A WarCon 2017 presentation: Cisco ASA - Exploiting the IKEv1 heap overflow - CVE-2016-1287
Exodus Intel released a proof of concept (POC) in early 2016, demonstrating how to obtain remote code execution on Cisco Adaptive Security Appliance (ASA) firewalls exposed to the internet.
The POC exploits a pre-authentication vulnerability in Internet Key Exchange (IKE), tracked as CVE-2016-1287, and is highly critical. The POC works on 32-bit ASA 9.2.4 and supports IKEv2 only.
Many of our clients have been interested in understanding the impact of this vulnerability. Even though IKEv1 and 64-bit devices are known to be vulnerable to the same bug (as detailed in the Cisco advisory), there is nothing public about the exploitability of this vulnerability on those configurations.
Below, you can download a presentation that I delivered at WarCon 2017. It details the vulnerable code in IKEv1, the heap feng shui involved, and our methodology for exploiting the bug on IKEv1 for both 32-bit and 64-bit devices. This research highlights the need to patch all Cisco ASA firewalls, and shows that rolling back to older protocols such as IKEv1 does not mitigate the vulnerability.
I appreciate any feedback or questions, so please do not hesitate to contact me over email at cedric<dot>halbronn<@>nccgroup<anotherdot>trust or via twitter @saidelike.
Thank you to the Cisco Product Security Incident Response Team (PSIRT) for working with us prior to presentation and publication, as well as reviewing the slides and agreeing to the release.
Published date: 15 June 2017
Written by: Cedric Halbronn