US 22 Baines Do Not Trust The ASA Trojans
Jacob Baines
Lead Security Researcher, Rapid7
August 11, 2022
Introduction
Original ASA
ASAv Product Landing Page
Sort of ASA
ASDM Product Landing Page
Understanding ASDM
Diagram: the ASDM client requests pdm.sgz, receives pdm.sgz, then loads and executes the SGZ contents within the admin session.
Exploiting ASDM
github.com/jbaines-r7/getchoo
SGZ Client Logic Isn’t Verified (CVE-2021-1585)
Cisco ASDM RCE Vulnerability (CVE-2021-1585)
1. Administrator connects to attacker using the ASDM client
CVE-2021-1585 Exploits
Exploitation
- Missing SSL verification (no CVE) plus SGZ code not verified (CVE-2021-1585)
- Evil endpoint or man in the middle
Public Exploits for CVE-2021-1585
- staystaystay: github.com/jbaines-r7/staystaystay
- Metasploit module: github.com/jbaines-r7/cisco_asa_research/tree/main/modules/cve_2021_1585
Crafting a Malicious ASDM Package
Diagram: ASDM binary package layout. Header: Magic, Description, File length, Hash. Manifest: one entry per file with Filename, Data offset, Data length. Files: Raw data.
Missing ASDM Package Verification (CVE-2022-20829)
The Way
- Parses and extracts ASDM packages
- Rebuilds ASDM packages
- Generates ASDM packages
CVE-2022-20829
github.com/jbaines-r7/theway
Generating Malicious ASDM Binary Packages
How To Get Malicious ASDM Package Installed?!
???
Supply Chain
Remotely Rooting the ASA-X FirePOWER Module
ASA-X with FirePOWER Services Explained
Recreation of Image Published by Cisco
Accessing the FirePOWER Module via Cisco CLI
The command to invoke the FirePOWER shell from the ASA CLI.
The FirePOWER shell requires a new set of credentials (admin:Admin123).
SSH Root Shell as a Feature
An Attacker’s Dream
ASDM Can Talk to the FirePOWER Module
"ASDM Book 1" by Cisco
github.com/jbaines-r7/cisco_asa_research/tree/main/modules/cve_2022_20651
HTTP Brute-Force Protection Disabled by Default
github.com/jbaines-r7/cisco_asa_research/tree/main/modules/asdm_bruteforce
Exploitation
- Authenticated command injection over HTTP or SSH to establish a root shell within the FirePOWER module VM (CVE-2022-20828).
github.com/jbaines-r7/cisco_asa_research/tree/main/modules/cve_2022_20828
Getting Root With an ASA-X FirePOWER Boot Image
FirePOWER Module Not Installed, What Do?
Get a Root Shell Using a FirePOWER Boot Image
ASA 5506-X with FirePOWER Services 6.2.3 Software Download
Install the FirePOWER Boot Image via Cisco CLI
Install and Configure a FirePOWER Services Module on an ASA Platform
FirePOWER Boot Image Shell
Boot Image Root Shell via Hard-Coded Creds
cisco123
We’re Back!
Metasploit FirePOWER Boot Image Root Shell Module
Exploitation
- Exploit the hard-coded credential to establish a root shell on an ASA-X with FirePOWER Services.
Not a vulnerability
- Disclosed to vendor in March 2022
- Vendor states this is not a vulnerability
- Fixed in Boot Image 7.0+
- Unpatchable? No mechanism to stop loading of old boot images.
Exploits
- Python script: github.com/jbaines-r7/slowcheetah
- SSH Metasploit module: github.com/jbaines-r7/cisco_asa_research/tree/main/modules/boot_image_shell
Distributable Malicious FirePOWER Boot Image for ASA-X
FirePOWER Boot Image Is… A Generic Bootable Linux ISO
Exploitation
- Create a Tiny Core Linux Bootable ISO
- Get Administrator to install it
- Sends a reverse shell to configured IP:port
Not a vulnerability
- No security expectations for the boot image.
- Doesn’t persist through reboots.
Features
- Reverse Shell
- SSH
- DOOM-ASCII
github.com/jbaines-r7/pinchme
Profit
Distributable Malicious FirePOWER Install Package for ASA-X
FirePOWER Boot Image Supports Signed Install Packages
FirePOWER Boot Image Supports Unsigned Install Packages
FirePOWER Module Unsigned Install Package
Convert a Secure Package to an Insecure Package
Exploitation
- Input: a valid, signed, Cisco-created package. Output: a valid unsigned package containing malicious code.
- Persistent payload. Survives reboots and upgrades.
Not a vulnerability
github.com/jbaines-r7/whatsup
Back Again!
Exploitation Summary
Indicators and Mitigations
YARA Rules
github.com/jbaines-r7/cisco_asa_research/blob/main/yara/