Packet Storm: PACKETSTORM:78639
Cisco ASA Web VPN Vulnerabilities
Posted: Jun 25, 2009 (2009-06-25)
Author: Trustwave
Source: packetstormsecurity.com

EPSS: 0.037 (percentile 91.9%)

Trustwave's SpiderLabs Security Advisory TWSL2009-002:
Cisco ASA Web VPN Multiple Vulnerabilities
  
Published: 2009-06-24 Version: 1.0  
  
Vendor: Cisco Systems, Inc. (http://www.cisco.com)  
  
Versions affected: 8.0(4), 8.1.2, and 8.2.1  
  
Description: Cisco's Adaptive Security Appliance (ASA)
provides a number of security-related features, including
"Web VPN" functionality that allows authenticated users to
access a variety of content through a web interface. This
includes other web content, FTP servers, and CIFS file
servers.
  
The web content is proxied by the ASA and rewritten so that  
any URLs in the web content are passed as query parameters  
sent to the ASA web interface. Where scripting content is  
present, the ASA places a JavaScript wrapper around the  
original webpage's Document Object Model (DOM), to prevent  
the webpage from accessing the ASA's DOM.  
  
Credit: David Byrne of Trustwave's SpiderLabs  
  
  
Finding 1: Post-Authentication Cross-Site Scripting  
CVE: CVE-2009-1201  
The ASA's DOM wrapper can be subverted to allow Cross-Site
Scripting (XSS) attacks. For example, the "csco_wrap_js"
JavaScript function in /+CSCOL+/cte.js calls a function
referenced by "CSCO_WebVPN['process']", a property of a
global object that any proxied page can reassign, and passes
the result of that call straight to an "eval" statement.
  
function csco_wrap_js(str)
{
    var ret="<script id=CSCO_GHOST src="+CSCO_Gateway+
        "/+CSCOL+/cte.js></scr"+
        "ipt><script id=CSCO_GHOST src="+
        CSCO_Gateway+"/+CSCOE+/apcf></sc"+"ript>";
    // hook is looked up on a page-writable global at every call
    var js_mangled=CSCO_WebVPN['process']('js',str);
    // whatever that hook returned is evaluated in the ASA's origin
    ret+=CSCO_WebVPN['process']('html',eval(js_mangled));
    return ret;
};
  
To exploit this behavior, a malicious page proxied through
the Web VPN replaces "CSCO_WebVPN['process']" with an
attacker-defined function that returns an arbitrary string.
The next time "csco_wrap_js" is called, that string is passed
to "eval" and the attacker's code runs in the context of the
ASA's web interface, with access to the Web VPN session. The
proof of concept below reads the session cookie.
  
<html><script>
function a(b, c)
{
    return "alert('Your VPN location:\\n\\n'+" +
           "document.location+'\\n\\n\\n\\n\\n" +
           "Your VPN cookie:\\n\\n'+document.cookie);";
}
CSCO_WebVPN['process'] = a;
csco_wrap_js('');
</script></html>
  
Vendor Response:  
This vulnerability has been corrected in versions 8.0.4.34,  
and 8.1.2.25.  
Updated Cisco ASA software can be downloaded from:  
http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT  
  
A vendor response will be posted at  
http://www.cisco.com/security This vulnerability is  
documented in Cisco Bug ID: CSCsy80694.  
  
CVSS Score: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C
Base: 4.3
Temporal: 3.9
(Note: the vector string above, printed identically for all
three findings, is inconsistent with the listed scores; under
CVSSv2 that base vector evaluates to 10.0, whereas 4.3 is the
base score of a typical cross-site scripting vector such as
AV:N/AC:M/Au:N/C:N/I:P/A:N.)
  
  
Finding 2: HTML Rewriting Bypass  
CVE: CVE-2009-1202  
When a webpage is requested through the ASA's Web VPN, the
targeted scheme and hostname are Rot13-encoded, then
hex-encoded and placed in the ASA's URL behind a leading
flag byte of "00". For example, "https://www.trustwave.com"
(the hex below decodes to the https form) is accessed by
requesting the following ASA path:

/+CSCO+0075676763663A2F2F6A6A6A2E67656866676A6E69722E70627A+/

The HTML content of this request is visibly rewritten by
the ASA, starting at the very beginning:

<script id='CSCO_GHOST' src="/+webvpn+/toolbar.js">

However, if the request URL is modified to change the
initial hex value of "00" to "01", the HTML document is
returned without any rewriting. This allows the page's
scriptable content to run in the ASA's DOM, making
Cross-Site Scripting trivial.
  
Vendor Response:  
This vulnerability has been corrected in versions 8.0.4.34,  
and 8.1.2.25.  
Updated Cisco ASA software can be downloaded from:  
http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT  
  
A vendor response will be posted at  
http://www.cisco.com/security  
This vulnerability is documented in Cisco Bug ID:  
CSCsy80705.  
  
CVSS Score: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C  
Base: 4.3  
Temporal: 3.9  
  
  
Finding 3: Authentication Credential Theft  
CVE: CVE-2009-1203  
When a user accesses an FTP or CIFS destination through the
Web VPN, the resulting URL is formatted in a similar manner
to the web requests described above. The following URL
attempts to connect to ftp.example.com; normally it would be
loaded in an HTML frame within the Web VPN website.

/+CSCOE+/files/browse.html?code=init&path=ftp%3A%2F%2F7367632e726b6e7a6379722e70627a

The ASA first attempts to connect to the FTP server or CIFS
share using anonymous credentials. If that fails, the user
is prompted for login credentials. When viewed on its own
(outside of a frame), the submission form gives no
indication of what it is for and closely resembles the Web
VPN's primary login page. If an attacker sent the URL to a
user, the user could well assume they need to resubmit their
Web VPN credentials. The ASA would then forward those
credentials to the attacker's FTP or CIFS server.
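Encoding and decoding the two path forms described in Findings 2 and 3, as an added example that is not part of the advisory: Rot13 followed by hex, with a leading flag byte in the /+CSCO+...+/ form, plus a check that flags the Finding 2 bypass and a decoder that reveals the real destination of a file-browse link before a user types credentials into its prompt. The encoding rules and the first three sample paths are taken from the advisory; the function names, the triage categories, the fourth sample path and the assumption that a browse-link target is just scheme://host are assumptions of this example.

```javascript
// Added example, not part of the advisory: encode and decode the two Web VPN path forms
// that Findings 2 and 3 describe (Rot13, then hex; the /+CSCO+...+/ form carries a
// leading "00" flag byte) and flag requests that use the Finding 2 bypass. Function
// names, the triage categories and the upper/lowercase hex choices (matched to the
// advisory's two samples) are assumptions.

function rot13(s) {
  return s.replace(/[a-zA-Z]/g, (c) => {
    const base = c <= 'Z' ? 65 : 97;
    return String.fromCharCode(((c.charCodeAt(0) - base + 13) % 26) + base);
  });
}

function toHex(s) {
  return Array.from(s, (c) => c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
}

function fromHex(h) {
  if (h.length % 2 !== 0 || !/^[0-9a-fA-F]*$/.test(h)) throw new Error('bad hex: ' + h);
  let out = '';
  for (let i = 0; i < h.length; i += 2) out += String.fromCharCode(parseInt(h.slice(i, i + 2), 16));
  return out;
}

// Finding 2 form: /+CSCO+<flag byte><hex(rot13(scheme://host))>+/<remainder>
// The flag byte is "00" for normal, rewritten content.
function encodeCscoPath(origin, flag = '00') {
  return '/+CSCO+' + flag + toHex(rot13(origin)).toUpperCase() + '+/';
}

function decodeCscoPath(path) {
  const m = /^\/\+CSCO\+([0-9a-fA-F]{2})([0-9a-fA-F]*)\+\/(.*)$/.exec(path);
  if (!m) return null;
  return { flag: m[1].toLowerCase(), origin: rot13(fromHex(m[2])), rest: m[3] };
}

// Finding 2 check: a flag byte other than "00" (the advisory shows "01") asks the ASA
// for the page without its rewriting, which is the thing to alert on in access logs.
function isRewriteBypass(path) {
  const d = decodeCscoPath(path);
  return d !== null && d.flag !== '00';
}

// Finding 3 form: /+CSCOE+/files/browse.html?code=init&path=<scheme>%3A%2F%2F<hex(rot13(host))>
function encodeBrowsePath(scheme, host) {
  const target = scheme + '://' + toHex(rot13(host)).toLowerCase();
  return '/+CSCOE+/files/browse.html?code=init&path=' + encodeURIComponent(target);
}

// Recover the real destination of a file-browse link. Assumes the target is only
// scheme://host, as in the advisory's sample.
function decodeBrowsePath(path) {
  if (!path.startsWith('/+CSCOE+/files/browse.html?')) return null;
  const params = new URLSearchParams(path.slice(path.indexOf('?') + 1));
  const target = params.get('path');
  if (!target) return null;
  const m = /^([a-z]+):\/\/([0-9a-fA-F]+)$/i.exec(target);
  if (!m) return null;
  return { scheme: m[1].toLowerCase(), host: rot13(fromHex(m[2])) };
}

// Constructed sample request paths (not real log data): the advisory's two examples,
// the Finding 2 bypass form of the first, and an unrelated path.
const SAMPLE_PATHS = [
  '/+CSCO+0075676763663A2F2F6A6A6A2E67656866676A6E69722E70627A+/',
  '/+CSCO+0175676763663A2F2F6A6A6A2E67656866676A6E69722E70627A+/',
  '/+CSCOE+/files/browse.html?code=init&path=ftp%3A%2F%2F7367632e726b6e7a6379722e70627a',
  '/+webvpn+/index.html',
];

// Classify one request path: rewritten proxy fetch, rewrite bypass, or a file-browse
// link whose decoded target shows where any prompted credentials would be sent.
function triage(path) {
  const c = decodeCscoPath(path);
  if (c) return { kind: c.flag === '00' ? 'rewritten' : 'REWRITE-BYPASS', target: c.origin };
  const b = decodeBrowsePath(path);
  if (b) return { kind: 'file-browse (credential prompt possible)', target: b.scheme + '://' + b.host };
  return { kind: 'other', target: null };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const p of SAMPLE_PATHS) console.log(triage(p), p);
}
```

triage() is the function to run over the request-path column of a gateway or proxy access log: a REWRITE-BYPASS hit is a direct indicator for Finding 2, and the decoded target of a file-browse link is what a user should compare against the hostname they expected before entering credentials (Finding 3).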
  
Vendor Response:  
This vulnerability has been corrected in versions 8.0.4.34,  
and 8.1.2.25.  
Updated Cisco ASA software can be downloaded from:  
http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT  
  
A vendor response will be posted at  
http://www.cisco.com/security  
This vulnerability is documented in Cisco Bug ID:  
CSCsy80709.  
  
CVSS Score: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C  
Base: 4.3  
Temporal: 3.9  
  
  
Vendor Communication Timeline:  
03/31/09 - Cisco notified of vulnerabilities  
06/24/09 - Cisco software updates released; Advisory  
released  
  
Remediation Steps: Install updated software from Cisco.  
  
  
Revision History: 1.0 Initial publication  
  
About Trustwave:  
Trustwave is the leading provider of on-demand and  
subscription-based information security and payment card  
industry compliance management solutions to businesses and  
government entities throughout the world. For organizations  
faced with today's challenging data security and compliance  
environment, Trustwave provides a unique approach with  
comprehensive solutions that include its flagship  
TrustKeeper compliance management software and other  
proprietary security solutions. Trustwave has helped  
thousands of organizations--ranging from Fortune 500  
businesses and large financial institutions to small and  
medium-sized retailers--manage compliance and secure their  
network infrastructure, data communications and critical  
information assets. Trustwave is headquartered in Chicago  
with offices throughout North America, South America,  
Europe, Africa, China and Australia. For more information,  
visit https://www.trustwave.com  
  
About Trustwave's SpiderLabs:  
SpiderLabs is the advanced security team at Trustwave
responsible for incident response and forensics, ethical  
hacking and application security tests for Trustwave's  
clients. SpiderLabs has responded to hundreds of security  
incidents, performed thousands of ethical hacking exercises  
and tested the security of hundreds of business applications  
for Fortune 500 organizations. For more information visit  
https://www.trustwave.com/spiderlabs  
  
Disclaimer:  
The information provided in this advisory is provided "as  
is" without warranty of any kind. Trustwave disclaims all  
warranties, either express or implied, including the  
warranties of merchantability and fitness for a particular  
purpose. In no event shall Trustwave or its suppliers be  
liable for any damages whatsoever including direct,  
indirect, incidental, consequential, loss of business  
profits or special damages, even if Trustwave or its  
suppliers have been advised of the possibility of such  
damages. Some states do not allow the exclusion or  
limitation of liability for consequential or incidental  
damages so the foregoing limitation may not apply.  
  
