Cisco AnyConnect elevation of privileges via DLL side loading

Abstract

Cisco AnyConnect Secure Mobility Client for Windows is affected by a vulnerability that allows local attackers to execute arbitrary DLL files with elevated privilege. By exploiting this vulnerability is is possible for the attacker to gain SYSTEM privileges.

See also

Tested version

This issue was successfully verified on Cisco AnyConnect Secure Mobility Client for Windows version 3.1.08009.

Fix

Cisco customers with active contracts can obtain updates through the Software Center at https://software.cisco.com/download/navigator.html.

Cisco has released bug ID CSCuv01279 for registered users, which contains additional details and an up-to-date list of affected product versions.

Introduction

Last June, a blog post was published by Kostya Kortchinsky detailing an elevation of privileges vulnerability in Cisco AnyConnect Secure Mobility Client for Windows. This vulnerability allowed an unprivileged user to invoke any binary signed by Cisco, which would be executed with SYSTEM privileges. This could be abused to install an arbitrary interactive service and consequently granting a local user SYSTEM privileges.

Cisco released versions 4.0.02052 and 3.1.08009 of Cisco AnyConnect Secure Mobility Client, which restricts which binaries can be invoked with elevated privileges. This effectively resolves the attack vector described by Kostya. A variant of this issue was found that still allows for a local attacker to gain SYSTEM privileges using a DLL side loading attack. This variant was independently discovered by Google Project Zero.

Vulnerability details

Cisco AnyConnect comes with a system service listening on the loopback interface. It allows for local processes to connect to it and send commands to it. One command is interesting as it can be used to invoke executables with elevated privileges. AnyConnect restricts which executables can be invoked to prevent a local attacker from gaining elevated privileges. Despite these restrictions it is still possible to gain elevated privileges using DLL side loading.

One of the executables that can be invoked is vpndownloader.exe. Normally this file is started from AnyConnect's installation folder. However when vpndownloader.exe is copied to a different location, it is possible to start it from that location. When started vpndownloader.exe will look for the following DLL files in the folder from which it is started:

  • dbghelp.dll
  • msi.dll
  • msvcp60.dll
  • version.dll
  • winhttp.dll

If vpndownloader.exe finds any of these DLLs, it will try to load them. These DLLs will be executed with the same privileges of vpndownloader.exe, which is SYSTEM when started via the system service. A local attacker can abuse this issue by copying vpndownloader.exe to a folder in which the attacker has write access. Copy a specially crafted DLL file to this folder with the same name as one of the DLLs listed above. And finally instruct the system service to invoke vpndownloader.exe from the attacker-controlled location.

Proof of concept

The following proof of concept will start a Command Prompt running with SYSTEM privileges on an affected system: AnyConnectEoP.cs

Questions or feedback?