Vulnerability in Cisco VPN Client

David Davis — Fri, 17 Aug 2007 06:00:00 +0000

If you are using the Cisco VPN client you should really take note of this. A serious vulnerability has been found by the folks over at NGS Software and Cisco has released a vulnerability advisory regarding Cisco VPN Client. For more information, read on….

===========
Description
===========
Impact: locally logged-on users of affected hosts can cause arbitrary
binaries to be executed in the context of Local System. This effectively
compromises the host.

=================
Technical Details
=================
Cisco’s VPN client for Windows installs a Windows service, the “Cisco
Systems, Inc. VPN Service” or CVPND, whose associated binary is
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe. By default, the
CVPND service runs as Local System.

SERVICE_NAME: CVPND
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : “C:\Program Files\Cisco Systems\VPN
Client\cvpnd.exe”
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Cisco Systems, Inc. VPN Service
DEPENDENCIES : TCPIP
SERVICE_START_NAME : LocalSystem

Interactive Users (i.e. those who have logged on locally) are granted
Modify permissions to cvpnd.exe (and its parent directory), denoted by
NT AUTHORITY\INTERACTIVE:C in the cacls output below.

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
NT AUTHORITY\INTERACTIVE:C
BUILTIN\Users:R
BUILTIN\Power Users:C
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
BUILTIN\Administrators:F

This allows normal users who have logged on to a susceptible host to move cvpnd.exe to another location, and substitute another binary for vpnd.exe. When the CVPND service restarts (e.g. on reboot), the replaced cvpnd.exe will run in the context of Local System. This effectively escalates users’ pivileges, thereby compromising the host.
Article Link
Cisco Advisory

Happy Router.com » VPN

Vulnerability in Cisco VPN Client