NGS00051 Technical Advisory: Cisco VPN Client Privilege Escalation
- To: "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>
- Subject: NGS00051 Technical Advisory: Cisco VPN Client Privilege Escalation
- From: "Research@NGSSecure" <research@xxxxxxxxxxxxx>
- Date: Tue, 28 Jun 2011 13:55:58 +0000
=======
Summary
=======
Name: Cisco VPN Client Privilege Escalation
Release Date: 28 June 2011
Reference: NGS00051
Discoverer: Gavin Jones <gavin.jones@xxxxxxxxxxxxx>
Vendor: Cisco
Vendor Reference:
Systems Affected: Cisco VPN client (Windows 64 Bit)
Risk: High
Status: Fixed
========
TimeLine
========
Discovered: 15 February 2011
Released: 15 February 2011
Approved: 15 February 2011
Reported: 22 February 2011
Fixed: 24 March 2011
Published: 28 June 2011
===========
Description
===========
The 64 Bit Cisco VPN Client for Windows 7 is affected by a local privilege
escalation vulnerability that allows non-privileged users to gain
administrative privileges.
=================
Technical Details
=================
Unprivileged users can execute arbitrary programs that run with the privileges
of the LocalSystem account by replacing the Cisco VPN Service executable with
arbitrary executables. This vulnerability exists because the default file
permissions assigned during installation to cvpnd.exe (the executable for the
Cisco VPN Service) allow unprivileged, interactive users to replace cvpnd.exe
with any file.
Because the Cisco VPN Service is a Windows service running with LocalSystem
privileges, unprivileged users can easily elevate their privileges.
It is possible to work around this vulnerability without a software upgrade.
The permissions applied to the file by default are shown below:
  C:\ >cacls "C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe"
  C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe
  BUILTIN\Users:R
  BUILTIN\Administrators:F
  NT AUTHORITY\SYSTEM:F
  NT AUTHORITY\INTERACTIVE:F
  NT AUTHORITY\SYSTEM:F
===============
Fix Information
===============
An effective workaround for this vulnerability is to revoke access rights for
NT AUTHORITY\INTERACTIVE from cvpnd.exe. For example:
  C:\Program Files (x86)\Cisco Systems\VPN Client>cacls cvpnd.exe /E /R "NT AUTHORITY\INTERACTIVE"
NGS Secure Research
http://www.ngssecure.com
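
The following Python is an added example, not part of the NGS advisory or of any Cisco tooling. It parses cacls output in the simple form quoted above and flags any principal outside SYSTEM and Administrators that holds a write-capable right (W, C or F) on the service binary. The function names, the trusted-principal list and the after-workaround listing are assumptions of the example.

```python
import re

PATH = r"C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe"

# cacls output as quoted in the advisory (default install permissions).
ADVISORY_OUTPUT = r"""
C:\ >cacls "C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe"
C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe
BUILTIN\Users:R
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\INTERACTIVE:F
NT AUTHORITY\SYSTEM:F
"""

# Constructed sample: the listing expected once the workaround is applied.
AFTER_WORKAROUND = r"""
C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe BUILTIN\Users:R
    BUILTIN\Administrators:F
    NT AUTHORITY\SYSTEM:F
"""

# cacls simple rights: N none, R read, W write, C change, F full control.
WRITE_RIGHTS = {"W", "C", "F"}
# Assumption of this example: only these principals should be able to write.
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\ADMINISTRATORS"}

# "principal:[(OI)(CI)...]right"; special-access ACEs are not handled here.
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?:\([A-Z]{2}\))*(?P<right>[NRWCF])$")

def parse_cacls(output, path):
    """Return [(principal, right), ...] for each simple ACE in cacls output."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # first ACE can share the path line
        m = ACE_RE.match(line)
        if m:
            aces.append((m.group("who"), m.group("right")))
    return aces

def risky_aces(aces):
    """ACEs that let a principal outside TRUSTED modify or replace the file."""
    return sorted({(w, r) for w, r in aces if r in WRITE_RIGHTS and w.upper() not in TRUSTED})

if __name__ == "__main__":
    for label, text in (("default", ADVISORY_OUTPUT), ("after workaround", AFTER_WORKAROUND)):
        print(label, "->", risky_aces(parse_cacls(text, PATH)) or "no unexpected writers")
```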