SSD Advisory – Cisco AnyConnect Privilege Elevation through Path Traversal

Vulnerability Summary
The update functionality of the Cisco AnyConnect Secure Mobility Client for Windows is affected by a path traversal vulnerability that allows local attackers to create/overwrite files in arbitrary locations. Successful exploitation of this vulnerability allows the attacker to gain SYSTEM privileges.

Credit
An independent security researcher, Yorick Koster, has reported this vulnerability to the SSD Secure Disclosure program.

Affected Systems
Cisco AnyConnect Secure Mobility Client for Windows, Version 4.8.01090.

CVE
CVE-2020-3153

Vendor Response
Cisco has released a patch, available from: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-win-path-traverse-qO4HWBsj

Vulnerability Details
Cisco AnyConnect Secure Mobility Client contains functionality to auto-update itself. Auto-update also works for low-privileged users, because the update is initiated by a service called Cisco AnyConnect Secure Mobility Agent, which runs with SYSTEM privileges. This service exposes TCP port 62522 on the loopback interface; clients connect to it and send commands that the service handles. One of these commands launches the vpndownloader application to update AnyConnect.

A path traversal vulnerability exists in the vpndownloader application for Windows that allows a local user to create and run files outside of the temporary installer folder. Successful exploitation of this vulnerability allows a local attacker to gain SYSTEM privileges.

The AnyConnect auto-update functionality has been affected by a number of vulnerabilities in the past that could be abused by local users to gain SYSTEM privileges (e.g. Kostya Kortchinsky, Securify, Project Zero, SerializingMe). Cisco has made a number of changes to mitigate these attacks, amongst them:

  • Executables need to have a valid Authenticode signature from Cisco Systems, Inc.
  • (New) versions of vpndownloader.exe are copied to %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Temp\Downloader.
  • Proper NTFS permissions are (now) set on the %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\ folder.
  • The vpndownloader.exe executable must have vpndownloader.exe configured as the original filename in its version information.
  • When vpndownloader.exe launches additional installation files, these files also need to have a valid Authenticode signature from Cisco Systems, Inc.
  • Installation files are copied to a separate temporary folder under %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Temp\Installer before they are executed.

In a nutshell, the auto-update mechanism works by sending a message to the AnyConnect Agent to launch vpndownloader.exe and instruct it to perform a certain action (passed as a command line argument). This action is either moving/copying a profile (XML) file to a profile folder or launching a Cisco-signed installer file. Technically, this doesn’t need to be an installer file; any Cisco-signed executable will do. When vpndownloader.exe is instructed to run an installer file, the file is first copied to a temporary folder under %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Temp\Installer.

After the file has been copied, the digital signature is checked, including the signer of the file. If everything checks out, the file is launched from the temporary folder and the folder is deleted after execution has completed.
Because the executable is copied to a new temporary folder, and the folder has proper NTFS permissions, it is not possible to perform a file/DLL planting attack to run arbitrary code. In addition, the file must be signed by Cisco and the signature must be valid, preventing the execution of arbitrary executables.

A path traversal vulnerability exists in the step where the (user-supplied) executable is copied into the temporary folder. vpndownloader.exe derives the target file name from the source file name. Essentially it does this by searching for the last occurrence of the backslash (\) character in the source path; the part to the right of that backslash is treated as the file name and is used as the target file name. AnyConnect does not take into account that the Windows API also accepts the forward slash (/) as a directory separator. Because of this it is possible to cause vpndownloader.exe to create files outside its temporary folder.

Since the signature verification is done after the file is copied, an attacker can copy any file to any location residing on the same volume as %ProgramData% (generally C:\). The copy is performed with SYSTEM privileges when vpndownloader.exe is launched through the AnyConnect Agent. If the target file exists and SYSTEM has write access to it, it will be overwritten with the attacker-supplied file. This alone is enough for a local user to gain elevated privileges.
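The following is an added illustration, not Cisco’s code: a constructed C reimplementation of the file-name extraction step as the advisory describes it, beside a hardened version that recognises both Windows separators and rejects anything that is not a single path component. Function names and the sample path are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Flawed extraction as the advisory describes it: the text after the last
 * backslash becomes the destination file name. A tail written with forward
 * slashes, which the Windows API also accepts as separators, passes through
 * untouched and is later appended to the temporary installer folder. */
const char *vuln_target_name(const char *src)
{
    const char *p = strrchr(src, '\\');
    return p ? p + 1 : src;
}

/* A name may be appended to the installer folder only if it is one plain
 * component: non-empty, not "." or "..", and free of either separator and
 * of ':' (drive letter or NTFS alternate data stream). */
bool name_is_single_component(const char *name)
{
    if (name[0] == '\0' || strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;
    return strpbrk(name, "\\/:") == NULL;
}

/* Hardened extraction: split on both '\\' and '/', then refuse anything
 * that is not a single safe component. Returns false when rejected. */
bool safe_target_name(const char *src, char *out, size_t outlen)
{
    const char *tail = src;
    for (const char *q = src; *q != '\0'; q++)
        if (*q == '\\' || *q == '/')
            tail = q + 1;
    if (!name_is_single_component(tail) || strlen(tail) >= outlen)
        return false;
    strcpy(out, tail);
    return true;
}

/* Convenience wrapper: the accepted name, or NULL when the name is rejected. */
const char *target_name_or_null(const char *src)
{
    static char name[260]; /* MAX_PATH-sized scratch buffer */
    return safe_target_name(src, name, sizeof name) ? name : NULL;
}
```

A complete fix would additionally canonicalise the final destination with the OS and confirm it still lies under the installer folder, and would verify the Authenticode signature before, not after, the copy.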

Another attack scenario is to hijack a DLL that is loaded by a Cisco-signed executable. Most Cisco executables are affected by DLL hijacking; a DLL commonly used by Cisco applications is dbghelp.dll. The attack consists of two steps:

  1. Create an attacker-controlled dbghelp.dll file outside of the temporary folder to prevent removal, traversing one folder up is enough.
  2. Launch a Cisco signed executable which is vulnerable to DLL hijacking from the same folder, again using the path traversal vulnerability.

When the Cisco signed executable is launched through the AnyConnect Agent, it will also run with SYSTEM privileges. The code in the attacker-controlled DLL will also run with these privileges. The application itself is opened within Session 0. Windows 10 1803 has removed the Interactive Services Detection Service, which makes it impossible for users to interact with any GUI displayed in Session 0. This of course does nothing to stop an attacker from gaining SYSTEM privileges, but it does require an additional step for the attacker to launch a GUI application with elevated privileges.

Exploit
The PoC is a PowerShell module that exports the function Invoke-ExploitAnyConnectPathTraversal. This function has two modes.

Without arguments:
This mode tries to hijack %ProgramFiles%\Common Files\microsoft shared\ink\HID.dll, which is used by the on-screen keyboard. Run the following commands in a PowerShell prompt:

  1. Import-Module .-ExploitAnyConnectPathTraversal.psm1
  2. Invoke-ExploitAnyConnectPathTraversal
  3. Lock the Windows session or sign out
  4. Open accessibility tools in the login screen and launch the on-screen keyboard

A PowerShell prompt should open (behind the keyboard) running as SYSTEM. (Note that the on-screen keyboard of Windows 7 isn’t affected by this DLL hijack).

With arguments:
Running the function with arguments will create three files within %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Temp\Installer:

  • payload.bat
  • dbghelp.dll
  • cstub.exe

cstub.exe is a Cisco-signed executable, which will be launched by vpndownloader. dbghelp.dll is hijacked to run payload.bat. The provided argument(s) are written to payload.bat and thus will run as SYSTEM.

  1. Import-Module .-ExploitAnyConnectPathTraversal.psm1
  2. Invoke-ExploitAnyConnectPathTraversal

SSD Advisory – FiberHome Directory Traversal

Vulnerability Summary
The following advisory describes a directory traversal vulnerability found in FiberHome routers.
FiberHome Technologies Group “was established in 1974. After continuous and intensive development for over 40 years, its business has been extended to R&D, manufacturing, marketing & sales, engineering service, in 4 major areas: fiber-optic communications, data networking communications, wireless communication, and intelligentizing applications. In particular, it has been providing end-to-end solutions integrated with opto-electronic devices, optic preforms, fiber & cables, and optical communication systems to many countries around the world.”
Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
Update 1:
CVE issued: CVE-2017-15647
We have tried to contact FiberHome since September 6, 2017; repeated attempts to establish contact went unanswered. At this time there is no solution or workaround for the vulnerability.

SSD Advisory – Synology Photo Station Unauthenticated Remote Code Execution

Vulnerability Summary
The following advisory describes a Remote Code Execution found in Synology Photo Station versions 6.7.3-3432 and earlier / 6.3-2967 and earlier.
Personal Photo Station is an online photo album with blog owned and managed by a DSM user. Synology NAS provides the home/photo folder for you to store photos and videos that you want to share. The system will create index thumbnails of the photos and videos automatically, and then people can view photo albums via a web browser.
Credit
An independent security researcher, Kacper Szurek, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
The vendor has released patches to address this vulnerability.
For more details: https://www.synology.com/zh-tw/support/security/Synology_SA_17_34_PhotoSation
CVEs:

  • CVE-2017-11151
  • CVE-2017-11152
  • CVE-2017-11153
  • CVE-2017-11154
  • CVE-2017-11155


SSD Advisory – Nitro Pro PDF Multiple Vulnerabilities

Vulnerabilities Summary
The following advisory describes three vulnerabilities found in Nitro / Nitro Pro PDF.
Nitro Pro is the PDF reader and editor that does everything you will ever need to do with PDF files. The powerful but snappy editor lets you change PDF documents with ease, and comes with a built-in OCR engine that can transform scanned documents into editable files. Fill up forms, annotate and sign them as part of your workflow, and easily merge multiple documents or delete selected pages as necessary.
If you use a large display or multiple monitors, NitroPDF also offers the ability to display PDF documents side-by-side so that you can pore through multiple documents. Of course, you could use AquaSnap to do that.
The vulnerabilities found in Nitro PDF are:

  • Doc.saveAs Directory Traversal Arbitrary File Write that leads to Command Execution
  • App.launchURL Command Execution
  • JPEG2000 npdf.dll Use-After-Free
  • Forms Parsing NPForms.npp Use-After-Free
  • File Parsing Count Field npdf.dll Memory Corruption
  • NewWindow Launch Action NPActions.npp Command
  • URI Action NPActions.npp Command Execution

This report contains the following vulnerabilities:

  • Doc.saveAs Directory Traversal Arbitrary File Write that leads to Command Execution
  • App.launchURL Command Execution
  • JPEG2000 npdf.dll Use-After-Free

Credit
Two independent security researchers, Steven Seeley and anonymous, have reported these vulnerabilities to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
The vendor has released patches to address these vulnerabilities. “A number of the reported vulnerabilities have been resolved and confirmed, and will be included in our next release of Nitro Pro, 11.05.”
For more details: https://www.gonitro.com/support/downloads#securityUpdates
CVE:

  • CVE-2017-2796
  • CVE-2017-7950


SSD Advisory – Geneko Routers Unauthenticated Path Traversal

Vulnerability Summary
The following advisory describes an unauthenticated path traversal vulnerability found in the Geneko GWR router series.
Geneko GWG is a compact and cost-effective communications solution that provides cellular capabilities for fixed and mobile applications such as data acquisition, smart metering, remote monitoring and management. GWG supports a variety of radio band options on 2G, 3G and 4G cellular technologies.
Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
We informed Geneko of the vulnerability on the 28th of May 2017; the last email we received from them was on the 7th of June 2017. We have no further updates from Geneko regarding the availability of a patch or a workaround for the vulnerability.
CVE: CVE-2017-11456