TUCoPS :: HP Unsorted T :: bt-21216.htm

Trustwave's SpiderLabs Security Advisory TWSL2009-002
Trustwave's SpiderLabs Security Advisory TWSL2009-002
Trustwave's SpiderLabs Security Advisory TWSL2009-002

Trustwave's SpiderLabs Security Advisory TWSL2009-002: 
Cisco ASA Web VPN Multiple Vulnerabilities

Published: 2009-06-24 Version: 1.0

Vendor: Cisco Systems, Inc. (http://www.cisco.com) 

Versions affected: 8.0(4), 8.1.2, and 8.2.1

Description: Cisco's Adaptive Security Appliance (ASA)
provides a number of security related features, including
"Web VPN" functionality that allows authenticated users to
access a variety of content through a web interface. This
includes other web content, FTP servers, and CIFS file

The web content is proxied by the ASA and rewritten so that
any URLs in the web content are passed as query parameters
sent to the ASA web interface. Where scripting content is
present, the ASA places a JavaScript wrapper around the
original webpage's Document Object Model (DOM), to prevent
the webpage from accessing the ASA's DOM.

Credit: David Byrne of Trustwave's SpiderLabs

Finding 1: Post-Authentication Cross-Site Scripting
CVE: CVE-2009-1201
The ASA's DOM wrapper can be rewritten in a manner to allow
Cross-Site Scripting (XSS) attacks. For example, the
"csco_wrap_js" JavaScript function in /+CSCOL+/cte.js makes
a call to a function referenced by "CSCO_WebVPN['process']".
The result of this call is then used in an "eval" statement.

function csco_wrap_js(str)
   var ret="

Vendor Response:
This vulnerability has been corrected in versions,
Updated Cisco ASA software can be downloaded from:

A vendor response will be posted at
http://www.cisco.com/security This vulnerability is 
documented in Cisco Bug ID:  CSCsy80694.

Base: 4.3
Temporal: 3.9

Finding 2: HTML Rewriting Bypass
CVE: CVE-2009-1202
When a webpage is requested through the ASA's Web VPN, the
targeted scheme and hostname is Rot13-encoded, then
hex-encoded and placed in the ASA's URL. For example,
"http://www.trustwave.com" is accessed by requesting the 
following ASA path:

The HTML content of this request is obviously reformatted by
the ASA, starting at the very beginning: