Thursday, August 30, 2007

[NT] Local Privilege Escalation Vulnerability in Cisco VPN Client

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


- - - - - - - - -

Local Privilege Escalation Vulnerability in Cisco VPN Client
------------------------------------------------------------------------


SUMMARY

A vulnerability in Cisco's VPN client allows locally logged-on users of
affected hosts can cause arbitrary binaries to be executed in the context
of Local System. This effectively compromises the host.

DETAILS

Vulnerable Systems:
* Cisco VPN Client versions prior to 5.0.01.0600

Immune Systems:
* Cisco VPN Client version 5.0.01.0600

Technical Details
Cisco's VPN client for Windows installs a Windows service, the "Cisco
Systems, Inc. VPN Service" or CVPND, whose associated binary is C:\Program
Files\Cisco Systems\VPN Client\cvpnd.exe. By default, the CVPND service
runs as Local System.

SERVICE_NAME: CVPND
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : "C:\Program Files\Cisco Systems\VPN
Client\cvpnd.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Cisco Systems, Inc. VPN Service
DEPENDENCIES : TCPIP
SERVICE_START_NAME : LocalSystem

Interactive Users (i.e. those who have logged on locally) are granted
Modify permissions to cvpnd.exe (and its parent directory), denoted by NT
AUTHORITY\INTERACTIVE:C in the cacls output below.

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
NT AUTHORITY\INTERACTIVE:C
BUILTIN\Users:R
BUILTIN\Power Users:C
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
BUILTIN\Administrators:F

This allows normal users who have logged on to a susceptible host to move
cvpnd.exe to another location, and substitute another binary for
cvpnd.exe. When the CVPND service restarts (e.g. on reboot), the replaced
cvpnd.exe will run in the context of Local System. This effectively
escalates users' privileges, thereby compromising the host.

Fix Information:
Upgrade to a fixed version of the Cisco VPN client: see Cisco's advisory
at the URL below for more details:
<http://www.cisco.com/warp/public/707/cisco-sa-20070815-vpnclient.shtml>

http://www.cisco.com/warp/public/707/cisco-sa-20070815-vpnclient.shtml

Alternatively, as a workaround, revoke access rights for NT
AUTHORITY\INTERACTIVE from cvpnd.exe, e.g.:

C:\Program Files\Cisco Systems\VPN Client>cacls cvpnd.exe /E /R "NT
AUTHORITY\INTERACTIVE"


ADDITIONAL INFORMATION

The information has been provided by <mailto:dominic@ngssoftware.com>
Dominic Beecher.

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

No comments:

Post a Comment