Researchers at Silent Signal in Hungary yesterday tweeted they had ported the EXTRABACON attack to ASA version 9.2(4), which was released a year ago.
— SilentSignal (@SilentSignalHU) August 23, 2016
“It’s a ‘90s style’ exploit—many CTF (capture the flag) challenges are harder than exploiting ASA,” researcher and cofounder Balint Varga-Perke told Threatpost.
EXTRABACON was analyzed shortly following the ShadowBrokers’ data dump and dubious auction by a researcher known as Xorcat, who confirmed that the Equation Group exploit for version 8.4(4) of the firewall appliance did indeed provide remote unauthenticated access over SSH or telnet.
The attack was included in a 300 MB file download made freely available by the ShadowBrokers that also included exploits, implants and other attacks against Juniper, WatchGuard, Topsec and Fortinet firewalls and networking gear. Researchers at Kaspersky Lab and elsewhere have already confirmed a “strong connection” between the ShadowBrokers dump and previously known Equation Group implants and exploits.
Varga-Perke confirmed what Cisco and others warned, that the attacks could eventually be modified to target any version.
“We analyzed the leaked exploit and compared the shellcode for different versions. Then we started to test the exploit in our lab while comparing the firmware binaries of supported and unsupported versions,” Varga-Perke said. “The main task (apart from setting up the test environment) was mainly to map the targeted code parts of the supported binary to the unsupported one, understand and fix up the leaked shellcode.”
Cisco’s Omar Santos confirmed that EXTRABACON exploits a buffer overflow vulnerability, CVE-2016-6366, in the SNMP implementation in ASA, as well as in Cisco PIX and Cisco Firewall Services Module. Santos said that an attacker could craft and send SNMP packets to the service in order to exploit the flaw; SNMP must be configured and enabled in the interface receiving the packets, however, he said.
“Crafted SNMP traffic coming from any other interface (outside or inside) cannot trigger this vulnerability,” Santos said, adding that an attacker must already know the SNMP community string. All ASA releases are affected and susceptible to remote code execution, Santos said. Cisco has yet to patch this vulnerability, but did release IPS and Snort detection signatures. Santos said a Cisco test using an exploit against an ASA 5506 appliance running 9.4(1) crashed the box.
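Santos's two preconditions (SNMP configured on the interface receiving the packets, and a known community string) translate directly into a configuration review. The following is an added Python example, not code from the article or from Silent Signal or Cisco: it audits constructed ASA `snmp-server` lines for SNMP polling on non-management interfaces and for community-string-only (v1/v2c) access with default strings; the trusted interface names and the sample config are assumptions.

```python
import re

# Constructed sample ASA running-config fragment (illustrative, not from the article).
SAMPLE_CONFIG = """\
snmp-server host inside 192.0.2.10 poll community mgmt-s3cret version 2c
snmp-server host outside 198.51.100.7 poll community public version 2c
snmp-server host management 192.0.2.20 version 3 netmon
snmp-server community public
"""

# Assumption: only these interface names face the management zone.
TRUSTED_INTERFACES = {"inside", "management"}
DEFAULT_COMMUNITIES = {"public", "private"}

HOST_RE = re.compile(
    r"^snmp-server host (?P<iface>\S+) (?P<host>\S+)"
    r"(?: (?:trap|poll))?(?: community (?P<community>\S+))?(?: version (?P<version>\S+))?"
)
GLOBAL_COMMUNITY_RE = re.compile(r"^snmp-server community (?P<community>\S+)")


def audit_snmp(config, trusted=TRUSTED_INTERFACES):
    """Return (finding, interface, host) tuples for SNMP exposure worth reviewing."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            iface, host, community = m["iface"], m["host"], m["community"]
            # The flaw is only reachable on an interface where SNMP is configured,
            # so a poller on a non-management interface widens the exposed surface.
            if iface not in trusted:
                findings.append(("snmp-on-untrusted-interface", iface, host))
            # A community keyword means v1/v2c: the string is the only secret
            # standing between a sender and the vulnerable SNMP parser.
            if community is not None:
                findings.append(("community-string-only", iface, host))
                if community in DEFAULT_COMMUNITIES:
                    findings.append(("default-community", iface, host))
            continue
        g = GLOBAL_COMMUNITY_RE.match(line)
        if g and g["community"] in DEFAULT_COMMUNITIES:
            findings.append(("default-community", "*", "*"))
    return findings


if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_CONFIG):
        print(*finding)
```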
“Many say that the risk of this attack is limited because the vulnerable interfaces should only be accessible from the management zone of a network. But many times this is not the case and we also have to think about attackers already inside a network,” Varga-Perke said. “Since we are talking about embedded systems, upgrading can also be non-trivial and there are no good tools available to detect a firewall compromise. This creates an optimal opportunity for persistence.
“Based on the above we expect that this exploit will be a tool of choice in the following years for attackers (and pentesters like us),” he said.
The ShadowBrokers data dump happened more than a week ago, when the group claimed to have hacked the Equation Group, which is widely believed to be connected to the NSA. Equation Group is considered to be atop the APT food chain and possesses a wide array of zero-day exploits and attacks against firmware and air-gapped machines used in cyberespionage campaigns worldwide.
“Pro Python coders may find more ‘beautiful’ solutions for some tasks, but that doesn’t really matter. The exploit works like a charm and it was really easy to understand and extend it,” Varga-Perke said. “It’s also noteworthy that the exploit relies on a ‘mini-framework’ that takes care of user friendliness and logging among other things. This is something that you rarely see in hobbyists’ work.”