Before explaining why, some disclosures may be in order: while I wasn't on this project with David or Jordan, I actually worked at Exodus Intelligence during the discovery of this vulnerability and the initial exploitation attempts. I feel that this is far from the truth, and this article is a response to such notions.

Unfortunately, both he and I left Exodus before the disclosure of the bug, so I can't comment on the decision to release it in such a state. Since the initial disclosure, I've worked both with him and independently to find a fruitful memory disclosure, but to no avail. I'm positive that given more time, he would have found an information leak necessary to circumvent that. Given enough time, I'm sure it would come about, but the bug is patched. Releasing a module now that could be used to compromise one's own personal device running an outdated software release feels like a wasted effort at best. Rather, with the aforementioned questions and discussions in mind, I felt that more value would be had in using this as a teaching opportunity.

I believe this is actually an extremely good way to get one's feet wet in the field. The ASA runs on a common architecture, can be had with a valid license relatively cheaply, and requires no electronics knowledge to begin picking apart. Any bugs you may eventually find could prove rather valuable. Though other, cheaper options do exist, by far the easiest approach to this is purchasing an ASA. The other options include possibly using the ASA virtual appliance (which I have not investigated at all), or virtualization of the system software via other means. For those of you so inclined, many Cisco certification seekers have formed a community centered around the effort to emulate the software within QEMU and GNS3. Patches, scripts aimed at both packing and unpacking images, and hacked binaries exist for several older versions; however, none was available at the time of writing for the vulnerable release. Google is your friend! I did attempt getting it running inside of QEMU, but the amount of work required to succeed when all you want to do is debug is quite daunting, so I went with a physical device.

Debugging via the serial console is slow, and you'll likely be rebooting the device a lot. You definitely want to eliminate any bottlenecks that you can before you begin. On the hardware end, if you do end up getting an actual ASA, be sure to upgrade the RAM if it's operating with anything less than 256MB. I myself decided to risk $12 on a 1GB PC-3200 184-pin DIMM from Fry's that looked as if a small animal had been using the packaging as a chew toy. As for the serial connection, I use and recommend Parallax's USB to RS-232 adapter. So far it has worked flawlessly.

Platform Overview

My bookshelf is lined with tomes such as Compilers (the classic "dragon book"), Windows NT Device Driver Development, Inside OLE, and many other equally thick books. I am all for rigorous academic discourses on various topics when the situation calls for it. This is not such a situation. I feel that reverse engineering is often more about knowing what you need to ignore than trying to know everything one possibly can. For our purposes, I believe the salient points that require focus are as follows:

The system boot sequence involves traversing through the BIOS, ROMMON (ROM Monitor, Cisco's bootstrap program available on this and other devices), GRUB, and off into Linux land, which ends by loading the lina binary, which we will speak more of later.
It has a removable CF card which contains the firmware image.

As I mentioned earlier, shell scripts and techniques for unpacking and repacking the firmware exist online, albeit not publicly for version 9.2.4. While I won't link them, they are worth investigating for educational purposes, as the same general approach can be used for reversing firmware for other devices. (Alec's presentation is actually really, really good. You should definitely check it out after reading this.) I had originally intended to extract and repack the firmware myself, but after bouncing around ideas with David Barksdale, he provided me with an alternative, that being a zen-like, that's-so-stupid-why-didn't-I-think-of-that offset. 'xxd', 'dd', a keen mind, and a little experience are all that are truly required. Assuming you have a copy of the vulnerable ASA firmware (asa924-k8.bin), open the file in your favorite hex editor. I recommend you also check out devttys0's excellent tool binwalk, as it can simplify much of the process for you. You should see something like:

This certainly looks relevant to our interests, almost like it might be Linux kernel boot parameters or something. I wonder what would happen if we used a clever 1994-era trick and overwrote some of these options with something like: rdinit=/bin/sh

Save the file as something like asa924-k8-hax.bin. Once we have our modified image, we can transfer it to our device using one of a few methods, such as via TFTP from the ROMMON interface, or writing it to the CF card. The TFTP process is fairly simple and well documented in the product manuals, so there's no need to run out and buy one if you're lacking such. I had one lying around, so I went the card writer route. With the CF card mounted in the OS of your choice, you can simply copy the file to the top level directory. When you see "Use BREAK or ESC to interrupt boot", do exactly as it says, and you should end up with something quite similar:

From the ROMMON prompt, we can force the device to load our firmware by using boot disk0:/asa924-k8-hax.bin. Hit enter and be patient.

With the boot sequence hijacked, we need to find a way to cleanly start lina under gdbserver. Cisco has simplified this process for us by cramming nearly all functionality that makes an ASA more useful than a decked out Raspberry Pi into one place: the lina process. At least in my experience, and apart from the WebVPN interface which I have not investigated, nearly all packet filtering, QoS, and protocol capabilities, among others, are handled by this process. There may be some other binaries I've overlooked, but lina is sufficiently large and complex to keep one busy for a long time. From here it follows that one should be able to debug the lina process by connecting gdb over the serial line. This is true save for one final hurdle.

After executing the real init process with the last line, if everything went according to plan, you should soon see a screen such as this:

Finally! You might think we're done at this point, and you wouldn't be foolish to assume so despite the fact that you'd be wrong.