SecurityTracker.com
SecurityTracker Archives

Category:   Application (VPN)  >   Cisco VPN Client
Vendors:   Cisco
Cisco VPN Client Lets Local Users Gain Administrator Privileges on the Operating System
SecurityTracker Alert ID:  1006819
SecurityTracker URL:  http://securitytracker.com/id/1006819
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 22 2003
Impact:   Execution of arbitrary code via local system, Modification of system information, Root access via local system
Vendor Confirmed:  Yes
Exploit Included:  Yes

Description:   A vulnerability was reported in the Cisco VPN Client. A local user can gain administrator privileges.

It is reported that a local user can gain administrator privileges on a host that uses the Cisco VPN Client software. A local user can reportedly replace 'ipsecdialer.exe' with 'explorer.exe' and make a configuration change to cause 'explorer.exe' to be started by the VPN Client with Local System privileges.

The following demonstration exploit steps have been provided:

"- Log on as a standard user.
- Browse to the C:\winnt directory, right click on explorer.exe and choose copy.
- Browse to C:\Program Files\Cisco Systems\VPN Client (the directory with ipsecdialer.exe) and paste a copy of explorer.exe into the folder.
- Double click on ipsecdialer.exe and select options > Windows logon properties.
- Click on the first box to "enable start before log on".
- Click OK and Close.
- Rename ipsecdialer.exe to ipsecdialer.ex_
- Rename the copy of explorer.exe to ipsecdialer.exe
- Close any open windows.
- Log out.
- Log back on as the same standard user.
- Click okay on any error messages that appear.
- DO NOT CLOSE THE EXPLORER WINDOW THAT IS OPEN.
- At this point you may see your desktop or you may not (have had it happen both ways), but whatever the case, that Explorer window is open as local system and anything else you see is opened as the standard user.
- In the open explorer window press the Up folder icon until you get to My computer.
- Double click on Control Panel, then Administrative Tools, then Computer Management
- Expand Local Users and Groups and add your Standard User account to the Local Administrators Group."

The vendor has reportedly confirmed the flaw.

Impact:   A local user can cause 'explorer.exe' to be started with Local System privileges, allowing the local user to gain administrator privileges on the system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.cisco.com/ (Links to External Site)
Cause:   Access control error
Underlying OS:  Windows (2000)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Confirms and Provides Workaround) Re: Cisco VPN Client Lets Local Users Gain Administrator Privileges on the Operating System
Cisco has confirmed the flaw and described a workaround. They are working on a fix.



Source Message Contents

Subject:  Cisco VPN Client can be used to gain local administrator rights (All Versions, patched or otherwise)


First, before getting into this exploit I think it's only fair to say
that my last post, "Cisco Systems VPN Client allows local logon with
Elevated Privileges", was, as Cisco's representative Sharad Ahlawat said,
outdated and already addressed (see following link):

http://www.cisco.com/warp/public/707/vpnclient-multiple2-vuln-pub.shtml

That said, I was sufficiently embarrassed to see if I could get
around their patched client, and here's how to do it:

- Log on as a standard user.
- Browse to the C:\winnt directory, right click on explorer.exe and
choose copy.
- Browse to C:\Program Files\Cisco Systems\VPN Client (the directory
with ipsecdialer.exe) and paste a copy of explorer.exe into the folder.
- Double click on ipsecdialer.exe and select options > Windows logon
properties.
- Click on the first box to "enable start before log on".
- Click OK and Close.
- Rename ipsecdialer.exe to ipsecdialer.ex_
- Rename the copy of explorer.exe to ipsecdialer.exe
- Close any open windows.
- Log out.
- Log back on as the same standard user.
- Click okay on any error messages that appear.
- DO NOT CLOSE THE EXPLORER WINDOW THAT IS OPEN.
- At this point you may see your desktop or you may not (have had it
happen both ways), but whatever the case, that Explorer window is open
as local system and anything else you see is opened as the standard
user.
- In the open explorer window press the Up folder icon until you get to
My computer.
- Double click on Control Panel, then Administrative Tools, then
Computer Management
- Expand Local Users and Groups and add your Standard User account to
the Local Administrators Group.

The following steps are provided to return your machine to its previous
state (i.e. logging in without the client launching explorer):

- Navigate to C:\Program Files\Cisco Systems\VPN Client and open the
vpnclient.ini file
- set runatlogon=0
- Save the file and restart the machine (Ctrl-Alt-Del if no Start
button)


And to verify the changes took...

Log on as the Standard user and do whatever you want.

Cisco has been notified about this issue and has acknowledged it, but
since asking for a week to test it further I have not heard from them
again.

Possible Issue/Workaround

I can't code, but it would seem the file at fault is csgina.dll which is
Cisco's replacement Gina that's installed automatically (and I assume is
what allows the explorer window to be launched in the system process).
Also, this exploit would be harder if not impossible were Cisco to
secure their install folder, but unfortunately even if I have
permissions set on the Program Files folder to only allow Users Read
access the Cisco install creates a subfolder which grants the
Interactive user Modify permissions.  I think they do this because the
program constantly re-encrypts the group authentication key which is
stored in a text file in that directory.

This has been verified on Windows 2000 with SP3 and Windows 2003 Server
with the newest version of the Cisco VPN client (as well as older
versions too).

Thanks,

Nick Staff
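The report above comes down to two conditions that an administrator can audit for: the client's program directory grants write-class rights (the post names Modify for the Interactive user) to non-administrators, and "start before logon" (runatlogon=1 in vpnclient.ini) causes whatever sits at ipsecdialer.exe to be launched as Local System. The following PowerShell audit script is an added example and is not code from the advisory, the poster, or Cisco. The install path, the vpnclient.ini file, the runatlogon key and the ipsecdialer.ex_ rename are taken from the post; the list of untrusted principals, the function names and the section-less INI parsing are assumptions.

```powershell
# Added example (not from the advisory or from Cisco): audit a Cisco VPN Client
# install for the conditions described in the report, from a defender's side.
# Run from an elevated PowerShell prompt on the host being checked.

param(
    # Directory named in the post; override if the client was installed elsewhere.
    [string]$ClientDir = 'C:\Program Files\Cisco Systems\VPN Client'
)

# Principals that should never hold write-class rights on a directory whose
# executables are started as Local System. Assumed list; 'INTERACTIVE' is the
# one the post reports being granted Modify by the installer.
$untrustedPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\INTERACTIVE',
    'NT AUTHORITY\Authenticated Users',
    'Everyone'
)

# Any one of these rights is enough to replace or rename a file in the folder.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeClassRights = $fsr::FullControl -bor $fsr::Modify -bor $fsr::Write -bor
                    $fsr::WriteData  -bor $fsr::AppendData -bor $fsr::Delete -bor
                    $fsr::DeleteSubdirectoriesAndFiles

function Test-WritableByUntrusted {
    # Returns one record per Allow ACE that gives an untrusted principal
    # write-class access to $Path (empty array when the ACL is clean).
    param([string]$Path)
    $findings = @()
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($untrustedPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeClassRights) -ne 0) {
            $findings += [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
    return $findings
}

function Get-RunAtLogonSetting {
    # Reads the runatlogon value from vpnclient.ini. The post gives the key but
    # not its section, so the key is matched anywhere in the file (assumption).
    param([string]$IniPath)
    if (-not (Test-Path -LiteralPath $IniPath)) { return $null }
    $hit = Select-String -LiteralPath $IniPath -Pattern '^\s*runatlogon\s*=\s*(\d+)' |
           Select-Object -First 1
    if ($null -eq $hit) { return $null }
    return [int]$hit.Matches[0].Groups[1].Value
}

# 1. Directory permissions: the install folder and every subfolder.
$aclFindings = @(Test-WritableByUntrusted -Path $ClientDir)
Get-ChildItem -LiteralPath $ClientDir -Recurse -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { $aclFindings += Test-WritableByUntrusted -Path $_.FullName }

if ($aclFindings.Count -gt 0) {
    Write-Warning "Non-administrators can modify files under $ClientDir :"
    $aclFindings | Format-Table -AutoSize
} else {
    Write-Host "OK: no write-class ACEs for untrusted principals under $ClientDir"
}

# 2. Start-before-logon setting (the post's restore step is runatlogon=0).
$runAtLogon = Get-RunAtLogonSetting -IniPath (Join-Path $ClientDir 'vpnclient.ini')
switch ($runAtLogon) {
    $null   { Write-Host 'vpnclient.ini not found or has no runatlogon key' }
    0       { Write-Host 'OK: runatlogon=0 (client does not start before logon)' }
    default { Write-Warning "runatlogon=$runAtLogon: ipsecdialer.exe is launched before logon as Local System" }
}

# 3. Tamper indicator named in the post: the original dialer renamed aside.
if (Test-Path -LiteralPath (Join-Path $ClientDir 'ipsecdialer.ex_')) {
    Write-Warning "Found ipsecdialer.ex_ next to ipsecdialer.exe; verify the executable has not been replaced"
}
```

A finding in step 1 combined with runatlogon=1 is the exact state the report describes. Tightening the ACL is the durable fix, but note the poster's caveat that the client rewrites a file (the encrypted group authentication key) in that directory, so removing write rights may break the client; setting runatlogon=0, as in the restore steps above, removes the Local System launch without touching permissions.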


Copyright 2021, SecurityGlobal.net LLC