PIX/ASA Finesse 7.1 & 7.2 Privilege Escalation

I was trying to get into admin mode without the enable password during a penetration test and i came across a post by Terry where he describes a designing flaw in the PIX/ASA Finesse Operation System, version 7.1 and 7.2. Well, it was possible to escalate a normal level 0 user to a level 15 privilege user. The exploit is simple and it only works locally, at the console and remotely with Telnet. However, do note that it will NOT work if SSH, TACACS or Radius is implemented in the firewall. Below are the steps.

1. Login with your user level 0 account. Once logon, you will be prompted to enter the enable password which is the privilege password.

2. At this prompt if you move your cursor forward with a space or character(it doesn't matter if there are more then one), and then proceed to delete any spaces or characters, by holding down the backspace a second after deleting the last character it should immediately drop you into level 15 privilege-exec mode.

It had been tested on PIX 515E, Finesse version 7.2 and i had also tested it on the PIX 525.

The Hacka Man