Abstract
Cisco AnyConnect Secure Mobility Client for OS X is affected by a vulnerability that allows local attackers to mount arbitrary DMG files at arbitrary mount points. By exploiting this vulnerability it is possible for the attacker to gain root privileges. Cisco reports that a similar issue also exists in Cisco AnyConnect Secure Mobility Client for Linux.
See also
- CVE-2015-6306
- Security Alert 41135: Cisco AnyConnect Secure Mobility Client for Linux and Mac OS X Privilege Escalation Vulnerability
Tested version
This issue was successfully verified on Cisco AnyConnect Secure Mobility Client for OS X version 3.1.08009.
Fix
Cisco customers with active contracts can obtain updates through the Software Center at https://software.cisco.com/download/navigator.html.
Cisco has released bug ID CSCuv11947 for registered users, which contains additional details and an up-to-date list of affected product versions.
Introduction
Last June, a blog post was published by Kostya Kortchinsky detailing an elevation of privileges vulnerability in Cisco AnyConnect Secure Mobility Client for Windows. This vulnerability allowed an unprivileged user to invoke any binary signed by Cisco, which would then be executed with SYSTEM privileges. This could be abused to install an arbitrary interactive service, which in turn grants a local user SYSTEM privileges.
It was found that the OS X version of AnyConnect is affected by a similar vulnerability. On OS X it is possible for a local unprivileged user to gain root privileges. Cisco reports that a similar issue also exists in Cisco AnyConnect Secure Mobility Client for Linux.
Vulnerability details
Cisco AnyConnect ships with a system service listening on the loopback interface. Local processes can connect to it and send it commands. One command is of interest because it can be used to invoke executables with elevated privileges. AnyConnect restricts which executables can be invoked this way, to prevent a local attacker from gaining elevated privileges.
One of the executables that can be invoked is install-dmg.sh, which is located in /opt/cisco/anyconnect/bin/vpndownloader.app/Contents/Resources/. This script allows a PKG file, located in a DMG file, to be installed as root. PKG files are only installed if they are named:
- vpn.pkg
- posture.pkg
- dart.pkg
- websecurity.pkg
In theory an attacker could create a DMG file containing a specially crafted PKG file that can be installed via AnyConnect. However, the script appears to be broken. After the DMG file is mounted, its path is supplied to the installer program. The path is prepended with a new-line character, which causes installer to exit with an error instead of installing the PKG file.
The command for mounting the DMG contains a flaw, which still allows a local attacker to abuse the script and gain root privileges. The flaw exists in the following command:
HDIDOUT=`hdiutil attach ${DMG} -nobrowse` || exit 1
The ${DMG} variable contains user-supplied input and is expanded unquoted. Because the shell treats a space character in the value as an argument separator, an attacker can append extra arguments to the hdiutil attach command. Consequently an attacker can mount a DMG file at an arbitrary mount point, which makes it possible to change the system's configuration and gain root privileges.
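The following script is an added example and is not part of the advisory or of Cisco's install-dmg.sh. It shows the mechanism behind the flaw: hdiutil is replaced by a stand-in function that only reports the arguments it receives, so the script runs on any POSIX shell. The attacker-controlled path value, the option name -mountpoint and the hardened variant (quoting the expansion and rejecting values that start with a dash) are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not the advisory's or Cisco's code. Stand-in for hdiutil that
# prints the argument count and every argument it receives, one per line.
fake_hdiutil() {
    echo "argc=$#"
    for a in "$@"; do
        printf ' arg=[%s]\n' "$a"
    done
}

# Mirrors the vulnerable line from install-dmg.sh: ${DMG} is expanded
# unquoted, so the shell splits it on whitespace into several arguments.
attach_unquoted() {
    DMG="$1"
    fake_hdiutil attach ${DMG} -nobrowse
}

# Hardened form (assumption, not Cisco's fix): the expansion is quoted so the
# whole value stays one argument, and values starting with "-" are refused so
# they cannot be parsed as an option by the real hdiutil either.
attach_quoted() {
    DMG="$1"
    case "$DMG" in
        -*) echo "refusing option-like path" >&2; return 1 ;;
    esac
    fake_hdiutil attach -nobrowse "${DMG}"
}

# Constructed attacker input: a path with an embedded extra option.
EVIL='/tmp/evil.dmg -mountpoint /private/etc'

# Number of arguments the stand-in sees when the given helper handles $EVIL.
argc_for() {
    "$1" "$EVIL" | sed -n 's/^argc=//p'
}

# Returns 0 when "-mountpoint" reached the stand-in as a separate argument,
# i.e. when the injection succeeded.
injected_mountpoint() {
    if "$1" "$EVIL" | grep '^ arg=\[-mountpoint\]$' >/dev/null; then
        return 0
    fi
    return 1
}

echo "unquoted:"; attach_unquoted "$EVIL"
echo "quoted:";   attach_quoted "$EVIL"
```

With the unquoted expansion the stand-in receives five arguments, and -mountpoint /private/etc arrives exactly as if the caller had typed it; with the quoted expansion the entire attacker string stays a single path argument, which hdiutil would simply fail to open.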
Proof of concept
The following proof of concept will start a root shell on an affected system using the following steps:
- create a DMG file containing a sudoers file that allows anyone in the everyone group to invoke sudo without providing a password.
- execute install-dmg.sh with the DMG file as argument.
- abuse the hdiutil attach flaw to mount the DMG file to /private/etc.
- execute sudo to gain root privileges.