The information has been provided by Trustwave Advisories.
The original article can be found at: https://www.trustwave.com/spiderLabs-advisories.php
* Cisco Adaptive Security Appliance version 8.2.1 and prior
* Cisco Adaptive Security Appliance version 220.127.116.11
Post-Authentication Cross-Site Scripting (CVE-2009-1201):
The result of this call is then used in an "eval" statement.
var ret="<script id=CSCO_GHOST src="+CSCO_Gateway+
"ipt><script id=CSCO_GHOST src="+
To exploit this behavior, a malicious page can rewrite "CSCO_WebVPN['process']" with an attacker-defined function that will return an arbitrary value. The next time the "csco_wrap_js" function is called, the malicious code will be executed. Below is a proof of concept.
function a(b, c)
return "alert('Your VPN location:\\n\\n'+" +
"Your VPN cookie:\\n\\n'+document.cookie);";
CSCO_WebVPN['process'] = a;
HTML Rewriting Bypass (CVE-2009-1202)
When a webpage is requested through the ASA's Web VPN, the targeted scheme and hostname is Rot13-encoded, then hex-encoded and placed in the ASA's URL. For example, "http://www.trustwave.com" is accessed by requesting the following ASA path:
The HTML content of this request is obviously reformatted by the ASA, starting at the very beginning:
<script id='CSCO_GHOST' src="/+webvpn+/toolbar.js">
However, if the request URL is modified to change the initial hex value of "00" to "01", the HTML document is returned without any rewriting. This allows the pages scriptable content to run in the ASA's DOM, making Cross-Site Scripting trivial.
Authentication Credential Theft (CVE-2009-1203):
When a user accesses an FTP or CIFS destination using the Web VPN, the resulting URL is formatted in a similar manner as the web requests described above. The following URL attempts to connect to ftp.example.com; normally, it would be in an HTML frame within the Web VPN website.
The ASA first attempts to connect to the FTP server or CIFS share using anonymous credentials. If those fail, the user is prompted for login credentials. When viewed on its own (outside of a frame), the submission form gives no indication what it is for and is very similar in appearance to the Web VPN's primary login page. If the URL was sent to a user by an attacker, it is very possible that a user would assume that he needs to resubmit credentials to the Web VPN.
The ASA would then forward the credentials to the attacker's FTP or CIFS server.
Updated Cisco ASA software can be downloaded from:
03/31/09 - Cisco notified of vulnerabilities
06/24/09 - Cisco software updates released; Advisory released