Do Not Trust the ASA, Trojans

Explore new vulnerabilities affecting Cisco ASA and ASA-X firewalls in this Black Hat conference talk. Delve into the security implications of these widely deployed network infrastructure components, which are relied upon to protect internal networks from external threats. Discover how these firewalls have become targets for exploitation by advanced persistent threats (APTs) like the Equation Group. Learn about the Adaptive Security Device Manager (ASDM), its binary package format, and the CVE-2022-20829 vulnerability related to missing package verification. Gain insights into building and generating malicious ASDM binary packages, exploiting the expert command for root shell access, and understanding the implications of these vulnerabilities. Examine the FirePOWER module installation process, methods to access the boot image shell, and techniques for creating malicious install packages. This presentation provides valuable information for security professionals and network administrators concerned with protecting their organizations from potential firewall vulnerabilities and exploits.

Intro
Adaptive Security Appliance (ASA)
black hat Adaptive Security Device Manager (ASDM)
Understanding ASDM Starting ASDM Client Overview
ASDM Binary Package Format
Missing ASDM Package Verification (CVE-2022-20829)
Building Cisco ASDM Binary Packages
Generating Malicious ASDM Binary Packages
Malicious Cisco ASA
expert Command Yields Root Shell
An Attacker's Dream
Disable Root Shell via lockdown-sensor
ASDM Cannot Access the Root Shell
Metasploit ASDM Brute-Force Module
FirePOWER Module Installation
Drop to the FirePOWER Boot Image Shell
Metasploit FirePOWER Boot Image Root Shell Module
FirePOWER Module Unsigned Install Package
Create Malicious Install Packages