Monday, October 27, 2014

Cisco ASA SSL VPN Backdoor PoC (CVE-2014-3393)

A coworker and I recently had the opportunity to work with a new vulnerability released at Ruxcon just earlier this month and while we didn't get exactly what we wanted, it was quite interesting.

The conference presentation was titled "Breaking Bricks and Plumbing Pipes: Cisco ASA a Super Mario Adventure" https://ruxcon.org.au/assets/2014/slides/Breaking%20Bricks%20Ruxcon%202014.pdf and was EXTREMELY interesting. The researcher Alec Stuart-Muirk managed to "jailbreak" the ASA and from there do some cool things with it, including a code audit of the publicly facing SSL VPN interface.

One thing that came out during the code audit was that the authorization check on some of the administrative interface pages can be bypassed by setting the cookie value to any valid file on the file system. I'm not going to get into too much detail because the slides cover it well, but basically this allows you to make modifications to the SSL VPN page WITHOUT AUTHENTICATION. This vulnerability is CVE-2014-3393 and affected versions can be found at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3393. He also released a way to pull the version from a remote ASA - it's as simple as hitting the following URL: https://<IP ADDRESS>/CSCOSSLC/config-auth
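From the defender's side, the two things described above (a request to the customization editor pages carrying a file path where a session cookie should be, and an anonymous hit on /CSCOSSLC/config-auth to read the version) are both visible in web access logs in front of, or on, the ASA. The following is an added example, not code from the post or from Cisco, that scans constructed access-log lines for those two patterns. It assumes a Combined Log Format line with the request's Cookie header appended as a final quoted field, assumes the "cedsave request" the post mentions lives under /+CSCOE+/cedsave, and uses a constructed management network (10.10.0.0/16) as the set of sources allowed to edit the portal.

```python
"""Added example (not the post's own code): flag CVE-2014-3393-style access to the
ASA SSL VPN customization editor and anonymous version probes in web access logs."""
import re
from ipaddress import ip_address, ip_network

# Endpoints named in the post and its comments. The "/+CSCOE+/cedsave" prefix is an
# assumption about the path of the "cedsave request" the post refers to.
EDITOR_PATHS = ("/+CSCOE+/cedf.html", "/+CSCOE+/cedlogon.html", "/+CSCOE+/cedsave")
VERSION_PROBE = "/CSCOSSLC/config-auth"

# Constructed: networks from which administrators legitimately edit the portal.
MGMT_NETS = [ip_network("10.10.0.0/16")]

# Constructed log format: Combined Log Format plus the Cookie header as a last
# quoted field:  src - - [ts] "METHOD PATH PROTO" status bytes "ref" "ua" "cookie"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = entry["path"].split("?", 1)[0]  # drop the query string
    return entry


def looks_like_file_path(cookie):
    """The bypass puts a filesystem path in the webvpn cookie instead of a session
    token. Treat a webvpn value containing '/' or '..' as suspicious."""
    m = re.search(r"(?:^|;\s*)webvpn=([^;]*)", cookie)
    if not m:
        return False
    value = m.group(1)
    return "/" in value or ".." in value


def classify(entry):
    """Return a finding label for a parsed entry, or None if it is unremarkable."""
    src = ip_address(entry["src"])
    in_mgmt = any(src in net for net in MGMT_NETS)
    path, cookie = entry["path"], entry["cookie"]
    if path.startswith(EDITOR_PATHS):
        if looks_like_file_path(cookie):
            return "editor-access-with-path-cookie"
        if not in_mgmt:
            return "editor-access-from-untrusted-source"
        return None
    if path == VERSION_PROBE and not in_mgmt:
        return "version-probe"
    return None


def scan(lines):
    """Return (src, method, path, status, reason) for every flagged log line."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            findings.append((entry["src"], entry["method"], entry["path"],
                             entry["status"], reason))
    return findings


# Constructed sample log: an external host reads the version, then posts to the
# editor with a path-valued cookie; an admin edits from the management net; an
# ordinary user loads the login page; an external host hits the save endpoint.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Oct/2014:10:01:02 +0000] "GET /CSCOSSLC/config-auth HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"',
    '203.0.113.5 - - [27/Oct/2014:10:01:09 +0000] "POST /+CSCOE+/cedf.html HTTP/1.1" 302 0 "-" "-" "webvpn=/constructed/path/file.html"',
    '10.10.3.7 - - [27/Oct/2014:10:05:00 +0000] "GET /+CSCOE+/cedlogon.html?obj=DfltCustomization&preview=logon&f=title&pf=logon HTTP/1.1" 200 4096 "-" "Mozilla/5.0" "webvpn=ABCDEF0123456789"',
    '198.51.100.9 - - [27/Oct/2014:10:06:11 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-"',
    '198.51.100.9 - - [27/Oct/2014:10:07:45 +0000] "POST /+CSCOE+/cedsave.html HTTP/1.1" 200 0 "-" "Mozilla/5.0" "webvpn=ABCDEF0123456789"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the first, second and fifth lines are flagged; the admin's edit from the management network and the ordinary login-page request are not. The 302 on the second line matches what the first commenter below reports as the response of a successful POST to /+CSCOE+/cedf.html, but the rule keys on the cookie and the source, not on the status code, because the same request returns 200 when the bypass does not work.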

As a penetration tester this is very interesting because it allows us to backdoor the SSL VPN, and easily intercept plaintext credentials. Even those using 2 factor authentication wouldn't be safe from such an attack as the attacker could immediately use the intercepted token to login.

We spotted the SSL VPN login page in the wild recently and decided to take a crack at this vulnerability. The first step was to get a test setup running - since none of us own an ASA we "acquired" a virtual one. There might be a VMWare image here with such a thing running a vulnerable version.

After that, we simply proxied and intercepted the target requests. Interestingly, we had to make some modifications to the PoC posted in the Ruxcon presentation to get it to work (remove the User-Agent header from the cedsave request), indicating that minor version differences may require further testing to get it running. After making the appropriate modifications to the target requests, as detailed in the Ruxcon presentation, we were able to successfully backdoor our SSL VPN without authentication! Really cool stuff!

For those who would like to try at home, I've uploaded a BURP state https://github.com/breenmachine/various with the required requests in the "Repeater" tab to save you from typing them. This was tested on version ASA 9.2(1) and probably will require modification for other versions. Simply configure your ASA, point BURP at it, and give it a shot.

If anyone gets this working on other versions of ASA, I'd like to hear about the necessary modifications.

EDIT:
For those without a copy of BURP Pro, these are the requests you'll need:
http://pastebin.com/D7H9CVPf
http://pastebin.com/iLGWDDEQ

19 comments:

  1. Thanks for sharing. Have you tried this PoC after a reboot under a no-admin-login-to-ASDM-IDM state? I found out that, after a reboot, the PoC would fail, and the response of the POST to /+CSCOE+/cedf.html was like this:
    HTTP/1.1 200 OK
    .......
    top.close(); top.location.replace('/+CSCOE+/blank.html')

    But after I logged in to ASDM-IDM, the response to the POST to /+CSCOE+/cedf.html with the same request would be like this, which was a sign of success:
    HTTP/1.0 302 Object Moved
    .......
    Location: /+CSCOE+/cedlogon.html?obj=DfltCustomization&preview=logon&f=title&pf=logon

    My test env was ASAv 9.2(1) running on VMWare, too.

  2. Interesting! Good to know. I hadn't done very extensive testing, so I hadn't seen that situation.

  3. This comment has been removed by the author.

  4. This comment has been removed by a blog administrator.

  5. This comment has been removed by a blog administrator.

  6. Would be interested to see if 9.1(1) is vulnerable.

  7. This comment has been removed by a blog administrator.

  8. If you need more information about SSL and how to secure your personal information while using the internet, please check this link
    http://www.openvpnandroid.com/ssl-vpn/

  9. If you need more information about VPN services, check this link.
    top10-bestvpn.com

  10. Thanks. Awesome article about VPN backdoor.
    Nice VPN services.
    10webhostingservice

  11. Quite informative post. If you need more information about VPN, look at this link www.fastvpnservice.com

  12. Interested in choosing the right VPN for you? Read the reviews first! On vpnhive.com you can find detailed reviews of the best VPN providers out there.

  13. Thankful to you an extraordinary arrangement for giving individuals a to a great degree bewildering believability to examine fundamental overviews from this site.
    Best vpn

  14. It's a great pleasure reading your post. It's full of information I am looking for and I love to post a comment that "The content of your post is awesome". Great work.
    Bitcoin VPN

  15. High-end VPN systems normally offer a variety of secured VPN protocols. Before you sign up for one, you need to look for the protocol that supports a number of different devices, including L2TP/IPsec and PPTP. John

  16. Whereas if you are using a free VPN account you can generally use only a small amount of data. why a vpn

  17. This is the best blog I have seen about the VPN. Keep up the excellent work. I am really impressed.

    get vpn
