dnrops
/
metasploit-framework
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

automatic module_metadata_base.json update

This commit is contained in:
Metasploit 2020-09-29 13:51:17 -05:00
parent 3aeeede4a6
commit 29732b9fc5
No known key found for this signature in database
GPG Key ID: CDFB5FA52007B954
1 changed files with 11 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
db/modules_metadata_base.json
View File

@ -133151,25 +133151,27 @@
}, },
"needs_cleanup": true "needs_cleanup": true
}, },
"exploit_windows/local/anyconnect_path_traversal_lpe": { "exploit_windows/local/anyconnect_lpe": {
"name": "Cisco AnyConnect Priv Esc through Path Traversal", "name": "Cisco AnyConnect Privilege Escalations (CVE-2020-3153 and CVE-2020-3433)",
"fullname": "exploit/windows/local/anyconnect_path_traversal_lpe", "fullname": "exploit/windows/local/anyconnect_lpe",
"aliases": [ "aliases": [
], ],
"rank": 600, "rank": 600,
"disclosure_date": "2020-02-19", "disclosure_date": "2020-08-05",
"type": "exploit", "type": "exploit",
"author": [ "author": [
"Yorick Koster", "Yorick Koster",
"Antoine Goichot (ATGO)", "Antoine Goichot (ATGO)",
"Christophe De La Fuente" "Christophe De La Fuente"
], ],
"description": "The installer component of Cisco AnyConnect Secure Mobility Client for Windows\n prior to 4.8.02042 is vulnerable to path traversal and allows local attackers\n to create/overwrite files in arbitrary locations with system level privileges.\n\n The attack consists in sending a specially crafted IPC request to the TCP port\n 62522 on the loopback device, which is exposed by the Cisco AnyConnect Secure\n Mobility Agent service. This service will then launch the vulnerable installer\n component (`vpndownloader`), which copies itself to an arbitrary location\n before being executed with system privileges. Since `vpndownloader` is also\n vulnerable to DLL hijacking, a specially crafted DLL (`dbghelp.dll`) is created\n at the same location `vpndownloader` will be copied to get code execution with\n system privileges.\n\n This exploit has been successfully tested against Cisco AnyConnect Secure\n Mobility Client versions 4.5.04029, 4.5.05030 and 4.7.04056 on Windows 10\n version 1909 (x64) and Windows 7 SP1 (x86).", "description": "The installer component of Cisco AnyConnect Secure Mobility Client for Windows\n prior to 4.8.02042 is vulnerable to path traversal and allows local attackers\n to create/overwrite files in arbitrary locations with system level privileges.\n\n The installer component of Cisco AnyConnect Secure Mobility Client for Windows\n prior to 4.9.00086 is vulnerable to a DLL hijacking and allows local attackers\n to execute code on the affected machine with with system level privileges.\n\n Both attacks consist in sending a specially crafted IPC request to the TCP\n port 62522 on the loopback device, which is exposed by the Cisco AnyConnect\n Secure Mobility Agent service. This service will then launch the vulnerable\n installer component (`vpndownloader`), which copies itself to an arbitrary\n location (CVE-2020-3153) or with a supplied DLL (CVE-2020-3433) before being\n executed with system privileges. Since `vpndownloader` is also vulnerable to DLL\n hijacking, a specially crafted DLL (`dbghelp.dll`) is created at the same\n location `vpndownloader` will be copied to get code execution with system\n privileges.\n\n The CVE-2020-3153 exploit has been successfully tested against Cisco AnyConnect\n Secure Mobility Client versions 4.5.04029, 4.5.05030 and 4.7.04056 on Windows 10\n version 1909 (x64) and Windows 7 SP1 (x86); the CVE-2020-3434 exploit has been\n successfully tested against Cisco AnyConnect Secure Mobility Client versions\n 4.5.02036, 4.6.03049, 4.7.04056, 4.8.01090 and 4.8.03052 on Windows 10 version\n 1909 (x64) and 4.7.4056 on Windows 7 SP1 (x64).",
"references": [ "references": [
"URL-https://ssd-disclosure.com/ssd-advisory-cisco-anyconnect-privilege-elevation-through-path-traversal/", "URL-https://ssd-disclosure.com/ssd-advisory-cisco-anyconnect-privilege-elevation-through-path-traversal/",
"URL-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-win-path-traverse-qO4HWBsj", "URL-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-win-path-traverse-qO4HWBsj",
"CVE-2020-3153" "CVE-2020-3153",
"URL-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-dll-F26WwJW",
"CVE-2020-3433"
], ],
"platform": "Windows", "platform": "Windows",
"arch": "x86, x64", "arch": "x86, x64",
@ -133183,10 +133185,10 @@
"targets": [ "targets": [
"Windows x86/x64 with x86 payload" "Windows x86/x64 with x86 payload"
], ],
"mod_time": "2020-06-24 17:19:21 +0000", "mod_time": "2020-09-29 13:38:31 +0000",
"path": "/modules/exploits/windows/local/anyconnect_path_traversal_lpe.rb", "path": "/modules/exploits/windows/local/anyconnect_lpe.rb",
"is_install_path": true, "is_install_path": true,
"ref_name": "windows/local/anyconnect_path_traversal_lpe", "ref_name": "windows/local/anyconnect_lpe",
"check": true, "check": true,
"post_auth": false, "post_auth": false,
"default_credential": false, "default_credential": false,