on some of the administrative interface pages can be bypassed by setting the cookie value to any valid file on the file system. I'm not going to get into too much detail because the slides cover it well, but basically this allows you to make modifications to the SSL VPN page WITHOUT AUTHENTICATION. This vulnerability is CVE-2014-3393 and affected versions can be found at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3393. He also released a way to pull the version from a remote ASA - it's as simple as hitting the following URL: https://<IP ADDRESS>/CSCOSSLC/config-auth

As a penetration tester this is very interesting because it allows us to backdoor the SSL VPN, and easily intercept plaintext credentials. Even those using 2 factor authentication wouldn't be safe from such an attack as the attacker could immediately use the intercepted token to login.

We spotted the SSL VPN login page in the wild recently and decided to take a crack at this vulnerability. The first step was to get a test setup running - since none of us own an ASA we "acquired" a virtual one. There might be a VMWare image here with such a thing running a vulnerable version.

After that, we simply proxied and intercepted the target requests. Interestingly, we had to make some modifications to the PoC posted in the Ruxcon presentation to get it to work (remove the User-Agent header from the cedsave request), indicating minor version differences may require further testing to get running. After making the appropriate modifications to the target requests, as detailed in the Ruxcon presentation, we were successfully able to backdoor our SSL VPN without authentication! Really cool stuff!

For those who would like to try at home, I've uploaded a BURP state https://github.com/breenmachine/various with the required requests in the "Repeater" tab to save you from typing them. This was tested on version ASA 9.2(1) and probably will require modification for other versions. Simply configure your ASA, point BURP at it, and give it a shot.

If anyone gets this working on other versions of ASA, I'd like to hear about the necessary modifications.

EDIT:
For those without a copy of BURP Pro, these are the requests you'll need:
http://pastebin.com/D7H9CVPf
http://pastebin.com/iLGWDDEQ





32 comments:

  1. Thanks for sharing. Have you tried this PoC after a reboot under a no-admin-login-to-ASDM-IDM state? I found out that, after a reboot, the PoC would fail, and the response of the POST to /+CSCOE+/cedf.html was like this:
    HTTP/1.1 200 OK
    .......
    top.close(); top.location.replace('/+CSCOE+/blank.html')

    But after I logined to ASDM-IDM, the reponse of POST to /+CSCOE+/cedf.html with the same request would be like this, which was a sign of success:
    HTTP/1.0 302 Object Moved
    .......
    Location: /+CSCOE+/cedlogon.html?obj=DfltCustomization&preview=logon&f=title&pf=logon

    My test env was ASAv 9.2(1) running on VMWare, too.

    ReplyDelete
  2. Interesting! Good to know. I hadn't done very extensive testing, so I hadn't seen that situation.

    ReplyDelete
  3. This comment has been removed by the author.

    ReplyDelete
  4. This comment has been removed by a blog administrator.

    ReplyDelete
  5. This comment has been removed by a blog administrator.

    ReplyDelete
  6. Would be interested to see if 9.1(1) is vulnerable.

    ReplyDelete
  7. This comment has been removed by a blog administrator.

    ReplyDelete
  8. if you need more informations about ssl and how to secure your personal information's while using the internet please check this link
    http://www.openvpnandroid.com/ssl-vpn/

    ReplyDelete
  9. If you need more information about VPN services,check this link.
    top10-bestvpn.com

    ReplyDelete
  10. Thanks.Awesome article about VPN backdoor.
    Nice VPN services.
    10webhostingservice

    ReplyDelete
  11. Quite informative post if you need more information about VPN look at this link www.fastvpnservice.com

    ReplyDelete
  12. Interested in choosing the right VPN for you? Read the reviews first! On vpnhive.com you can find detailed reviews of the best VPN providers out there.

    ReplyDelete
  13. Thankful to you an extraordinary arrangement for giving individuals a to a great degree bewildering believability to examine fundamental overviews from this site.
    Best vpn

    ReplyDelete
  14. Its a great pleasure reading your post.Its full of information I am looking for and I love to post a comment that "The content of your post is awesome" Great work.
    Bitcoin VPN

    ReplyDelete
  15. High-end VPN systems normally offer a variety of secured VPN protocols. Before you sign up for one, you need to look for the protocol that supports a number of different devices, including L2TP/IPsec and PPTP. John

    ReplyDelete
  16. Whereas if you are using a free VPN account you can generally use only a small amount of data. why a vpn

    ReplyDelete
  17. This is the best blog i have seen about the vpn. Keep up the excellent work.I am really impressed.

    get vpn

    ReplyDelete
  18. Great info! I recently came across your blog and have been reading along. I thought I would leave my first comment. I don’t know what to say except that I have.
    https://bestcheapvpn.com/hidemyass-vpn-review-comparison/

    ReplyDelete
  19. What a fantabulous post this has been. Never seen this kind of useful post. I am grateful to you and expect more number of posts like these. Thank you very much.
    buy vpn online with credit card

    ReplyDelete
  20. If you are looking for VPN service and want to purchase it with Discount you can use Promo Codes that can give you 20% discount.

    ReplyDelete
  21. I have Used VPN Coupon Codes to get 10% discount on purchase of VPN service.

    ReplyDelete
  22. I have recently Purchased VPN Premium service with 20% discount, if you are planing to buy service and want to get discount you can use Promo Code from this website.

    ReplyDelete
  23. This comment has been removed by the author.

    ReplyDelete
  24. using VPN from last three months its excellent with best features. Also I recommend others to buy it because it gives best VPN Service

    ReplyDelete
  25. fintech sandpit

    Welcome to Fintech Sandpit, We are the best Fintech innovation platform for financial services innovation. We provide a wide range of Fintech prototyping environment, Fintech data workbench, fin-tech marketplace, Fintech sandbox service.


    to get more - https://www.fintechsandpit.com/

    ReplyDelete
  26. fintech data workbench

    Welcome to Fintech Sandpit, We are the best Fintech innovation platform for financial services innovation. We provide a wide range of Fintech prototyping environment, Fintech data workbench, fin-tech marketplace, Fintech sandbox service.

    to get more - https://www.fintechsandpit.com/

    ReplyDelete
  27. fintech data workbench

    Welcome to Fintech Sandpit, We are the best Fintech innovation platform for financial services innovation. We provide a wide range of Fintech prototyping environment, Fintech data workbench, fin-tech marketplace, Fintech sandbox service.

    to get more - https://www.fintechsandpit.com/

    ReplyDelete
  28. Very significant Information for us, I have think the representation of this Information is actually superb one. This is my first visit to your site. Fast VPN Server UK

    ReplyDelete