A vulnerability has been identified in Cisco AnyConnect Secure Mobility Client v3.1.06073 for Windows. This vulnerability could be leveraged by a local unprivileged user to get SYSTEM privileges, and was successfully exploited on a Windows 7 x64 platform.
Once installed, AnyConnect starts the executable vpnagent.exe as a SYSTEM service. This process listens locally on TCP port 62522 and parses the requests sent to it. The protocol is simple and follows a TLV structure; the service dispatches to different handlers based on the type of the request.
An interesting handler is CMainThread::launchClientApp in vpnagent.exe. This request takes 3 string parameters:
- The full path to the binary to be executed
- The command line arguments to that binary
- The desktop to launch it on
As a security measure, vpnagent.exe verifies that the binary to be executed is validly signed by "Cisco Systems, Inc." through a call to CProcessApi::SetVerifyFileSignature, preventing an arbitrary binary from being launched as SYSTEM.
Having a look at the other Cisco-signed binaries present, VACon64.exe (the amd64-specific version) stands out. This binary takes a path to a directory as an argument and executes InstallHInfSection on a hardcoded .inf file name in that directory. This is particularly unsafe, as we can build our own .inf file to install a service that will, for example, execute cmd.exe interactively as SYSTEM - we just need to make sure to set a DACL that will make it available to anyone.
Provided are 2 files to exploit the service on a 64-bit platform:
- c.py is a Python 2.7 script that will launch VACon64.exe with our .inf file by sending the specially crafted request to the vpnagent service
- acsock64.inf is the crafted .inf file that will install an interactive cmd.exe service (named InteractiveCmd) [it can probably be improved, but it's a good starting point]
Both files need to be in the same directory, and c.py must be executed by an unprivileged user. Said user can then run "net start InteractiveCmd" to start a SYSTEM cmd.exe in Session 0. The Session 0 Isolation Service should detect it and offer to switch to that session (verified on Windows 7; Windows 10 appears not to switch, even though the SYSTEM cmd.exe was successfully launched). The service can then be removed with "sc delete InteractiveCmd".
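As an added defender-side example (not part of the original advisory and not Cisco's code), the following Python script scans process-creation records for the launch pattern described above: vpnagent.exe spawning the signed VACon64.exe with a directory argument outside the AnyConnect install tree, which is where a user-supplied .inf would have to live. The install directory, the record field names (loosely modelled on Sysmon Event ID 1) and the sample records are assumptions constructed for this example.

```python
import ntpath
import re

# Assumed AnyConnect install directory (not stated in the advisory).
ANYCONNECT_DIR = r"C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client"


def split_cmdline(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def is_under(path, directory):
    """True if path is the directory itself or lies beneath it (case-insensitive)."""
    p = ntpath.normpath(path).lower()
    d = ntpath.normpath(directory).lower()
    return p == d or p.startswith(d + "\\")


def check_process_event(event, install_dir=ANYCONNECT_DIR):
    """Return a finding for a suspicious VACon64.exe launch, or None.

    The advisory's pattern: vpnagent.exe (SYSTEM) launches VACon64.exe, which
    runs InstallHInfSection on a hardcoded .inf name inside the directory it
    is given.  A directory argument outside the install tree means the .inf
    could have been written by an unprivileged user.
    """
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    if parent != "vpnagent.exe" or child != "vacon64.exe":
        return None
    for arg in split_cmdline(event.get("CommandLine", ""))[1:]:  # skip argv[0]
        if arg and not is_under(arg, install_dir):
            return "VACon64.exe launched by vpnagent.exe with .inf directory outside install tree: " + arg
    return None


# Constructed sample records: field names follow Sysmon Event ID 1, values are made up.
SAMPLE_EVENTS = [
    {"ParentImage": ANYCONNECT_DIR + r"\vpnagent.exe", "Image": ANYCONNECT_DIR + r"\VACon64.exe",
     "CommandLine": f'"{ANYCONNECT_DIR}\\VACon64.exe" "{ANYCONNECT_DIR}"'},          # legitimate
    {"ParentImage": ANYCONNECT_DIR + r"\vpnagent.exe", "Image": ANYCONNECT_DIR + r"\VACon64.exe",
     "CommandLine": f'"{ANYCONNECT_DIR}\\VACon64.exe" "C:\\Users\\alice\\Desktop\\x"'},  # suspicious
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},                                                        # unrelated
]


def scan(events=SAMPLE_EVENTS):
    """Run the check over a list of records and return the findings."""
    return [f for f in (check_process_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan():
        print(finding)
```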
This vulnerability was reported to Cisco on January 26th, 2015 (PSIRT-1269982510). It was fixed in releases 4.0.02052 and 3.1.08009 of AnyConnect, announced in a security bulletin on June 23rd, 2015 (assigned CVE-2015-4211) [148 days].
Great to see new posts
Hi
Nice article. I tested out your PoC. The service successfully installs itself and is viewable inside services.msc. However, when I try to start it I get the following error:
"error 1053 service failed to start in a timely fashion"
I modified your PoC to create a non-interactive service that just creates a folder in the C drive, in a location not accessible to non-privileged accounts. However, that didn't work either, failing with the same error.
I then proceeded to manually create a service using sc:
sc create Inter binPath= "cmd.exe /c mkdir C:\TEST\Test"
When I try to start the service via services.msc or via command line, I get the same error.
I did some research and there was a problem with the .NET Framework for managing services some time ago, but I have .NET 4.5 installed so that is not the problem. Furthermore, I found some resources that suggested I should increase the timeout from the default of 30 seconds to 2 minutes. However, creating a folder is almost instant, so this shouldn't be the problem either. This service is not interactive, as the type is set to 0x10 by default (WIN32_OWN_PROCESS).
I also posted a stack overflow question about it:
http://stackoverflow.com/questions/32735341/starting-a-manually-created-service-that-is-configured-to-run-a-command
Do you have any idea why this is happening?
I visited your blog for the first time and have just become your fan, and I get a lot of informative information about security.
vpn without logs