Advisories - Research - Next Generation Security Software

High Risk Vulnerability in Cisco VPN Client (cvpnd.exe)

August 16th, 2007

=======
Summary
=======
Name: Permissively-ACLed cvpnd.exe allows interactive users to run
arbitrary binaries with Local System Privileges
Release Date: 16 August 2007
Reference: NGS00503
Discover: Dominic Beecher <dominic@ngssoftware.com>
Vendor: Cisco
Vendor Reference: cisco-sa-20070815-vpnclient
Systems Affected: All versions up to but not including 5.0.01.0600
Risk: High
Status: Published

========
TimeLine
========
Discovered: 18 May 2007
Released: 22 May 2007
Approved: 11 June 2007
Reported: 23 May 2007
Fixed: 15 August 2007
Published: 16 August 2007

===========
Description
===========
Impact: locally logged-on users of affected hosts can cause arbitrary
binaries to be executed in the context of Local System. This effectively
compromises the host.

=================
Technical Details
=================
Cisco’s VPN client for Windows installs a Windows service, the “Cisco
Systems, Inc. VPN Service” or CVPND, whose associated binary is
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe. By default, the
CVPND service runs as Local System.

SERVICE_NAME: CVPND
TYPE               : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE         : 2   AUTO_START
ERROR_CONTROL      : 0   IGNORE
BINARY_PATH_NAME   : “C:\Program Files\Cisco Systems\VPN
Client\cvpnd.exe”
LOAD_ORDER_GROUP   :
TAG                : 0
DISPLAY_NAME       : Cisco Systems, Inc. VPN Service
DEPENDENCIES       : TCPIP
SERVICE_START_NAME : LocalSystem

Interactive Users (i.e. those who have logged on locally) are granted
Modify permissions to cvpnd.exe (and its parent directory), denoted by
NT AUTHORITY\INTERACTIVE:C in the cacls output below.

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
NT AUTHORITY\INTERACTIVE:C
BUILTIN\Users:R
BUILTIN\Power Users:C
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
BUILTIN\Administrators:F

This allows normal users who have logged on to a susceptible host to
move cvpnd.exe to another location, and substitute another binary for
cvpnd.exe. When the CVPND service restarts (e.g. on reboot), the
replaced cvpnd.exe will run in the context of Local System. This
effectively escalates users’ privileges, thereby compromising the host.

===============
Fix Information
===============
Upgrade to a fixed version of the Cisco VPN client: see Cisco’s advisory
at the URL below for more details.

http://www.cisco.com/warp/public/707/cisco-sa-20070815-vpnclient.shtml

Alternatively, as a workaround, revoke access rights for NT
AUTHORITY\INTERACTIVE from cvpnd.exe, e.g.:

C:\Program Files\Cisco Systems\VPN Client>cacls cvpnd.exe /E /R “NT
AUTHORITY\INTERACTIVE”

–
NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070