module
Cisco AnyConnect Priv Esc through Path Traversal
| Disclosed | Created |
|---|---|
| Feb 19, 2020 | Jun 25, 2020 |
Disclosed
Feb 19, 2020
Created
Jun 25, 2020
Description
The installer component of Cisco AnyConnect Secure Mobility Client for Windows
prior to 4.8.02042 is vulnerable to path traversal and allows local attackers
to create/overwrite files in arbitrary locations with system level privileges.
The attack consists in sending a specially crafted IPC request to the TCP port
62522 on the loopback device, which is exposed by the Cisco AnyConnect Secure
Mobility Agent service. This service will then launch the vulnerable installer
component (`vpndownloader`), which copies itself to an arbitrary location
before being executed with system privileges. Since `vpndownloader` is also
vulnerable to DLL hijacking, a specially crafted DLL (`dbghelp.dll`) is created
at the same location `vpndownloader` will be copied to get code execution with
system privileges.
This exploit has been successfully tested against Cisco AnyConnect Secure
Mobility Client versions 4.5.04029, 4.5.05030 and 4.7.04056 on Windows 10
version 1909 (x64) and Windows 7 SP1 (x86).
prior to 4.8.02042 is vulnerable to path traversal and allows local attackers
to create/overwrite files in arbitrary locations with system level privileges.
The attack consists in sending a specially crafted IPC request to the TCP port
62522 on the loopback device, which is exposed by the Cisco AnyConnect Secure
Mobility Agent service. This service will then launch the vulnerable installer
component (`vpndownloader`), which copies itself to an arbitrary location
before being executed with system privileges. Since `vpndownloader` is also
vulnerable to DLL hijacking, a specially crafted DLL (`dbghelp.dll`) is created
at the same location `vpndownloader` will be copied to get code execution with
system privileges.
This exploit has been successfully tested against Cisco AnyConnect Secure
Mobility Client versions 4.5.04029, 4.5.05030 and 4.7.04056 on Windows 10
version 1909 (x64) and Windows 7 SP1 (x86).
Authors
Yorick Koster
Antoine Goichot (ATGO)
Christophe De La Fuente
Antoine Goichot (ATGO)
Christophe De La Fuente
Platform
Windows
Architectures
x86, x64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.