From 29732b9fc5db8849d4c7bb40a4e6d5f538b9ac59 Mon Sep 17 00:00:00 2001 From: Metasploit Date: Tue, 29 Sep 2020 13:51:17 -0500 Subject: [PATCH] automatic module_metadata_base.json update --- db/modules_metadata_base.json | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/db/modules_metadata_base.json b/db/modules_metadata_base.json index faaa4b1124..cdb3c8842e 100644 --- a/db/modules_metadata_base.json +++ b/db/modules_metadata_base.json @@ -133151,25 +133151,27 @@ }, "needs_cleanup": true }, - "exploit_windows/local/anyconnect_path_traversal_lpe": { - "name": "Cisco AnyConnect Priv Esc through Path Traversal", - "fullname": "exploit/windows/local/anyconnect_path_traversal_lpe", + "exploit_windows/local/anyconnect_lpe": { + "name": "Cisco AnyConnect Privilege Escalations (CVE-2020-3153 and CVE-2020-3433)", + "fullname": "exploit/windows/local/anyconnect_lpe", "aliases": [ ], "rank": 600, - "disclosure_date": "2020-02-19", + "disclosure_date": "2020-08-05", "type": "exploit", "author": [ "Yorick Koster", "Antoine Goichot (ATGO)", "Christophe De La Fuente" ], - "description": "The installer component of Cisco AnyConnect Secure Mobility Client for Windows\n prior to 4.8.02042 is vulnerable to path traversal and allows local attackers\n to create/overwrite files in arbitrary locations with system level privileges.\n\n The attack consists in sending a specially crafted IPC request to the TCP port\n 62522 on the loopback device, which is exposed by the Cisco AnyConnect Secure\n Mobility Agent service. This service will then launch the vulnerable installer\n component (`vpndownloader`), which copies itself to an arbitrary location\n before being executed with system privileges. Since `vpndownloader` is also\n vulnerable to DLL hijacking, a specially crafted DLL (`dbghelp.dll`) is created\n at the same location `vpndownloader` will be copied to get code execution with\n system privileges.\n\n This exploit has been successfully tested against Cisco AnyConnect Secure\n Mobility Client versions 4.5.04029, 4.5.05030 and 4.7.04056 on Windows 10\n version 1909 (x64) and Windows 7 SP1 (x86).", + "description": "The installer component of Cisco AnyConnect Secure Mobility Client for Windows\n prior to 4.8.02042 is vulnerable to path traversal and allows local attackers\n to create/overwrite files in arbitrary locations with system level privileges.\n\n The installer component of Cisco AnyConnect Secure Mobility Client for Windows\n prior to 4.9.00086 is vulnerable to a DLL hijacking and allows local attackers\n to execute code on the affected machine with with system level privileges.\n\n Both attacks consist in sending a specially crafted IPC request to the TCP\n port 62522 on the loopback device, which is exposed by the Cisco AnyConnect\n Secure Mobility Agent service. This service will then launch the vulnerable\n installer component (`vpndownloader`), which copies itself to an arbitrary\n location (CVE-2020-3153) or with a supplied DLL (CVE-2020-3433) before being\n executed with system privileges. Since `vpndownloader` is also vulnerable to DLL\n hijacking, a specially crafted DLL (`dbghelp.dll`) is created at the same\n location `vpndownloader` will be copied to get code execution with system\n privileges.\n\n The CVE-2020-3153 exploit has been successfully tested against Cisco AnyConnect\n Secure Mobility Client versions 4.5.04029, 4.5.05030 and 4.7.04056 on Windows 10\n version 1909 (x64) and Windows 7 SP1 (x86); the CVE-2020-3434 exploit has been\n successfully tested against Cisco AnyConnect Secure Mobility Client versions\n 4.5.02036, 4.6.03049, 4.7.04056, 4.8.01090 and 4.8.03052 on Windows 10 version\n 1909 (x64) and 4.7.4056 on Windows 7 SP1 (x64).", "references": [ "URL-https://ssd-disclosure.com/ssd-advisory-cisco-anyconnect-privilege-elevation-through-path-traversal/", "URL-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-win-path-traverse-qO4HWBsj", - "CVE-2020-3153" + "CVE-2020-3153", + "URL-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-dll-F26WwJW", + "CVE-2020-3433" ], "platform": "Windows", "arch": "x86, x64", @@ -133183,10 +133185,10 @@ "targets": [ "Windows x86/x64 with x86 payload" ], - "mod_time": "2020-06-24 17:19:21 +0000", - "path": "/modules/exploits/windows/local/anyconnect_path_traversal_lpe.rb", + "mod_time": "2020-09-29 13:38:31 +0000", + "path": "/modules/exploits/windows/local/anyconnect_lpe.rb", "is_install_path": true, - "ref_name": "windows/local/anyconnect_path_traversal_lpe", + "ref_name": "windows/local/anyconnect_lpe", "check": true, "post_auth": false, "default_credential": false,