module
Cisco AnyConnect Privilege Escalations (CVE-2020-3153 and CVE-2020-3433)
| Disclosed | Created |
|---|---|
| 08/05/2020 | 09/30/2020 |
Disclosed
08/05/2020
Created
09/30/2020
Description
The installer component of Cisco AnyConnect Secure Mobility Client for Windows
prior to 4.8.02042 is vulnerable to path traversal and allows local attackers
to create/overwrite files in arbitrary locations with system level privileges.
The installer component of Cisco AnyConnect Secure Mobility Client for Windows
prior to 4.9.00086 is vulnerable to a DLL hijacking and allows local attackers
to execute code on the affected machine with with system level privileges.
Both attacks consist in sending a specially crafted IPC request to the TCP
port 62522 on the loopback device, which is exposed by the Cisco AnyConnect
Secure Mobility Agent service. This service will then launch the vulnerable
installer component (`vpndownloader`), which copies itself to an arbitrary
location (CVE-2020-3153) or with a supplied DLL (CVE-2020-3433) before being
executed with system privileges. Since `vpndownloader` is also vulnerable to DLL
hijacking, a specially crafted DLL (`dbghelp.dll`) is created at the same
location `vpndownloader` will be copied to get code execution with system
privileges.
The CVE-2020-3153 exploit has been successfully tested against Cisco AnyConnect
Secure Mobility Client versions 4.5.04029, 4.5.05030 and 4.7.04056 on Windows 10
version 1909 (x64) and Windows 7 SP1 (x86); the CVE-2020-3434 exploit has been
successfully tested against Cisco AnyConnect Secure Mobility Client versions
4.5.02036, 4.6.03049, 4.7.04056, 4.8.01090 and 4.8.03052 on Windows 10 version
1909 (x64) and 4.7.4056 on Windows 7 SP1 (x64).
prior to 4.8.02042 is vulnerable to path traversal and allows local attackers
to create/overwrite files in arbitrary locations with system level privileges.
The installer component of Cisco AnyConnect Secure Mobility Client for Windows
prior to 4.9.00086 is vulnerable to a DLL hijacking and allows local attackers
to execute code on the affected machine with with system level privileges.
Both attacks consist in sending a specially crafted IPC request to the TCP
port 62522 on the loopback device, which is exposed by the Cisco AnyConnect
Secure Mobility Agent service. This service will then launch the vulnerable
installer component (`vpndownloader`), which copies itself to an arbitrary
location (CVE-2020-3153) or with a supplied DLL (CVE-2020-3433) before being
executed with system privileges. Since `vpndownloader` is also vulnerable to DLL
hijacking, a specially crafted DLL (`dbghelp.dll`) is created at the same
location `vpndownloader` will be copied to get code execution with system
privileges.
The CVE-2020-3153 exploit has been successfully tested against Cisco AnyConnect
Secure Mobility Client versions 4.5.04029, 4.5.05030 and 4.7.04056 on Windows 10
version 1909 (x64) and Windows 7 SP1 (x86); the CVE-2020-3434 exploit has been
successfully tested against Cisco AnyConnect Secure Mobility Client versions
4.5.02036, 4.6.03049, 4.7.04056, 4.8.01090 and 4.8.03052 on Windows 10 version
1909 (x64) and 4.7.4056 on Windows 7 SP1 (x64).
Authors
Yorick KosterAntoine Goichot (ATGO)Christophe De La Fuente
Platform
Windows
Architectures
x86, x64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
msf > use exploit/windows/local/anyconnect_lpe
msf /(e) > show actions
...actions...
msf /(e) > set ACTION < action-name >
msf /(e) > show options
...show and set options...
msf /(e) > run
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.