By Joseph Graham
The Cisco Adaptive Security Appliance is a firewall that was developed to supersede the PIX firewall. In 2016, the Shadow Brokers group leaked an exploit developed by the National Security Agency’s Tailored Access Operations group that exploits a vulnerability in Cisco’s implementation of the Simple Network Management Protocol. This post will talk about the vulnerability in question, and my attempts to port an improved version of the exploit to ASA version 9.1(6).
CVE-2016-6366 is a buffer overflow vulnerability found in the SNMP code used in the ASA which can result in a reload of the ASA, since the overflow will cause the ASA to crash, or result in remote code execution. This overflow appears to be in the portion of the code that reads in the MIB that is being requested by the user.
Figure 1 – The SNMP request sent when by the exploit.
This is a classic example of a buffer overflow vulnerability, and can easily be exploited due to the lack of modern security protections such as address space layout randomization (ASLR). Since this exploit uses specific addresses in the version of the ASA software in use, ASLR would have made this exploit more difficult to exploit.
Modifying the ASA for Debugging
By far the biggest challenge I ran into when working on this project was getting the ASA to expose a debugging interface. This is fortunately somewhat easier than attempting to expose the debugging interface for Cisco IOS, which requires the use of undocumented internal IOS commands, due to the inclusion of a function gdbserver with the ASA binary, as well as a small Busybox environment that is booted before the firewall software is booted.
This Busybox environment is entirely contained within the .bin image that the ASA operating system resides in. Using binwalk, one can easily find the archive that contains this Busybox filesystem:
Figure 2 – The contents of the ASA image for version 8.2(5).
The image used here is for ASA 8.2(5), but the format is similar for every version with slightly different offsets for where the filesystem archive begins. The rootfs.img archive can be extracted and modified to enable gdbserver before the firewall starts. Specifically, the etc/asa/scripts/rcS file needs to be modified to start lina_monitor with debugging activated on /dev/ttyS0, and etc/inittab needs to be modified so that nothing is output to the serial interface on startup. The script that I wrote to manage this, as well as the files used to backdoor the image, can be found at: https://www.maxconnection.org/jmg3484/net-audit-final. These scripts use /dev/ttyS0 for debugging due to the fact that the ASA only has one serial port on it. This causes an issue where debug messages are echoed out to the serial port while gdbserver is trying to listen for a connection from a remote GDB instance. These scripts will patch the ASA firmware to start the debug interface without stepping on the debug messages printed on startup.
Issues with Exploiting ASA 9.1(6)
In late 2016, Risksense improved upon the exploit leaked by the Shadow Brokers to use only 76 bytes of code. This exploit simply patches the password verification function used by the ASA to check passwords. I attempted to modify the exploit using return addresses found in the lina process, which runs the firewall itself, but found that the stack offsets were not aligned properly. I was unable to figure out what the issue was, as disassembly of the binary itself found that the addresses referenced in the exploit (which can also be found at the repo linked above) pointed to the instructions necessary to properly execute this exploit. Included below is the crashdump generated by the ASA when running this exploit:
Figure 3 – The crash dump generated by the ASA.