CISCO ANYCONNECT secure mobility client on Windows Privilege Escalation Vulnerability (CVE-2020-3153)

Posted by Author Dhiren Vaghela on Posted on

Summary:

Recently,a critical vulnerability was observed in wild in Cisco AnyConnect Secure Mobility Client on Windows. Its a privilege escalation vulnerability occurs with a manipulation with an unknown input. Classified as CWE-427 impacting the CIA triad.

Description:

This vulnerability is exploitable only by an authenticated as well as local attacker. It allows an attacker to copy user-supplied files to system level directories with system level privileges. Once the attacker have SYSTEM level privileges attacks such as DLL preloading, DLL hijacking can be manipulated.The vulnerability is due to the incorrect handling of directory paths.

A path traversal vulnerability exists in the vpndownloader.exe application for Windows that allows a local user on TCP port 62522 to create and run files outside of the temporary installer folder.

A low privileged user can also auto-update the Cisco Anyconnect service, that further allows client to loopback and run the executable copying it into temporary folder leading to the start of path traversal vulnerability. The  target file name is extracted from the source file name using this executable vpndownloader.exe . The target filename is nothing but the right side part after the backslash after the last occurrence of the backslash (\) character in the source path. AnyConnect does not consider that the Windows API also accepts the forward slash (/) as directory separator character that allows the executable to create files outside its temporary folder further resulting into gaining elevated privileges.

Exploit

The POC is a PowerShell module which has the function Invoke-ExploitAnyConnectPathTraversal.

Video Source: https://www.youtube.com/results?search_query=CVE-2020-3153

Affected Products:

Cisco AnyConnect Secure Mobility Client for Windows before and up to version 4.8.01090

Advisory:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-win-path-traverse-qO4HWBsj

Reference and Sources:

https://github.com/goichot/CVE-2020-3153

https://nvd.nist.gov/vuln/detail/CVE-2020-3153

https://seclists.org/fulldisclosure/2020/Apr/43

https://www.youtube.com/results?search_query=CVE-2020-3153

Mitigation:

Cisco has updated the patch and released for CVE-2020-3153.

Qualys customers can scan their network with QID(s)# 316582 to detect vulnerable assets. Kindly continue to follow on Qualys Threat Protection for more coverage on vulnerabilities.

Leave a Reply

Your email address will not be published. Required fields are marked *