6.9 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:M/Au:N/C:C/I:C/A:C
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.0004 Low
EPSS
Percentile
5.1%
Title: Cisco AnyConnect Posture (HostScan) Security Service Multiple Vulnerabilities **Advisory ID:**CORE-2021-0001 Advisory URL:https://www.coresecurity.com/core-labs/advisories/cisco-anyconnect-posture-hostscan-security-service-local-privilege-escalation **Date published: **2021-02-17 **Date of last update:**2020-02-17 Vendors contacted:Cisco Release mode: Coordinated release
**Class:**Improper Access Control [CWE-284], Uncontrolled Search Path Element [CWE-427]
**Impact:**Code execution
Remotely Exploitable: No **Locally Exploitable:**Yes CVE Name: CVE-2021-1366
Cisco is a multi-national conglomerate that develops, manufactures and sells networking hardware, software, telecommunications equipment and other high-technology services and products. Their product, the Cisco AnyConnect Secure Mobility Client, is a VPN that provides security for remote workers.
The AnyConnect Posture Module uses the HostScan application to enable the AnyConnect Secure Mobility Client to identify the operating system, antivirus, anti-spyware, and firewall software installed on the host. Posture assessment requires HostScan to be installed on the host.[1]
Multiple vulnerabilities were found in Cisco AnyConnect Posture. These vulnerabilities allow an authenticated local user to elevate privileges and execute any application under the SYSTEM account. This can be achieved in several ways due to the nature of the vulnerabilities.
Cisco has released a new version, AnyConnect 4.9.05042, which fixes the reported issues.
This vulnerability was discovered and researched by Marcos Accossatto from the Core Security Exploit Writing Team. The publication of this advisory was coordinated by** Pablo A. Zurro**from the CoreLabs Advisories Team.
The Cisco Security Service Windowsservice of AnyConnect Posture (ciscod.exe) listens on localhost (127.0.0.1) port 1023, waiting for local peers connections.
Once a local peer connects, the executable file corresponding to the local client’s PID (Process ID) is located by using the GetExtendedTcpTable function from the Iphlpapi.dll library. After that, the connecting process is checked to verify that it is signed by “Cisco Systems, Inc.”.
If the signature check is correct, then the _command _is processed. The analysis of the process_ipc_message function shows that this function checks if the first DWORD (4 bytes) of the packet has the 0x2E24 (11812) value. This value is then interpreted as the total length of the following data. So, the size of a _command _packet is always 0x2E28 (11816) bytes.
Then, the following DWORD is taken from the packet and compared with the list of available commands:
The command priv_file_copy can copy a file from any location to a subdirectory within the %ProgramFiles(x86)%\Cisco\Cisco HostScan
directory. The function checks for directory traversal (“…”) so it is not possible to escape that directory. Also, the source file must be inside a \Cisco\Cisco HostScan
directory.
Since the previous command can copy any file to any directory inside %ProgramFiles(x86)%\Cisco\Cisco HostScan
, an attacker could copy a library to the \bin
directory. When the service is started, that library can be loaded and executed (DLL Hijacking). There are several library names that can be used, one example being Dbghelp.dll.
The digital signature check can be bypassed by running a signed executable by Cisco in a suspended state. Then performing a Process Hollowing by replacing the original code with the attacker’s code, will allow the attacker to send any of the described commands.
This means a local attacker can escalate privileges. The following proof of concept demonstrates the vulnerability:
The structure of the packet for the priv_file_copy command is:
struct priv_file_copy_packet {
DWORD packetLen; // Must be 0x2E24 - Big Endian
DWORD opcode; // Must be 0x20 - Little Endian
DWORD padding; // Anything
BYTE source[1024]; // Null terminated string with the full path to source file.
Must be inside a \Cisco\Cisco HostScan directory
BYTE destination[10780]; // Null terminated string with the full path to destination file.
Must point inside of %ProgramFiles(x86)%\Cisco\Cisco HostScan directory
};
As an example, if the attacker’s DLL is located in C:\Users\McFly\AppData\Local\Temp\Cisco\Cisco HostScan\MyDLL.dll
(the DLL must be inside a \Cisco\Cisco HostScan
subdirectory) and the attack is performed on a Windows 64-bit Operating System, then the packet will have the following structure:
Image
The libhostscan.dll library is vulnerable to DLL Hijacking (or Binary Planting). The library tries to load several DLLs that are not present in its location path. For example, IPHLPAPI.DLL.
This library is present in the web deployment of AnyConnect Posture in the %ProgramFiles(x86)%\Cisco\Cisco AnyConnect Secure Mobility Client\Posture
path.
If AnyConnect Posture was installed using the pre deployment package, then the library is present in the %ProgramFiles(x86)%\Cisco\Cisco HostScan\lib
path.
An attacker can exploit this vulnerability in conjunction with the previous one to avoid restarting the machine. The command that allows this is the priv_get_device_id command (opcode 0x60).
When the service receives this command, it tries to load the _libhostscan.dll _library from the lib
directory. Since this library is vulnerable to DLL Hijacking, an attacker can perform the following steps to escalate privileges without restarting the machine:
%ProgramFiles(x86)%\Cisco\Cisco HostScan\lib
directory). If the library is not present, then look for it in the Secure Mobility Client directory: %ProgramFiles(x86)%\Cisco\Cisco AnyConnect Secure Mobility Client\Posture
\Cisco\Cisco HostScan
directory). The DLL must be named IPHLPAPI.DLL and it must export all the same functions as the original system DLL.Keep in mind that after every command, a _recv of size 0x2E28 (11816) _bytes must be performed for proper functioning.
Finally, the packet for the_ priv_get_device_id _command must have the following structure:
struct priv_get_device_id_packet {
DWORD packetLen; // Must be 0x2E24 - Big Endian
DWORD opcode; // Must be 0x60 - Little Endian
BYTE destination[11808]; // Padding
};
2020-08-30 – Vulnerability is discovered by Core Labs.
2020-09-07 - First contact made is to Cisco to report the vulnerability.
2020-09-07 - Response received from Cisco, advisory draft shared. Case created: PSIRT-0725204668
2020-09-14 - PoC is sent to Cisco.
2020-10-13 - Update from Cisco received stating that the development team is working on it. No timeframe for a fix is available at this time.
2020-11-05 - Update from Cisco received stating that the development team is still working on the fix. They expect to give a timeframe for the correction by the next week.
2020-11-13 - Update from Cisco received stating that the developers have confirmed that they were able to reproduce the issue, and work on the fix is ongoing. No specific dates for the release yet, but they will inform Core Labs as soon as these are available.
2020-12-21 - Update from Cisco received stating that the fix is ready and waiting to be integrated into a software release. The next release is planned for the end of January, so, if everything goes well, the security advisory publication is expected around mid-February. An update will be provided once the exact date is confirmed.
2020-01-11 - Update from Cisco received stating that the fix was already integrated as part of release 4.9.05042. The disclosure is scheduled for February 17th. (See the release notes.)
2020-01-11 – CVE number is requested and assigned: CVE-2021-1366.
2020-02-17 - Coordinated advisory is published. [2]
CoreLabs, the research center of Core Security, A Fortra Company is charged with researching and understanding security trends as well as anticipating the future requirements of information security technologies. CoreLabs studies cybersecurity trends, focusing on problem formalization, identification of vulnerabilities, novel solutions, and prototypes for new technologies. The team is comprised of seasoned researchers who regularly discover and discloses vulnerabilities, informing product owners in order to ensure a fix can be released efficiently, and that customers are informed as soon as possible. CoreLabs regularly publishes security advisories, technical papers, project information, and shared software tools for public use at <https://www.coresecurity.com/core-labs>.
Core Security, a Fortra Company, provides organizations with critical, actionable insight about who, how, and what is vulnerable in their IT environment. With our layered security approach and robust threat-aware, identity & access, network security, and vulnerability management solutions, security teams can efficiently manage security risks across the enterprise. Learn more at www.coresecurity.com.
Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or [email protected].
The contents of this advisory are copyright © 2021 Core Security and © 2021 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: <http://creativecommons.org/licenses/by-nc-sa/3.0/us/>
6.9 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:M/Au:N/C:C/I:C/A:C
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.0004 Low
EPSS
Percentile
5.1%