The Cisco ASA Web VPN versions 8.0(4), 8.1.2, and 8.2.1 suffer from cross site s
Source: http://www.trustwave.com/ Author: trustwave Published: 2009-06-25
Trustwave's SpiderLabs Security Advisory TWSL2009-002: 
Cisco ASA Web VPN Multiple Vulnerabilities

Published: 2009-06-24 Version: 1.0

Vendor: Cisco Systems, Inc. (http://www.cisco.com)

Versions affected: 8.0(4), 8.1.2, and 8.2.1

Description: Cisco's Adaptive Security Appliance (ASA)
provides a number of security related features, including
"Web VPN" functionality that allows authenticated users to
access a variety of content through a web interface. This
includes other web content, FTP servers, and CIFS file
servers.

The web content is proxied by the ASA and rewritten so that
any URLs in the web content are passed as query parameters
sent to the ASA web interface. Where scripting content is
present, the ASA places a JavaScript wrapper around the
original webpage's Document Object Model (DOM), to prevent
the webpage from accessing the ASA's DOM.

Credit: David Byrne of Trustwave's SpiderLabs


Finding 1: Post-Authentication Cross-Site Scripting
CVE: CVE-2009-1201
The ASA's DOM wrapper can be rewritten in a manner to allow
Cross-Site Scripting (XSS) attacks. For example, the
"csco_wrap_js" JavaScript function in /+CSCOL+/cte.js makes
a call to a function referenced by "CSCO_WebVPN['process']".
The result of this call is then used in an "eval" statement.

function csco_wrap_js(str)
{
   var ret="<script id=CSCO_GHOST src="+CSCO_Gateway+
           "/+CSCOL+/cte.js></scr"+
           "ipt><script id=CSCO_GHOST src="+
           CSCO_Gateway+"/+CSCOE+/apcf></sc"+"ript>";
   var js_mangled=CSCO_WebVPN['process']('js',str);
   ret+=CSCO_WebVPN['process']('html',eval(js_mangled));
   return ret;
};

To exploit this behavior, a malicious page can rewrite
"CSCO_WebVPN['process']" with an attacker-defined function
that will return an arbitrary value. The next time the
"csco_wrap_js" function is called, the malicious code will
be executed. Below is a proof of concept.

<html><script>
function a(b, c)
{
   return "alert('Your VPN location:\\n\\n'+" +
   "document.location+'\\n\\n\\n\\n\\n" +
   "Your VPN cookie:\\n\\n'+document.cookie);";
}
CSCO_WebVPN['process'] = a;
csco_wrap_js('');
</script></html>

Vendor Response:
This vulnerability has been corrected in versions 8.0.4.34
and 8.1.2.25.
Updated Cisco ASA software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT

A vendor response will be posted at
http://www.cisco.com/security
This vulnerability is documented in Cisco Bug ID:
CSCsy80694.

CVSS Score: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C
Base: 4.3
Temporal: 3.9


Finding 2: HTML Rewriting Bypass
CVE: CVE-2009-1202
When a webpage is requested through the ASA's Web VPN, the
targeted scheme and hostname are Rot13-encoded, then
hex-encoded and placed in the ASA's URL. For example,
"http://www.trustwave.com" is accessed by requesting the
following ASA path:

/+CSCO+0075676763663A2F2F6A6A6A2E67656866676A6E69722E70627A++/

The HTML content returned for this request is visibly
rewritten by the ASA, starting at the very beginning:

      <script id='CSCO_GHOST' src="/+webvpn+/toolbar.js">

However, if the request URL is modified to change the
initial hex value of "00" to "01", the HTML document is
returned without any rewriting. This allows the page's
scriptable content to run in the ASA's DOM, making
Cross-Site Scripting trivial.

Vendor Response:
This vulnerability has been corrected in versions 8.0.4.34
and 8.1.2.25.
Updated Cisco ASA software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT

A vendor response will be posted at
http://www.cisco.com/security
This vulnerability is documented in Cisco Bug ID:
CSCsy80705.

CVSS Score: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C
Base: 4.3
Temporal: 3.9


Finding 3: Authentication Credential Theft
CVE: CVE-2009-1203
When a user accesses an FTP or CIFS destination using the
Web VPN, the resulting URL is formatted in a similar manner
as the web requests described above. The following URL
attempts to connect to ftp.example.com; normally, it would
be in an HTML frame within the Web VPN website.

      
/+CSCOE+/files/browse.html?code=init&path=ftp%3A%2F%2F736763
2e726b6e7a6379722e70627a

The ASA first attempts to connect to the FTP server or CIFS
share using anonymous credentials. If those fail, the user
is prompted for login credentials. When viewed on its own
(outside of a frame), the submission form gives no
indication of what it is for and looks very similar to the
Web VPN's primary login page. If an attacker sent the URL to
a user, the user could easily assume that the Web VPN is
asking for credentials to be resubmitted. The ASA would then
forward those credentials to the attacker's FTP or CIFS
server.
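The two path formats described in Finding 2 and Finding 3 share one encoding (hex of the Rot13-transformed target), so a single decoder can be run over proxy or ASA access logs to flag the conditions both findings describe: a leading flag byte other than "00" on a /+CSCO+ path, and a file-browser request whose decoded FTP/CIFS host is not one users are expected to reach. This is an added example, not code from the advisory or from Cisco; the regular expression, the "scheme://hex" reading of the browse.html "path" parameter, and the allowlist are my assumptions drawn from the advisory's two sample paths.

```python
import codecs
import re
from urllib.parse import parse_qs, urlparse

# Path shapes taken from the advisory's examples (my reading, not Cisco's spec):
#   /+CSCO+<2-hex flag><hex(rot13(scheme://host))>++/...        web content proxy
#   /+CSCOE+/files/browse.html?...&path=<scheme>%3A%2F%2F<hex>   FTP/CIFS browser
WEB_RE = re.compile(r"^/\+CSCO\+([0-9A-Fa-f]{2})([0-9A-Fa-f]+)\+\+/")
BROWSE_PATH = "/+CSCOE+/files/browse.html"


def rot13_hex_decode(hexpart):
    """Reverse the ASA's encoding: hex -> ASCII -> Rot13."""
    return codecs.decode(bytes.fromhex(hexpart).decode("ascii"), "rot_13")


def decode_request(path):
    """Return {'kind', 'flag', 'target'} for a Web VPN request path, else None."""
    m = WEB_RE.match(path)
    if m:
        return {"kind": "web", "flag": m.group(1),
                "target": rot13_hex_decode(m.group(2))}
    parsed = urlparse(path)
    if parsed.path != BROWSE_PATH:
        return None
    raw = parse_qs(parsed.query).get("path", [""])[0]  # parse_qs already URL-decodes
    scheme, sep, hexpart = raw.partition("://")
    try:
        target = scheme + "://" + rot13_hex_decode(hexpart)
    except ValueError:  # odd-length or non-hex payload: not a well-formed request
        return None
    return {"kind": "browse", "flag": None, "target": target} if sep else None


def inspect_request(path, allowed_file_hosts):
    """Decode one request path and list the advisory's two warning conditions:
    flag byte != 00 (rewriting bypass) and a file-browser host off the allowlist."""
    info = decode_request(path)
    if info is None:
        return None
    findings = []
    if info["kind"] == "web" and info["flag"] != "00":
        findings.append("rewrite-bypass flag " + info["flag"])
    host = urlparse(info["target"]).hostname
    if info["kind"] == "browse" and host not in allowed_file_hosts:
        findings.append("file-browser target outside allowlist: " + str(host))
    info["findings"] = findings
    return info
```

Note that the advisory's own /+CSCO+ sample decodes to an https:// target, which is what the decoder returns for it.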

Vendor Response:
This vulnerability has been corrected in versions 8.0.4.34
and 8.1.2.25.
Updated Cisco ASA software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT

A vendor response will be posted at
http://www.cisco.com/security
This vulnerability is documented in Cisco Bug ID:
CSCsy80709.

CVSS Score: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C
Base: 4.3
Temporal: 3.9


Vendor Communication Timeline:
03/31/09 - Cisco notified of vulnerabilities
06/24/09 - Cisco software updates released; Advisory
           released

Remediation Steps: Install updated software from Cisco.


Revision History: 1.0 Initial publication

About Trustwave:
Trustwave is the leading provider of on-demand and
subscription-based information security and payment card
industry compliance management solutions to businesses and
government entities throughout the world. For organizations
faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with
comprehensive solutions that include its flagship
TrustKeeper compliance management software and other
proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500
businesses and large financial institutions to small and
medium-sized retailers--manage compliance and secure their
network infrastructure, data communications and critical
information 
