Cisco VPN Concentrator – CRLF injection

Some of the old Cisco VPN Concentrators are vulnerable to CRLF injection.

Definition of CRLF injection in OWASP:
The term CRLF refers to Carriage Return (ASCII 13, \r) Line Feed (ASCII 10, \n). They're used to note the termination of a line; however, they are dealt with differently in today's popular Operating Systems. For example: in Windows both a CR and LF are required to note the end of a line, whereas in Linux/UNIX only a LF is required. A CRLF Injection attack occurs when a user manages to submit a CRLF into an application. This is most commonly done by modifying an HTTP parameter or URL.

The attack applies to Cisco VPN Concentrators that offer the SSL VPN service. The device does not strip CRLF characters (\r\n, sent URL-encoded as %0d%0a) from client-supplied input before echoing it in its HTTP response to the client, so an attacker can inject additional HTTP response headers. Whenever a web server responds to an HTTP request with duplicate headers (the result of such an LF injection), the browser may ignore the first header and honour the last instance of the duplicate.

However, the Cisco VPN Concentrator reached its End-of-Life in Feb 2007; no support is available for this product after that date, and the products are obsolete.

Here I provide a proof-of-concept attack, which requires the Linux telnet client.

The payload utilized here is %0d%0aLocation:%20https://albertsiow.wordpress.com

If this attack works on your Cisco VPN Concentrator, it means you are using an outdated product. The simplest solution is to CHANGE TO AN UPDATED, IN-SUPPORT VPN PRODUCT.
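As an added illustration (not code from this post or from Cisco), the following Python models the injection described above: an unfiltered parameter lands in a response header, the browser keeps the last of two Location headers, and the hardened form rejects CR/LF before the value reaches a header. The hostname vpn.example and the idea that the device builds a Location header from an echoed parameter are assumptions for the simulation.

```python
from urllib.parse import unquote

# Payload from the post: URL-encoded CRLF followed by a second Location header.
PAYLOAD = "%0d%0aLocation:%20https://albertsiow.wordpress.com"
# Assumed (hypothetical) redirect base that the device builds from an echoed parameter.
BASE_URL = "https://vpn.example/"


def build_response_vulnerable(param):
    """Model of the flaw: the decoded parameter lands in a header unfiltered."""
    value = unquote(param)
    return ("HTTP/1.1 302 Found\r\nLocation: " + BASE_URL + value +
            "\r\nContent-Length: 0\r\n\r\n").encode()


def sanitize_header_value(value):
    """Hardened form: refuse any CR or LF before the value reaches a header."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF not allowed in header values")
    return value


def build_response_hardened(param):
    """Same response, but the parameter is validated first."""
    value = sanitize_header_value(unquote(param))
    return ("HTTP/1.1 302 Found\r\nLocation: " + BASE_URL + value +
            "\r\nContent-Length: 0\r\n\r\n").encode()


def parse_headers(raw):
    """Drop the status line and return (name, value) pairs, keeping duplicates."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode()
    pairs = []
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def effective_header(headers, name):
    """Browser behaviour the post describes: the last duplicate header wins."""
    matches = [v for n, v in headers if n.lower() == name.lower()]
    return matches[-1] if matches else None


def duplicate_headers(headers):
    """Defender-side check on a captured response: names that occur more than once."""
    names = [n.lower() for n, _ in headers]
    return {n for n in names if names.count(n) > 1}
```

Running `duplicate_headers` over responses captured from a device under test is a quick way to confirm whether echoed input is reaching the header block.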


Cisco VPN 3000 Series Concentrators

Mozilla Firefox duplicate header overwrite behaviour

