Cisco AnyConnect < 4.8.02042 privilege escalation through path traversal
The auto-update feature of Cisco AnyConnect is affected by a path traversal vulnerability. An attacker can exploit this vulnerability to gain SYSTEM-level privileges.
For more details, please refer to:
This exploit uses the "hijack of a DLL loaded by a Cisco signed binary" attack scenario described in the original advisory and in SSD's post. However, this exploit uses vpndownloader.exe (also a Cisco signed binary that is affected by the same DLL hijacking vulnerability) instead of cstub.exe. In addition, I embedded dbghelp.dll in Base64 in the C# code to have a standalone exploit.
Run CVE-2020-3153.exe (in the CVE-2020-3153/bin/Release folder) or use the "msbuild" version (in case of Application Whitelisting). A SYSTEM shell will spawn.
An MSBuild launcher has been created from the C# program, for use in case of Application Whitelisting or to change the path to vpndownloader.exe without recompiling the C# code.
Usage:
C:\Windows\Microsoft.Net\Framework64\v4.0.30319\MSBuild.exe c:\path\to\CVE-2020-3153.xml
The CVE-2020-3153.xml file can be found in the msbuild folder.
This exploit has been tested on Windows 7 and Windows 10 with the following Cisco AnyConnect versions (32-bit):
- 4.5.02036
- 4.6.03049
- 4.7.04056
- 4.8.01090
I have not tested any Cisco AnyConnect 64-bit versions; the path to vpndownloader.exe may be different.
- The cstub.exe binary in this repository was extracted from AnyConnect Posture module version 4.6.02074.
- The outline of the C# code and the DLL source code are based on the Google Project Zero PoC for CVE-2015-6305: link
- The author of the vulnerability helped me with the successful exploitation on AnyConnect 4.7.x and 4.8.x. I was missing a value for an argument: link