Squashed commit of the following:

commit a78b6142449b71ccd1cd7061b5363f6882b2e00b Author: Patrik Karlsson <patrik@cqure.net> Date: Sun May 25 21:19:22 2014 -0400 fix indentation commit 5e61eba30f98343fb172687bd377acae6cb9e242 Merge: d446fa7 9696dd5 Author: Patrik Karlsson <patrik@cqure.net> Date: Sun May 25 21:15:50 2014 -0400 Merge branch 'master' into anyconnect commit d446fa76181d97287604b48719dd3f714987b775 Author: Patrik Karlsson <patrik@cqure.net> Date: Sun May 25 21:15:09 2014 -0400 Update CHANGELOG commit 1590b8a8598bfd06c767c31312dc56c8e306c556 Author: Patrik Karlsson <patrik@cqure.net> Date: Sun May 25 21:13:27 2014 -0400 update script.db commit 93eb927e21d3e3702da36668628b70c42f14f0db Author: Patrik Karlsson <patrik@cqure.net> Date: Sun May 25 21:09:51 2014 -0400 update anyconnect library to better capture version add missing libraries http-cisco-anyconnect.nse add new scripts to detect vulnerabilities cve2014-2126 through 2129 commit 92fecad07d340e60abbe502a4541d6e4f71af224 Author: Patrik Karlsson <patrik@cqure.net> Date: Sat May 24 09:09:14 2014 -0400 initial commit
2025-12-15 20:29:03 +00:00 · 2014-05-26 01:28:38 +00:00
parent 81b5ef8e99
commit c950dcb154
8 changed files with 537 additions and 0 deletions
--- a/scripts/http-vuln-cve2014-2128.nse
+++ b/scripts/http-vuln-cve2014-2128.nse
@@ -0,0 +1,82 @@
+local anyconnect = require('anyconnect')
+local stdnse = require('stdnse')
+local shortport = require('shortport')
+local vulns = require('vulns')
+local sslcert = require('sslcert')
+
+description = [[
+Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SSL VPN Authentication Bypass Vulnerability (CVE-2014-2128).
+]]
+
+---
+-- @usage
+-- nmap -p 443 --script http-vuln-cve2014-2127 <target>
+--
+-- @output
+-- PORT    STATE SERVICE
+-- 443/tcp open  https
+-- | http-vuln-cve2014-2128: 
+-- |   VULNERABLE:
+-- |   Cisco ASA SSL VPN Authentication Bypass Vulnerability
+-- |     State: VULNERABLE
+-- |     Risk factor: Medium  CVSSv2: 5.0 (MEDIUM) (AV:N/AC:L/AU:N/C:P/I:N/A:N)
+-- |     Description:
+-- |       The SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) Software 8.2 before 8.2(5.47, 8.3 before 8.3(2.40), 8.4 before 8.4(7.3), 8.6 before 8.6(1.13), 9.0 before 9.0(3.8), and 9.1 before 9.1(3.2) allows remote attackers to bypass authentication via (1) a crafted cookie value within modified HTTP POST data or (2) a crafted URL, aka Bug ID CSCua85555.
+-- |           
+-- |     References:
+-- |       http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa
+-- |_      http://cvedetails.com/cve/2014-2128/
+
+author = "Patrik Karlsson <patrik@cqure.net>"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"vuln", "safe"}
+
+portrule = function(host, port)
+  return shortport.ssl(host, port) or sslcert.isPortSupported(port)
+end
+
+action = function(host, port)
+  local vuln_table = {
+    title = "Cisco ASA SSL VPN Authentication Bypass Vulnerability",
+    state = vulns.STATE.NOT_VULN,
+    risk_factor = "Medium",
+    scores = {
+      CVSSv2 = "5.0 (MEDIUM) (AV:N/AC:L/AU:N/C:P/I:N/A:N)",
+    },
+    description = [[
+The SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) Software 8.2 before 8.2(5.47, 8.3 before 8.3(2.40), 8.4 before 8.4(7.3), 8.6 before 8.6(1.13), 9.0 before 9.0(3.8), and 9.1 before 9.1(3.2) allows remote attackers to bypass authentication via (1) a crafted cookie value within modified HTTP POST data or (2) a crafted URL, aka Bug ID CSCua85555.
+    ]],
+
+    references = {
+      'http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa',
+      'http://cvedetails.com/cve/2014-2128/'
+    }
+  }
+
+  local vuln_versions = {
+  	['8'] = {
+  		['2'] = 5.47,
+      ['3'] = 2.40,
+  		['4'] = 7.3,
+      ['6'] = 1.13,
+  		['7'] = 1.11,
+  	},
+  	['9'] = {
+  		['0'] = 3.8,
+  		['1'] = 3.2,
+  	},
+	}
+
+  local report = vulns.Report:new(SCRIPT_NAME, host, port)
+	local ac = anyconnect.Cisco.AnyConnect:new(host, port)
+	local status = ac:connect()
+	if status then
+  	local ver = ac:get_version()
+		if vuln_versions[ver['major']] and vuln_versions[ver['major']][ver['minor']] then
+			if vuln_versions[ver['major']][ver['minor']] > tonumber(ver['rev']) then
+				vuln_table.state = vulns.STATE.VULN
+			end
+		end
+  end
+  return report:make_output(vuln_table)
+end