The folks over at NGS Software have released a vulnerability advisory regarding Cisco VPN.

===========
Description
===========
Impact: locally logged-on users of affected hosts can cause arbitrary
binaries to be executed in the context of Local System. This effectively
compromises the host.

=================
Technical Details
=================
Cisco’s VPN client for Windows installs a Windows service, the “Cisco
Systems, Inc. VPN Service” or CVPND, whose associated binary is
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe. By default, the
CVPND service runs as Local System.

SERVICE_NAME: CVPND
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : “C:\Program Files\Cisco Systems\VPN
Client\cvpnd.exe”
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Cisco Systems, Inc. VPN Service
DEPENDENCIES : TCPIP
SERVICE_START_NAME : LocalSystem

Interactive Users (i.e. those who have logged on locally) are granted
Modify permissions to cvpnd.exe (and its parent directory), denoted by
NT AUTHORITY\INTERACTIVE:C in the cacls output below.

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
NT AUTHORITY\INTERACTIVE:C
BUILTIN\Users:R
BUILTIN\Power Users:C
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
BUILTIN\Administrators:F

This allows normal users who have logged on to a susceptible host to
move cvpnd.exe to another location, and substitute another binary for
cvpnd.exe. When the CVPND service restarts (e.g. on reboot), the
replaced cvpnd.exe will run in the context of Local System. This
effectively escalates users’ privileges, thereby compromising the host.

Article Link

Cisco Advisory

[tags]Cisco VPN, Cisco VPN Vulnerability, NGS[/tags]

Leave a Reply

Your email address will not be published. Required fields are marked *