Cisco AnyConnect Privilege Escalation
Authored by Yorick Koster, Christophe de la Fuente, Antoine Goichot

tags | exploit, arbitrary, local, tcp
systems | cisco, windows
advisories | CVE-2020-3153, CVE-2020-3433
MD5 | 6dab51a6758b6569e7dba4af74f482ed

The installer component of Cisco AnyConnect Secure Mobility Client for Windows prior to 2 is vulnerable to path traversal and allows local attackers to create/overwrite files in arbitrary locations with system level privileges. The installer component of Cisco AnyConnect Secure Mobility Client for Windows prior to 6 is vulnerable to DLL hijacking and allows local attackers to execute code on the affected machine with system level privileges. Both attacks consist of sending a specially crafted IPC request to TCP port 62522 on the loopback device, which is exposed by the Cisco AnyConnect Secure Mobility Agent service.

This service will then launch the vulnerable installer component (`vpndownloader`), which copies itself to an arbitrary location (CVE-2020-3153) or with a supplied DLL (CVE-2020-3433) before being executed with system privileges. Since `vpndownloader` is also vulnerable to DLL hijacking, a specially crafted DLL (`dbghelp.dll`) is created at the same location `vpndownloader` will be copied to, which yields code execution with system privileges.

The CVE-2020-3153 exploit has been successfully tested against Cisco AnyConnect Secure Mobility Client versions 9, 0 and 6 on Windows 10.

Module fragments visible in the listing (class MetasploitModule):

  'Cisco AnyConnect Privilege Escalations (CVE-2020-3153 and CVE-2020-3433)'
  Authors:
    'Yorick Koster'              # original PoC CVE-2020-3153, analysis
    'Christophe De La Fuente'    # msf module for CVE-2020-3153
    'Antoine Goichot (ATGO)'     # PoC CVE-2020-3153, original PoC for CVE-2020-3433, update of msf module
  'PAYLOAD' => 'windows/meterpreter/reverse_tcp'
  OptBool. ... (truncated)
  Installation path option: 'Cisco AnyConnect Secure Mobility Client installation path (where \'vpndownloader.exe\' ... It will be automatically detected if not set.'

Introduction

End of April 2020, I analyzed the technical advisory from SSD Secure Disclosure on the CVE-2020-3153 vulnerability affecting Cisco AnyConnect Secure Mobility Client for Windows (discovered by Yorick Koster). During this analysis, I found three additional vulnerabilities in the same component. Beginning of May 2020, I sent all details to Cisco (responsible disclosure), and these vulnerabilities have been public since the beginning of August 2020. Exploits for CVE-2020-3433, CVE-2020-3434 and CVE-2020-3435 are available on GitHub.
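The attack chain described above leaves two host-level traces a defender can key on: `vpndownloader.exe` being executed from a directory other than the AnyConnect installation directory, and a `dbghelp.dll` being written into the directory from which that copy of `vpndownloader.exe` is then launched. The following is an added detection example written for this page; it is not part of the Metasploit module or of the authors' published code. It assumes Sysmon-style JSON events (EventID 1 for process creation with `Image`, `ParentImage` and `User`; EventID 11 for file creation with `Image` and `TargetFilename`), and the trusted install directory is an assumption that the Metasploit module itself auto-detects rather than hard-codes. The sample events are constructed, not captured from a real host.

```python
"""Detect vpndownloader.exe relocation and dbghelp.dll planting.

Added example for this page; not the Metasploit module's or the authors' code.
Assumes Sysmon-style JSON lines: EventID 1 (process creation) and
EventID 11 (file creation). The trusted directory below is an assumption.
"""
import json
import ntpath

# Assumption: the AnyConnect install directory on this host. The Metasploit
# module detects it automatically; a detection rule should use an allow-list
# tuned to the environment instead of this single hard-coded value.
TRUSTED_DIR = r"C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client"

# Constructed sample events (not real telemetry). Event 1 is a normal launch
# from the install directory; events 2 and 3 mirror the chain on the page:
# a low-privileged process drops dbghelp.dll into a directory, then a copy
# of vpndownloader.exe runs from that directory as SYSTEM.
SAMPLE_LOGS = [
    json.dumps({"EventID": 1,
                "Image": TRUSTED_DIR + r"\vpndownloader.exe",
                "ParentImage": TRUSTED_DIR + r"\vpnagent.exe",
                "User": r"NT AUTHORITY\SYSTEM"}),
    json.dumps({"EventID": 11,
                "Image": r"C:\Users\low\exploit.exe",
                "TargetFilename": r"C:\Users\low\AppData\Local\Temp\dbghelp.dll"}),
    json.dumps({"EventID": 1,
                "Image": r"C:\Users\low\AppData\Local\Temp\vpndownloader.exe",
                "ParentImage": TRUSTED_DIR + r"\vpndownloader.exe",
                "User": r"NT AUTHORITY\SYSTEM"}),
]


def _norm_dir(path):
    """Case-insensitive, normalised directory part of a Windows path."""
    return ntpath.normcase(ntpath.normpath(ntpath.dirname(path)))


def analyze(lines):
    """Return a list of findings for the given JSON event lines.

    Two rules:
      vpndownloader_outside_install_dir      - vpndownloader.exe executed from
                                               a directory other than TRUSTED_DIR
      dbghelp_dll_planted_beside_vpndownloader - a dbghelp.dll was created in the
                                               directory a vpndownloader.exe
                                               later runs from (hijack set-up)
    """
    trusted = ntpath.normcase(ntpath.normpath(TRUSTED_DIR))
    findings = []
    dbghelp_dirs = {}  # directory -> file-creation event that wrote dbghelp.dll there

    for line in lines:
        ev = json.loads(line)
        if ev["EventID"] == 11:
            target = ev["TargetFilename"]
            if ntpath.basename(target).lower() == "dbghelp.dll":
                dbghelp_dirs[_norm_dir(target)] = ev
        elif ev["EventID"] == 1:
            image = ev["Image"]
            if ntpath.basename(image).lower() != "vpndownloader.exe":
                continue
            run_dir = _norm_dir(image)
            if run_dir != trusted:
                findings.append({"rule": "vpndownloader_outside_install_dir",
                                 "image": image,
                                 "user": ev.get("User")})
            if run_dir in dbghelp_dirs:
                findings.append({"rule": "dbghelp_dll_planted_beside_vpndownloader",
                                 "image": image,
                                 "dll_writer": dbghelp_dirs[run_dir]["Image"]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f)
```

The first rule fires on both CVEs, because in each case the installer copy runs from an attacker-chosen directory; the second rule is specific to the DLL hijack and also records which process wrote the DLL, which is the low-privileged attacker process. Legitimate update runs may launch `vpndownloader.exe` from other directories, so in production replace the single `TRUSTED_DIR` with an allow-list and treat the second rule as the higher-confidence signal.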