In 2017, we released tools and published a series of 8 blog posts on Cisco ASA internals. This talk is about the journey of how we discovered a remote pre-authentication vulnerability in the AnyConnect service of Cisco ASA firewalls and how we exploited it to achieve remote code execution and obtain a Cisco shell. AnyConnect/WebVPN is generally enabled on the ASA external interface, as it is the basis for Cisco's implementation of their SSL-based VPN. It is used both by clientless authentication via the browser and by the Cisco AnyConnect standalone client. Our talk details the general architecture of the fuzzer used to find the double free vulnerability, our analysis of the bug, and how we exploited it. The fuzzing architecture could be used to fuzz other protocols found on Cisco devices. We also describe a generic way to leverage fragmented IKEv1 packets for both heap feng shui and for creating a write primitive. The AnyConnect vulnerability has been reported to Cisco, which assigned it a CVSS score of 10.0. They will release an advisory about it in early 2018.
We are pleased to announce that the Call For Papers for INFILTRATE 2018 is now open. If you would like to present and have an offense-focused presentation with fresh content, please submit an abstract, bio and headshot to firstname.lastname@example.org. This information will be included on our Open CFP site, here, where the public can vote on which presentations they are most interested in seeing at INFILTRATE. The call for papers will close on December 14th, 2017. Shortly after this date, the winning speakers will be notified.
Some of the benefits of speaking at INFILTRATE are: