Wednesday, October 8, 2014

Cisco ASA | SSL VPN | Information Disclosure | CVE-2014-3392 | CSCuq29136

Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability


The following information concerns Cisco's ASA SSL VPN information disclosure. It explains, in no great detail, the result of altering the value of a single parameter and the data returned by the server.
(http://tools.cisco.com/security/center/viewAlert.x?alertId=35916)
(http://www.securityfocus.com/bid/70306)
(http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3392)

Please note that the author owns no Cisco ASA SSL VPN equipment; information concerning the vulnerability is therefore limited to an external perspective.

When testing, the first request made on the SSL VPN login page was a false username/password combination. The result of the request was a URL similar to the following:

https://example.com/+CSCOE+/logon.html?a0=88&a1=5468652061757468656E7469636174696F6E20736696365206973206F66666C696E652E&a2=&a3=1

In the response URL it was noted that the parameter a0 was used as a means of selecting the login error message to display:


As a second request, a hyphen was prepended to the value 88 which resulted in the following error:

https://example.com/+CSCOE+/logon.html?a0=-88


Noting that the error had no direct reference to the login form, additional values were tested to confirm that the server was in fact displaying "random" information.

After submitting various negative values to the server, the following request appeared to disclose the SNMP MIB (1) version used on the server:

https://example.com/+CSCOE+/logon.html?a0=-99999


With confirmation that negative values were somehow being interpreted by the server, an automated process was then used to cycle through negative values.

The vast majority of responses contained data that was not directly readable. However, some requests, such as the following, were clearly understood:

https://example.com/+CSCOE+/logon.html?a0=-21494


Additional information disclosed by the server contained various listings of endpoint.os.hotfix entries, as noted in the following screenshot:

https://example.com/+CSCOE+/logon.html?a0=-34894


It should be noted that, with the exception of -99999, the same request could seldom be reproduced twice. The random data being returned has been confirmed by Cisco (2) as coming from "random memory locations".

Contained in various other responses were what appeared to be VPN certificates, file content, and additional system command USAGE information.
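From a monitoring standpoint, the pattern described above (negative a0 values sent to /+CSCOE+/logon.html, typically in an automated sweep) is straightforward to pick out of access logs. The following Python is an added example, not part of the original post or of any Cisco or CRAM code; it assumes a constructed, simplified log format of client IP, method, request target and status code.

```python
"""Flag Cisco ASA clientless SSL VPN logon requests whose a0 value is suspicious.

Constructed sample log lines (not from the original post), in a simplified
"<client_ip> <method> <path_and_query> <status>" format.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines; the a0 values mirror those discussed in the post.
SAMPLE_LOG = """\
203.0.113.10 GET /+CSCOE+/logon.html?a0=88&a1=5468652061&a2=&a3=1 200
203.0.113.10 GET /+CSCOE+/logon.html?a0=-88 200
203.0.113.10 GET /+CSCOE+/logon.html?a0=-99999 200
198.51.100.7 GET /+CSCOE+/logon.html 200
203.0.113.10 GET /+CSCOE+/logon.html?a0=-21494 200
198.51.100.7 GET /+CSCOE+/portal.html?a0=-5 200
203.0.113.10 GET /+CSCOE+/logon.html?a0=abc 200
"""

LOGON_PATH = "/+CSCOE+/logon.html"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def is_suspicious_a0(value: str) -> bool:
    """True when a0 is not a plain non-negative integer (e.g. '-88' or 'abc')."""
    return not value.isdigit()


def flag_requests(log_text: str):
    """Return (client_ip, a0) pairs for logon.html requests with a suspicious a0."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ip, _method, target, _status = m.groups()
        parts = urlsplit(target)
        if parts.path != LOGON_PATH:
            continue  # only the logon page takes the a0 parameter discussed here
        for a0 in parse_qs(parts.query).get("a0", []):
            if is_suspicious_a0(a0):
                hits.append((ip, a0))
    return hits


def count_by_client(hits):
    """Number of suspicious a0 values per client, to spot automated sweeps."""
    counts = {}
    for ip, _a0 in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = flag_requests(SAMPLE_LOG)
    for ip, a0 in found:
        print(f"{ip} sent a0={a0}")
    print(count_by_client(found))
```

A single negative a0 may be noise, but many distinct values from one client in a short window matches the cycling behaviour described above and is the signal worth alerting on.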

Although the above information is limited, it hopefully shows the potential this issue has for obtaining information from the vulnerable system(s).

*** UPDATE ***
There is now a shell script to test for this issue:
github.com/monsi/CRAM
References:
1. Appendix C - MIB Support (http://www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/48/cam/48cam-book/m_apx_mib.pdf)
2. http://tools.cisco.com/security/center/viewAlert.x?alertId=35917