Cisco Adaptive Security Appliance

Cisco Adaptive Security Appliance (ASA)

CVE-2020-3452

# Validate with Metasploit
use auxiliary/scanner/http/cisco_directory_traversal

List of files from some light reverse engineering of a Cisco ASA device:

+CSCOCA+/ca_inc.lua
+CSCOCA+/crl/asa_ca.crl
+CSCOCA+/enroll.html
+CSCOCA+/login.html
+CSCOE+/041235123432C2
+CSCOE+/041235123432U2
+CSCOE+/app_index.html
+CSCOE+/appstart.js
+CSCOE+/appstatus
+CSCOE+/ask.html
+CSCOE+/auth.html
+CSCOE+/autosignon_api.js
+CSCOE+/blank.html
+CSCOE+/cedf.html
+CSCOE+/cedhelp.html
+CSCOE+/ced.html
+CSCOE+/cedlogon.html
+CSCOE+/cedmain.html
+CSCOE+/cedportal.html
+CSCOE+/cedsave.html
+CSCOE+/cert.html
+CSCOE+/color_picker.html
+CSCOE+/color_picker.js
+CSCOE+/common.js
+CSCOE+/commonspawn.js
+CSCOE+/display_bookmarks.lua
+CSCOE+/files/browse.html
+CSCOE+/files/domains_retr
+CSCOE+/files/file_action.html
+CSCOE+/files/files.js
+CSCOE+/files/files_retr
+CSCOE+/files/webfolder
+CSCOE+/files/wfolder
+CSCOE+/gp-gip.html
+CSCOE+/handler
+CSCOE+/help/webvpn_help
+CSCOE+/home/index.html
+CSCOE+/http_auth.html
+CSCOE+/include/browser_inc.lua
+CSCOE+/include/common.lua
+CSCOE+/include/plugin.lua
+CSCOE+/lced.html
+CSCOE+/load_bookmarks.lua
+CSCOE+/localization_inc.lua
+CSCOE+/logo.gif
+CSCOE+/logon_custom.css
+CSCOE+/logon_forms.js
+CSCOE+/logon.html
+CSCOE+/logon.html
+CSCOE+/logon_redirect.html
+CSCOE+/logout.html
+CSCOE+/message.html
+CSCOE+/noportal.html
+CSCOE+/nostcaccess.html
+CSCOE+/no_svc.html
+CSCOE+/ping.html
+CSCOE+/pluginlib.js
+CSCOE+/portal_ce.html
+CSCOE+/portal.css
+CSCOE+/portal_custom.css
+CSCOE+/portal_elements.html
+CSCOE+/portal_forms.js
+CSCOE+/portal.html
+CSCOE+/portal_inc.lua
+CSCOE+/portal.js
+CSCOE+/posturl.html
+CSCOE+/preview.html
+CSCOE+/relayjar.html
+CSCOE+/relaymonjar.html
+CSCOE+/relaymonocx.html
+CSCOE+/relayocx.html
+CSCOE+/running.conf
+CSCOE+/saml/sp/acs
+CSCOE+/saml/sp/login
+CSCOE+/saml/sp/metadata
+CSCOE+/save_capture.html
+CSCOE+/sdesktop/fail.html
+CSCOE+/sdesktop/logout.html
+CSCOE+/sdesktop/scan.xml
+CSCOE+/sdesktop/tokenrenew.xml
+CSCOE+/sdesktop/token.xml
+CSCOE+/sdesktop/wait.html
+CSCOE+/sdesktop/webstart.xml
+CSCOE+/session.js
+CSCOE+/session_password.html
+CSCOE+/sess_update.html
+CSCOE+/shshim
+CSCOE+/shshimdo_url
+CSCOE+/smart_tunnel_install.html
+CSCOE+/st_dl.json
+CSCOE+/svc.html
+CSCOE+/tlbr
+CSCOE+/tlbrportal_forms.js
+CSCOE+/tunnel_linux.jnlp
+CSCOE+/tunnel_mac.html
+CSCOE+/tunnel_mac.jnlp
+CSCOE+/useralert.html
+CSCOE+/user_dialog.html
+CSCOE+/win.js
+CSCOE+/wrong_url.html
+CSCOL+/cte_fallback.js
+CSCOL+/cte.js
+CSCOL+/relayparam.js
+CSCOL+/sw.js
+CSCOL+/xsl.js
CSCOSSLC/config-auth
+CSCOT+/oem-customization
+CSCOT+/translation
+CSCOT+/translation-table
+CSCOU+/anyconnect_unsupported_version.html
+CSCOU+/anyconnect_wrong_url.html
+CSCOU+/portal.css
+CSCOU+/sample.html
locale/manifest_data.lua

CVE-2020-3580

If you have compromised a valid users session to Cisco ASA you can recover plaintext credentials leveraging the following exploit:

PreviousCisco NextCisco Smart Install

Last updated 1 year ago

+CSCOCA+/ca_inc.lua +CSCOCA+/crl/asa_ca.crl +CSCOCA+/enroll.html +CSCOCA+/login.html +CSCOE+/041235123432C2 +CSCOE+/041235123432U2 +CSCOE+/app_index.html +CSCOE+/appstart.js +CSCOE+/appstatus +CSCOE+/ask.html +CSCOE+/auth.html +CSCOE+/autosignon_api.js +CSCOE+/blank.html +CSCOE+/cedf.html +CSCOE+/cedhelp.html +CSCOE+/ced.html +CSCOE+/cedlogon.html +CSCOE+/cedmain.html +CSCOE+/cedportal.html +CSCOE+/cedsave.html +CSCOE+/cert.html +CSCOE+/color_picker.html +CSCOE+/color_picker.js +CSCOE+/common.js +CSCOE+/commonspawn.js +CSCOE+/display_bookmarks.lua +CSCOE+/files/browse.html +CSCOE+/files/domains_retr +CSCOE+/files/file_action.html +CSCOE+/files/files.js +CSCOE+/files/files_retr +CSCOE+/files/webfolder +CSCOE+/files/wfolder +CSCOE+/gp-gip.html +CSCOE+/handler +CSCOE+/help/webvpn_help +CSCOE+/home/index.html +CSCOE+/http_auth.html +CSCOE+/include/browser_inc.lua +CSCOE+/include/common.lua +CSCOE+/include/plugin.lua +CSCOE+/lced.html +CSCOE+/load_bookmarks.lua +CSCOE+/localization_inc.lua +CSCOE+/logo.gif +CSCOE+/logon_custom.css +CSCOE+/logon_forms.js +CSCOE+/logon.html +CSCOE+/logon.html +CSCOE+/logon_redirect.html +CSCOE+/logout.html +CSCOE+/message.html +CSCOE+/noportal.html +CSCOE+/nostcaccess.html +CSCOE+/no_svc.html +CSCOE+/ping.html +CSCOE+/pluginlib.js +CSCOE+/portal_ce.html +CSCOE+/portal.css +CSCOE+/portal_custom.css +CSCOE+/portal_elements.html +CSCOE+/portal_forms.js +CSCOE+/portal.html +CSCOE+/portal_inc.lua +CSCOE+/portal.js +CSCOE+/posturl.html +CSCOE+/preview.html +CSCOE+/relayjar.html +CSCOE+/relaymonjar.html +CSCOE+/relaymonocx.html +CSCOE+/relayocx.html +CSCOE+/running.conf +CSCOE+/saml/sp/acs +CSCOE+/saml/sp/login +CSCOE+/saml/sp/metadata +CSCOE+/save_capture.html +CSCOE+/sdesktop/fail.html +CSCOE+/sdesktop/logout.html +CSCOE+/sdesktop/scan.xml +CSCOE+/sdesktop/tokenrenew.xml +CSCOE+/sdesktop/token.xml +CSCOE+/sdesktop/wait.html +CSCOE+/sdesktop/webstart.xml +CSCOE+/session.js +CSCOE+/session_password.html +CSCOE+/sess_update.html +CSCOE+/shshim +CSCOE+/shshimdo_url +CSCOE+/smart_tunnel_install.html +CSCOE+/st_dl.json +CSCOE+/svc.html +CSCOE+/tlbr +CSCOE+/tlbrportal_forms.js +CSCOE+/tunnel_linux.jnlp +CSCOE+/tunnel_mac.html +CSCOE+/tunnel_mac.jnlp +CSCOE+/useralert.html +CSCOE+/user_dialog.html +CSCOE+/win.js +CSCOE+/wrong_url.html +CSCOL+/cte_fallback.js +CSCOL+/cte.js +CSCOL+/relayparam.js +CSCOL+/sw.js +CSCOL+/xsl.js CSCOSSLC/config-auth +CSCOT+/oem-customization +CSCOT+/translation +CSCOT+/translation-table +CSCOU+/anyconnect_unsupported_version.html +CSCOU+/anyconnect_wrong_url.html +CSCOU+/portal.css +CSCOU+/sample.html locale/manifest_data.lua