module

Cisco AnyConnect Priv Esc through Path Traversal

Try Surface Command
Back to search
Disclosed
2020-02-19
Created
2020-06-25

Description

The installer component of Cisco AnyConnect Secure Mobility Client for Windows
prior to 4.8.02042 is vulnerable to path traversal and allows local attackers
to create/overwrite files in arbitrary locations with system level privileges.

The attack consists in sending a specially crafted IPC request to the TCP port
62522 on the loopback device, which is exposed by the Cisco AnyConnect Secure
Mobility Agent service. This service will then launch the vulnerable installer
component (`vpndownloader`), which copies itself to an arbitrary location
before being executed with system privileges. Since `vpndownloader` is also
vulnerable to DLL hijacking, a specially crafted DLL (`dbghelp.dll`) is created
at the same location `vpndownloader` will be copied to get code execution with
system privileges.

This exploit has been successfully tested against Cisco AnyConnect Secure
Mobility Client versions 4.5.04029, 4.5.05030 and 4.7.04056 on Windows 10
version 1909 (x64) and Windows 7 SP1 (x86).

Authors

Yorick Koster
Antoine Goichot (ATGO)
Christophe De La Fuente

Platform

Windows

Architectures

x86, x64

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


    msf > use exploit/windows/local/anyconnect_path_traversal_lpe
    msf exploit(anyconnect_path_traversal_lpe) > show targets
        ...targets...
    msf exploit(anyconnect_path_traversal_lpe) > set TARGET < target-id >
    msf exploit(anyconnect_path_traversal_lpe) > show options
        ...show and set options...
    msf exploit(anyconnect_path_traversal_lpe) > exploit
Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today