Infiltrate Security Conference OPEN CFP

TALK PROFILE

Discovering & exploiting a Cisco ASA pre-auth RCE vulnerability

Exploit Development
45

In 2017, we released tools [1] and published a series of 8 blog posts [2] on Cisco ASA internals. This talk is about the journey of how we discovered a remote pre-authentication vulnerability in the AnyConnect service of Cisco ASA firewalls and how we exploited it to achieve remote code execution and obtain a Cisco shell. AnyConnect/WebVPN is generally enabled on the ASA external interface, as it is the base for Cisco's implementation of their SSL-based VPN. It is used both by clientless authentication via the browser and by the Cisco AnyConnect standalone client. Our talk details the general architecture of the fuzzer used to find the double free vulnerability, our analysis of the bug, and how we exploited it. The fuzzing architecture could be used to fuzz other protocols found on Cisco devices. We also describe a generic way to leverage fragmented IKEv1 packets both for heap feng shui and for creating a write primitive. The AnyConnect vulnerability has been reported to Cisco, which assigned it a CVSS score of 10.0. They will release an advisory about it in early 2018.
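The abstract names fragmented IKEv1 packets as a heap feng shui lever but does not describe the mechanism. As an added illustration (not code from the talk, the authors' tools, or Cisco), the following Python builds and parses IKEv1 fragmentation payloads in the Cisco/draft-ietf-ipsec-ikev1-frag layout (ISAKMP payload type 132 with an 8-byte fragment header: next payload, reserved, payload length, fragment ID, fragment number, flags, where flag 0x01 marks the last fragment) and models a responder that buffers fragments until the set is complete. The point it shows is generic: a sender who withholds the last fragment chooses how many buffers of what size stay alive on the receiver's heap, and completing the set releases them. The header layout is from my own reading of the draft, the `FragmentReassembler` class is a simplified model I wrote for this example, and nothing here claims to reproduce how the ASA itself allocates or frees these buffers.

```python
import struct

ISAKMP_HDR_LEN = 28
ISAKMP_HDR_FMT = ">8s8sBBBBII"   # icookie, rcookie, next payload, version, exchange, flags, msgid, length
PAYLOAD_FRAGMENT = 132           # IKE fragmentation payload type (Cisco / draft-ietf-ipsec-ikev1-frag)
FRAG_HDR_LEN = 8
FRAG_HDR_FMT = ">BBHHBB"         # next payload, reserved, payload length, fragment id, fragment number, flags
FLAG_LAST_FRAGMENT = 0x01
EXCH_IDENTITY_PROTECTION = 2     # Main Mode
IKEV1_VERSION = 0x10


def isakmp_header(icookie, rcookie, next_payload, total_len, exchange=EXCH_IDENTITY_PROTECTION):
    """28-byte ISAKMP header with message ID and flags zeroed."""
    return struct.pack(ISAKMP_HDR_FMT, icookie, rcookie, next_payload, IKEV1_VERSION,
                       exchange, 0, 0, total_len)


def fragment_payload(frag_id, frag_num, data, last=False):
    """One fragmentation payload (type 132) carrying `data`."""
    flags = FLAG_LAST_FRAGMENT if last else 0
    return struct.pack(FRAG_HDR_FMT, 0, 0, FRAG_HDR_LEN + len(data), frag_id, frag_num, flags) + data


def build_fragments(icookie, rcookie, frag_id, sizes, first_num=1, finish=False, fill=b"A"):
    """Return one UDP payload per entry in `sizes`, each carrying that many bytes of
    fragment data.  With finish=False no packet carries the last-fragment flag, so a
    receiver that buffers fragments until the set completes keeps every buffer alive."""
    packets = []
    for i, size in enumerate(sizes):
        num = first_num + i
        last = finish and i == len(sizes) - 1
        payload = fragment_payload(frag_id, num, fill * size, last)
        hdr = isakmp_header(icookie, rcookie, PAYLOAD_FRAGMENT, ISAKMP_HDR_LEN + len(payload))
        packets.append(hdr + payload)
    return packets


class FragmentReassembler:
    """Simplified (hypothetical) model of a responder: fragments are keyed by
    (cookies, fragment id) and held until the fragment flagged as last arrives."""

    def __init__(self):
        self.pending = {}

    def receive(self, packet):
        """Buffer one packet; return the reassembled message when a set completes, else None."""
        if len(packet) < ISAKMP_HDR_LEN:
            return None
        icookie, rcookie, nxt, _ver, _exch, _flags, _msgid, length = struct.unpack(
            ISAKMP_HDR_FMT, packet[:ISAKMP_HDR_LEN])
        if nxt != PAYLOAD_FRAGMENT or length != len(packet):
            return None
        body = packet[ISAKMP_HDR_LEN:]
        if len(body) < FRAG_HDR_LEN:
            return None
        _np, _rsv, plen, frag_id, num, flags = struct.unpack(FRAG_HDR_FMT, body[:FRAG_HDR_LEN])
        if plen != len(body):
            return None
        key = (icookie, rcookie, frag_id)
        self.pending.setdefault(key, {})[num] = body[FRAG_HDR_LEN:]   # one buffer per fragment
        if not flags & FLAG_LAST_FRAGMENT:
            return None
        frags = self.pending[key]
        if sorted(frags) != list(range(1, num + 1)):
            return None                                               # incomplete set stays buffered
        del self.pending[key]                                         # completing the set frees them all
        return b"".join(frags[n] for n in range(1, num + 1))

    def pending_bytes(self):
        """Total fragment data currently held for incomplete sets."""
        return sum(len(d) for frags in self.pending.values() for d in frags.values())


if __name__ == "__main__":
    # Constructed demo: three fragments of chosen sizes stay resident, the fourth releases them.
    ic, rc = b"\x01" * 8, b"\x00" * 8
    r = FragmentReassembler()
    for p in build_fragments(ic, rc, 1, [64, 128, 256]):
        r.receive(p)
    print("buffered bytes after 3 fragments:", r.pending_bytes())
    done = r.receive(build_fragments(ic, rc, 1, [32], first_num=4, finish=True)[0])
    print("reassembled:", len(done), "bytes; buffered now:", r.pending_bytes())
```

Varying `sizes` and the number of distinct fragment IDs is what gives a sender fine-grained control over which allocator size classes are populated and in what order; sending the final fragment (or, on a real device, waiting for a reassembly timeout) is the corresponding free.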

Rated 3 - 61 reviewers


Interested in Speaking?

We are pleased to announce that the Call For Papers for INFILTRATE 2018 is now open. If you would like to present and have an offense-focused presentation with fresh content, please submit an abstract, bio and headshot to cfp@immunityinc.com. This information will be included on our Open CFP site, here, where the public can vote on which presentations they are most interested in seeing at INFILTRATE. The call for papers will close on December 14th, 2017. Shortly after this date, the winning speakers will be notified.

Some of the benefits of speaking at INFILTRATE are:

  • A trip to Miami Beach during the non-gates-of-hell hot season
  • A stay at one of the premier luxury resorts in the area
  • A no-bullshit environment where you don't have to be apologetic about
  • Ability to participate in the first-ever profit-sharing conference