In 2017, we released tools [1] and published a series of 8 blog posts [2] on Cisco ASA internals. This talk is about the journey of how we discovered a remote pre-authentication vulnerability in Cisco ASA firewalls in the AnyConnect service and how we exploited it to achieve remote code execution to obtain a Cisco shell.
AnyConnect/WebVPN is generally enabled on the ASA external interface as it is the base for Cisco's implementation of their SSL-based VPN. It is used by both the clientless authentication via the browser and the Cisco AnyConnect standalone client.
Our talk details the general architecture of the fuzzer used to find the double free vulnerability, our analysis of the bug, and how we exploited it. The fuzzing architecture could be used to fuzz other protocols found on Cisco devices. We also describe a generic way to leverage fragmented IKEv1 packets for both heap feng shui and for creating a write primitive. The AnyConnect vulnerability has been reported to Cisco which assigned a CVSS score of 10.0. They will release an advisory about it early 2018.
# References
* [1] https://github.com/nccgroup/asatools
* [2] https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/cisco-asa-series-part-one-intro-to-the-cisco-asa/
Cedric (@saidelike) has joined NCC Group's Exploit Development Group in 2015 and has been doing reverse engineering / exploit development for 8+ years. His current interests are memory corruption bugs in browsers, kernels, mobile devices, embedded devices, etc.
