SeasCoASA: Exploiting a Small Leak in a Great Ship

Cisco ASA is one of the most widely used firewall/VPN solutions for small to medium businesses – a unified threat management device combining several network security functions in one box.

A lot of research for Cisco ASA has been done in the last three years. Exodus Intel disclosed a heap overflow in IKE Cisco fragmentation(CVE-2016-1287) which was rewarded as best server-side bug in the Pwnie 2016. However, Exodus researchers were able to turn this vulnerability into an epic win base on a lack of non-executable memory and ASLR protections.

In 2017 The Shadow Brokers revealed the existence of two exploits against the ASA called EPICBANANA and EXTRABACON, and a code insertion implant called BANANAGLEE, all of which affect only ASA versions before 900. A security flaw in a WebVPN feature (CVE-2018-0101) was reported by Recon Brussels in 2018. The ASA Recon Brussels demonstrating in Recon 2018 is asa924 which lacks non-executable memory and ASLR protections. However, it has already become a trend that all protection mechanisms including ASLR, NX and PIE, enabled from version 9.5.3 which means that not any public exploit, as far as I know, remains available.

This presentation will disclose the detail of a new technique fighting against all protection mechanisms in the latest version of ASA.

Another problem pops: ASA system is so complicated that hundreds of “malloc” and “free” are called after a simple http request, which makes the heap exploit extremely unstable. This presentation will also cover a kind of heap fengshui skill to elevate the success rate to more than 90 percentages.

This presentation will disclose an 0day vulnerability affecting most major version of the Cisco ASA devices, as well as discuss a new kind of exploit technique which can remote code execute in the Cisco ASA with an authenticated user.

Location: Track 1 Date: May 9, 2019 Time: 5:30 pm - 6:30 pm Kaiyi Xu Lily Tang