Vigil@nce - Cisco AnyConnect Secure Mobility Client: privilege escalation via INF
October 2016 by Vigil@nce
This bulletin was written by Vigil@nce : https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can alter an INF file for Cisco AnyConnect Secure
Mobility Client, in order to execute code with SYSTEM privileges.
– Impacted products: Cisco AnyConnect Secure Mobility Client.
– Severity: 2/4.
– Creation date: 25/08/2016.
DESCRIPTION OF THE VULNERABILITY
The Cisco AnyConnect Secure Mobility Client can be installed on
Windows.
It installs the vpnagent.exe service, which listens on port
62522/tcp, and runs as SYSTEM. A local user can send it a message
in TLV format, containing an InstallHInfSection field, indicating
the name of an INF file.
This INF file can contain the name of an executable program to
install, and AnyConnect checks if it is located in an allowed
directory. However, this check is incorrect, and an attacker can
create an executable in a privileged directory, so it is executed
with SYSTEM privileges.
A local attacker can therefore alter an INF file for Cisco
AnyConnect Secure Mobility Client, in order to execute code with
SYSTEM privileges.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN