By: Cedric Halbronn

Scheduled on: February 2 at 15:00


AnyConnect/WebVPN is generally enabled on the ASA external interface as it is the base for Cisco’s implementation of their SSL-based VPN. It is used by both the clientless authentication via the browser and the Cisco AnyConnect standalone client.

Our talk details the general architecture of the fuzzer used to find the double free vulnerability, our analysis of the bug, and how we exploited it. The fuzzing architecture could be used to fuzz other protocols found on Cisco devices. We also describe a generic way to leverage fragmented IKEv1 packets for both heap feng shui and for creating a write primitive. The AnyConnect vulnerability has been reported to Cisco, which assigned it a CVSS score of 10.0. They will release an advisory about it in early 2018.