Giter Club home page Giter Club logo

cve-2020-3433's Introduction

PoCs for CVE-2020-3433, CVE-2020-3434, and CVE-2020-3435

PoCs and technical details for the three vulnerabilities found on Cisco AnyConnect Secure Mobility Client for Windows in May 2020:

  • CVE-2020-3433 - High (CVSS Score 7.8) - a local privilege escalation
  • CVE-2020-3434 - Medium (CVSS Score 5.5) - a Denial of Service
  • CVE-2020-3435 - Medium (CVSS Score 5.5) - an "Always-On" bypass (VPN profile modification)

Technical details are available in this repository: Details.md

CVE-2020-3433: Privilege escalation (AnyConnect < 4.9.00086)

Description

A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system.

The vulnerability is due to insufficient validation of resources that are loaded by the application at run time. An attacker could exploit this vulnerability by sending a crafted IPC message to the AnyConnect process. A successful exploit could allow the attacker to execute arbitrary code on the affected machine with SYSTEM privileges. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system.

Cisco Advisory

Exploit

Run CVE-2020-3433-privesc.exe. A SYSTEM shell will spawn

CVE-2020-3433-PoC

CVE-2020-3434: Denial of Service (AnyConnect < 4.9.01095)

Description

A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to cause a denial of service (DoS)condition on an affected device. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system.

The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted IPC message to the AnyConnect process on an affected device. A successful exploit could allow the attacker to stop the AnyConnect process, causing a DoS condition on the device. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system.

Cisco Advisory

Exploit

Run CVE-2020-3434-DoS.exe. AnyConnect's VPN Agent service will stop.

CVE-2020-34343-PoC

CVE-2020-3435: VPN profile modification

Description

A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to overwrite VPN profiles on an affected device. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system.

The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted IPC message to the AnyConnect process on an affected device. A successful exploit could allow the attacker to modify VPN profile files. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system.

Cisco Advisory

Exploit

Run CVE-2020-3435-profile-modification.exe bypass "C:\path\to\profile\to\overwrite.xml". The VPN profile will be overwritten (by a profile embedded in the PoC). A backup of the profile will be written in the current folder (with current date and time).

OR

Run CVE-2020-3435-profile-modification.exe restore "C:\path\to\profile.xml". C:\path\to\profile.xml will be restored (C:\path\to\profile.xml will be copied to C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\profile.xml)

CVE-2020-3435-PoC

Additional information

  • These vulnerabilities were found after the analysis of the CVE-2020-3153 vulnerability (my PoC and my notes are available here: link)
  • The outline of the C# code and the DLL source code are based on Google Project Zero PoC for CVE-2015-6305: link
  • I have not tested AnyConnect 64-bit versions. Path to vpndownloader.exe should probably be modified.

Antoine Goichot - September 2020

GitHub | Twitter | LinkedIn

cve-2020-3433's People

Contributors

goichot avatar

Stargazers

 avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar

Watchers

 avatar  avatar  avatar  avatar  avatar  avatar

cve-2020-3433's Issues

The downloader command line arguments are invalid

First thanks for the PoC and the write up, it's very well explained.
Unfortunately I have an error before the DLL execution. I try the PoC on anyconnect 4.8.3036.
This is what I got from the event viewer:

ProviderName : acvpndownloader
Message      : Function: CInstallTask::DoPrivilegedInstall
               File: c:\temp\build\thehoff\negasonic_mr30.550195061902\negasonic_mr3\vpn\downloader\installtask.cpp
               Line: 942
               Installer exit code: 1 (failure). See the log file 
               C:\WINDOWS\TEMP\anyconnect-vpndownloader-install-17374724012022.log for more information.

ProviderName : acvpndownloader
Message      : Function: wWinMain
               File: c:\temp\build\thehoff\negasonic_mr30.550195061902\negasonic_mr3\vpn\downloader\downloader.cpp
               Line: 235
               The downloader command line arguments are invalid

ProviderName : acvpndownloader
Message      : Function: CVerifyFileSignatureWindows::IsValid
               File: c:\temp\build\thehoff\negasonic_mr30.550195061902\negasonic_mr3\vpn\commoncrypt\verifyfilesignatur
               ewindows.cpp
               Line: 110
               Code-signing verification succeeded. File (C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility 
               Client\Temp\Installer\3229.tmp\vpndownloader.exe)

ProviderName : acvpndownloader
Message      : Installing software (C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility 
               Client\Temp\Installer\3229.tmp\vpndownloader.exe /norestart /quiet NOINSTALLACTIVEX=1 WEBLAUNCH=1 /lvx* 
               C:\WINDOWS\TEMP\anyconnect-vpndownloader-install-17374724012022.log)

I suspect that the error with the message The downloader command line arguments are invalid is the cause.
Do you think there is a solution to bypass this error? Looking at the PoC the only thing sent to vpnui is CAC-nc-install vpndownloader.exe dbghelp.dll so maybe it's only an environment linked issue?

(Unfortunately, I can't read anyconnect-vpndownloader-install-17374724012022.log because I don't have the required rights on this machine)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.