Trustwave's SpiderLabs Security Advisory TWSL2009-002

2009-06-25T00:00:00
ID SECURITYVULNS:DOC:22078
Type securityvulns
Reporter Securityvulns
Modified 2009-06-25T00:00:00

Description

Trustwave's SpiderLabs Security Advisory TWSL2009-002: Cisco ASA Web VPN Multiple Vulnerabilities

Published: 2009-06-24 Version: 1.0

Vendor: Cisco Systems, Inc. (http://www.cisco.com)

Versions affected: 8.0(4), 8.1.2, and 8.2.1

Description: Cisco's Adaptive Security Appliance (ASA) provides a number of security related features, including "Web VPN" functionality that allows authenticated users to access a variety of content through a web interface. This includes other web content, FTP servers, and CIFS file servers.

The web content is proxied by the ASA and rewritten so that any URLs in the web content are passed as query parameters sent to the ASA web interface. Where scripting content is present, the ASA places a JavaScript wrapper around the original webpage's Document Object Model (DOM), to prevent the webpage from accessing the ASA's DOM.

Credit: David Byrne of Trustwave's SpiderLabs

Finding 1: Post-Authentication Cross-Site Scripting CVE: CVE-2009-1201 The ASA's DOM wrapper can be rewritten in a manner to allow Cross-Site Scripting (XSS) attacks. For example, the "csco_wrap_js" JavaScript function in /+CSCOL+/cte.js makes a call to a function referenced by "CSCO_WebVPN['process']". The result of this call is then used in an "eval" statement.

function csco_wrap_js(str) { var ret="<script id=CSCO_GHOST src="+CSCO_Gateway+ "/+CSCOL+/cte.js></scr"+ "ipt><script id=CSCO_GHOST src="+ CSCO_Gateway+"/+CSCOE+/apcf></sc"+"ript>"; var js_mangled=CSCO_WebVPN['process']('js',str); ret+=CSCO_WebVPN['process']('html',eval(js_mangled)); return ret; };

To exploit this behavior, a malicious page can rewrite "CSCO_WebVPN['process']" with an attacker-defined function that will return an arbitrary value. The next time the "csco_wrap_js" function is called, the malicious code will be executed. Below is a proof of concept.

<html><script> function a(b, c) { return "alert('Your VPN location:\\n\\n'+" + "document.location+'\\n\\n\\n\\n\\n" + "Your VPN cookie:\\n\\n'+document.cookie);"; } CSCO_WebVPN['process'] = a; csco_wrap_js(''); </script></html>

Vendor Response: This vulnerability has been corrected in versions 8.0.4.34, and 8.1.2.25. Updated Cisco ASA software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT

A vendor response will be posted at http://www.cisco.com/security This vulnerability is documented in Cisco Bug ID: CSCsy80694.

CVSS Score: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C Base: 4.3 Temporal: 3.9

Finding 2: HTML Rewriting Bypass CVE: CVE-2009-1202 When a webpage is requested through the ASA's Web VPN, the targeted scheme and hostname is Rot13-encoded, then hex-encoded and placed in the ASA's URL. For example, "http://www.trustwave.com" is accessed by requesting the following ASA path:

/+CSCO+0075676763663A2F2F6A6A6A2E67656866676A6E69722E70627A+ +/

The HTML content of this request is obviously reformatted by the ASA, starting at the very beginning:

  &lt;script id=&#39;CSCO_GHOST&#39; src=&quot;/+webvpn+/toolbar.js&quot;&gt;

However, if the request URL is modified to change the initial hex value of "00" to "01", the HTML document is returned without any rewriting. This allows the pages scriptable content to run in the ASA's DOM, making Cross-Site Scripting trivial.

Vendor Response: This vulnerability has been corrected in versions 8.0.4.34, and 8.1.2.25. Updated Cisco ASA software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT

A vendor response will be posted at http://www.cisco.com/security This vulnerability is documented in Cisco Bug ID: CSCsy80705.

CVSS Score: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C Base: 4.3 Temporal: 3.9

Finding 3: Authentication Credential Theft CVE: CVE-2009-1203 When a user accesses an FTP or CIFS destination using the Web VPN, the resulting URL is formatted in a similar manner as the web requests described above. The following URL attempts to connect to ftp.example.com; normally, it would be in an HTML frame within the Web VPN website.

/+CSCOE+/files/browse.html?code=init&path=ftp%3A%2F%2F736763 2e726b6e7a6379722e70627a

The ASA first attempts to connect to the FTP server or CIFS share using anonymous credentials. If those fail, the user is prompted for login credentials. When viewed on its own (outside of a frame), the submission form gives no indication what it is for and is very similar in appearance to the Web VPN's primary login page. If the URL was sent to a user by an attacker, it is very possible that a user would assume that he needs to resubmit credentials to the Web VPN. The ASA would then forward the credentials to the attacker's FTP or CIFS server.

Vendor Response: This vulnerability has been corrected in versions 8.0.4.34, and 8.1.2.25. Updated Cisco ASA software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT

A vendor response will be posted at http://www.cisco.com/security This vulnerability is documented in Cisco Bug ID: CSCsy80709.

CVSS Score: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C Base: 4.3 Temporal: 3.9

Vendor Communication Timeline: 03/31/09 - Cisco notified of vulnerabilities 06/24/09 - Cisco software updates released; Advisory released

Remediation Steps: Install updated software from Cisco.

Revision History: 1.0 Initial publication

About Trustwave: Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations--ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers--manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, China and Australia. For more information, visit https://www.trustwave.com

About Trustwave's SpiderLabs: SpiderLabs is the advance security team at Trustwave responsible for incident response and forensics, ethical hacking and application security tests for Trustwave's clients. SpiderLabs has responded to hundreds of security incidents, performed thousands of ethical hacking exercises and tested the security of hundreds of business applications for Fortune 500 organizations. For more information visit https://www.trustwave.com/spiderlabs

Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.