Recently,a critical vulnerability was observed in wild in Cisco AnyConnect Secure Mobility Client on Windows. Its a privilege escalation vulnerability occurs with a manipulation with an unknown input. Classified as CWE-427 impacting the CIA triad.
This vulnerability is exploitable only by an authenticated as well as local attacker. It allows an attacker to copy user-supplied files to system level directories with system level privileges. Once the attacker have SYSTEM level privileges attacks such as DLL preloading, DLL hijacking can be manipulated.The vulnerability is due to the incorrect handling of directory paths.
A path traversal vulnerability exists in the vpndownloader.exe application for Windows that allows a local user on TCP port 62522 to create and run files outside of the temporary installer folder.
A low privileged user can also auto-update the Cisco Anyconnect service, that further allows client to loopback and run the executable copying it into temporary folder leading to the start of path traversal vulnerability. The target file name is extracted from the source file name using this executable vpndownloader.exe . The target filename is nothing but the right side part after the backslash after the last occurrence of the backslash (\) character in the source path. AnyConnect does not consider that the Windows API also accepts the forward slash (/) as directory separator character that allows the executable to create files outside its temporary folder further resulting into gaining elevated privileges.
The POC is a PowerShell module which has the function Invoke-ExploitAnyConnectPathTraversal.
Video Source: https://www.youtube.com/results?search_query=CVE-2020-3153
Cisco AnyConnect Secure Mobility Client for Windows before and up to version 4.8.01090
Reference and Sources:
Qualys customers can scan their network with QID(s)# 316582 to detect vulnerable assets. Kindly continue to follow on Qualys Threat Protection for more coverage on vulnerabilities.