Skip to content

Cisco ASA Software and ASDM Security Research

License

Notifications You must be signed in to change notification settings

jbaines-r7/cisco_asa_research

Repository files navigation

Cisco ASA Research

This repository contains slides and code presented at Black Hat USA 2022 and DEF CON 30. The following can be found:

  • Slides
    • DEF CON 30 and Black Hat slide decks. The DEF CON deck is slightly longer due to a longer time slot.
  • theway - a tool for creating malicious/distributable ASDM packages for the Cisco ASA (CVE-2022-20829).
  • whatsup - a tool for creating malicious/distributable Cisco FirePOWER module installation packages (No CVE).
  • pinchme - a tool for creating malicious/distributable Cisco FirePOWER boot images (No CVE).
  • slowcheetah - a tool for uploading FirePOWER module boot images to Cisco ASA-X and catching reverse shells.
  • staystaystay - an exploit for CVE-2021-1585, an unath RCE vulnerability affecting Cisco ASDM.
  • asdm_version_scanner - a tool for scanning ASA ASDM web interfaces and collecting versions. The repository contains results from an internet scan conducted on June 17, 2022.
  • getchoo - a tool for extracting the contents of an ASDM sgz file.
  • modules/ (Metasploit):
    • An RCE module for CVE-2022-20828: Remote ASDM -> FirePOWER root.
    • An RCE module for CVE-2021-1585: Unauthenticated RCE affecting ASDM client.
    • An RCE module that installs a Cisco FirePOWER boot image, roots it, and grabs a meterpreter root shell (No CVE).
    • A PackRat post-exploitation module to extract credentials from ASDM client log files (CVE-2022-20651)
    • An ASDM (HTTP) brute-force authentication module.
    • A module for dumping the ASA running-config over ASDM (HTTP).
  • yara/ contains YARA rules to help identify malicious files or exploitation.
  • slides/ contains the slide decks presented at BH USA 2022 and DEF CON 30.