Cisco Clientless SSL VPN (Secure Desktop) can be misconfigured when disabling the portal toolbar. The Portal toolbar is independent from filtering the actual browser requests. This means that all URL's and plugins are by default allowed even if the administrator only chooses to publish a few bookmarks to key systems where users should have access. This may lead to the possibility of giving unintended access to other systems behind the ASA.
4eb5734d29ebe15392aa7223640755c5c16effc9c7c936299c63698ecdfb737e------------------------------------------------------------------ -- -
Cybercom Sweden AB Security Advisory CSESA-2010-8 info@cybercom.com
http://newsroom.cybercom.com/ George Hedfors
November 26, 2010
------------------------------------------------------------------ -- -
Vendor: Cisco Inc.
Product: Cisco ASA 5500 Clientless SSL VPN
Vulnerability: Weak URL encoding and dangerous default access policy
Problem type: remote
CVE id(s): N/A
Cisco Clientless SSL VPN (Secure Desktop) can be misconfigured when
disabling the portal toolbar. The Portal toolbar is independent from
filtering the actual browser requests.
This means that all URL's and plugins are by default allowed even if
the administrator only chooses to publish a few bookmarks to key
systems where users should have access. This may lead to the
possibility of giving unintended access to other systems behind the
ASA.
The URL is transliterated to permit encoding of the user URL's. This
URL is then transmitted inside an already established TLS session.
The URL encoding is however easily broken and altered in order to
specify alternative URL's that may be of interest.
Plugins for Telnet, SSH and remote desktop are also accessible using
static URLs that also are accessible unless they are disabled.
For SSH:
https://vpn.victim.com/+CSCO+0075676763663A2F2F2E637968747661662E++/ssh,telnet/index.html?target=telnet://x.y.z.w:22?csco_lang=en
For Telnet:
https://vpn.victim.com/+CSCO+0075676763663A2F2F2E637968747661662E++/ssh,telnet/index.html?target=telnet://x.y.z.w:22?csco_lang=en
For RDP:
https://vpn.victim.com/+CSCO+0075676763663A2F2F2E637968747661662E++/rdp/index.html?target=rdp://x.y.z.w/?geometry=1280x800&FullScreen=true&csco_lang=en
The URL obfuscation is done using the good old Caesar cipher, first
used around the year 56AD (according to Wikipedia) with an
overlaying HEX encoding.
Obfuscation example:
https://vpn.victim.com/+CSCO+00756767633A2F2F7A6E76792E69767067767A2E70627A2F726B70756E617472++/
^ ^ ^
uggc://znvy.ivpgvz.pbz/rkpunatr
^ ^ ^
http://mail.victim.com/exchange
Vendor recommendation:
Configure Assign the web ACL to any policies (group policies, dynamic
access policies, or both) that you have configured for clientless
access.
Please follow the guidelines posted in:
ASA Configuration Guide: Configuring Clientless SSL VPN
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/webvpn.html
Vulnerability report timeline:
8, October 2010 - Initial vulnerability submission
8, October 2010 - Vendor response
4, November 2010 - Vulnerability redefined
17, November 2010 - Vendor provides workaround and suggested mitigations
26, November 2010 - Advisory and workaround release
Cisco bug IDs:
CSCtk08440 ASDM: When portal toolbar is removed, ASDM should point to
WebACL config
CSCtk08633 ASA doc "url-entry" needs to include reference to WebACL
References:
http://www.cisco.com/en/US/docs/security/asdm/6_2/user/guide/vpn_web.html#wp1072626
http://en.wikipedia.org/wiki/Caesar_cipher
Attached URL encode/decode tool (MIME):
IyEvdXNyL2Jpbi9wZXJsCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj
IyMjIyMKIyMgIENpc2NvIFNTTCBWUE4gVVJMIGVuY29kZXIvZGVjb2RlcgojIyAgYnkgZ2Vvcmdl
LmhlZGZvcnMgYXQgY3liZXJjb21ncm91cC5jb20KIyMKIwojIFNhbXBsZSBVUkw6CiMgaHR0cHM6
Ly92cG4udmljdGltLmNvbS8rQ1NDTyswMDc1Njc2NzYzM0EyRjJGN0E2RTc2NzkyRTY5NzY3MDY3
NzY3QTJFNzA2MjdBMkY3MjZCNzA3NTZFNjE3NDcyKysvCiMKIyBVc2UgdGhpcyBzY3JpcHQgdG8g
ZW5jb2RlL2RlY29kZSB0aGUgaGV4IGNodW5rIGFzIGFib3ZlCiMgRXhhbXBsZToKIyAuL2Npc2Nv
X3Zwbi5wbCBkIDAwNzU2NzY3NjMzQTJGMkY3QTZFNzY3OTJFNjk3NjcwNjc3NjdBMkU3MDYyN0Ey
RjcyNkI3MDc1NkU2MTc0NzIKIwoKbXkgJE9GRlNFVCA9IDEzOwoKbXkgJElOU1RSID0gJEFSR1Zb
MV07CgpteSAkYzsKbXkgJE9VVFNUUjsKCmlmKCRBUkdWWzBdIGVxICJlIikgewoJZm9yIChteSAk
aSA9IDA7ICRpIDwgbGVuZ3RoKCRJTlNUUik7ICRpKyspIHsKCQkkYyA9IG9yZChzdWJzdHIoJElO
U1RSLCAkaSwgMSkpOwoKCQlpZihjaHIoJGMpID1+IG0vW2Etel0vKSB7CgkJCSRjIC09ICRPRkZT
RVQ7CgkJCWlmICgkYyA8IDk3KSB7ICRjICs9IDI2IH0KCQl9IGVsc2lmKGNocigkYykgPX4gbS9b
QS1aXS8pIHsKCQkJJGMgLT0gJE9GRlNFVDsKCQkJaWYgKCRjIDwgNjUpIHsgJGMgKz0gMjYgfQoJ
CX0KCgkJJE9VVFNUUiAuPSBjaHIoJGMpOwoJCSRPVVRIRVggLj0gc3ByaW50ZigiJTAyWCIsICRj
KTsKCX0KCXByaW50ICRPVVRTVFIgLiAiXG4iIGlmICRBUkdWWzJdIGVxICItZCI7CglwcmludCAi
MDAiIC4gJE9VVEhFWCAuICJcbiI7Cn0gZWxzaWYoJEFSR1ZbMF0gZXEgImQiKSB7Cglmb3IgKG15
ICRpID0gMDsgJGkgPCBsZW5ndGgoJElOU1RSKTsgJGkrPTIpIHsKCQkkYyA9IGhleChzdWJzdHIo
JElOU1RSLCAkaSwgMikpOwoKCQlpZihjaHIoJGMpID1+IG0vW2Etel0vKSB7CgkJCSRjICs9ICRP
RkZTRVQ7CgkJCWlmICgkYyA+IDEyMikgeyAkYyAtPSAyNiB9CgkJfSBlbHNpZihjaHIoJGMpID1+
IG0vW0EtWl0vKSB7CgkJCSRjICs9ICRPRkZTRVQ7CgkJCWlmICgkYyA+IDkwKSB7ICRjIC09IDI2
IH0KCQl9CgoJCSRPVVRTVFIgLj0gY2hyKCRjKTsKCX0KCXByaW50ICRPVVRTVFIgLiAiXG4iOwp9
IGVsc2UgewoJcHJpbnQgU1RERVJSICJzeW50YXg6ICQwIGVcfGQgc3RyaW5nXHxoZXhcbiI7Cglw
cmludCBTVERFUlIgIlx0ZSAtIGVuY29kZSBzdHIgdG8gaGV4XG4iOwoJcHJpbnQgU1RERVJSICJc
dGQgLSBkZWNvZGUgaGV4IHRvIHN0clxuXG4iOwoJZXhpdCAtMTsKfQo=
------------------------------------------------------------------ -- -
George Hedfors
IT- & Information Security Consultant
Cybercom Sweden East AB
Lindhagensgatan 126 Box 30154 SE-104 25 Stockholm
Phone +46 8 726 75 00 Fax +46 8 19 33 22
PGP: 0x0A13FDB8/79A9 D843 B792 1EA3 B8C6
F792 D480 84DE 0A13 FDB8
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed