Cisco Systems VPN Client allows local logon with Elevated Privileges
From: Nick Staff (Nick.Staff_at_FOX.COM)
Date: Wed, 14 May 2003 10:09:15 -0700 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Note: This is similar to the exploit where it's possible to log on to a
Windows machine as local system by making a copy of cmd.exe and naming
The Cisco VPN client can be configured to start before the Windows log
on in case a user needs to make a VPN connection before logging onto
their domain. To that same effect the Cisco VPN client can also be
configured to load a 3rd party application, like a dialer, to connect to
an ISP. By default these settings are not locked to standard users
because the configuration file responsible for holding these settings
(vpnclient.ini) is installed to a non-restricted path
To log onto their workstation as the local system a standard user would
simply need to configure their Cisco client to start up before windows
log on and launch explorer.exe - this would bring them to the desktop
where they could then do anything the local system could (add themselves
to the local admins group, change file permissions, etc).
Steps to Reproduce:
- Install any 3.x version of the Cisco Systems VPN Client (could be
other versions, but I've only tested using 3.x)
- Open the VPN Dialer.
- Select Options > Windows log on properties
- Make sure all three boxes are selected (you must select the first box
before the second box becomes active)
- Click OK and then go to Options > Properties
- Click on the connections tab and check the box next to 'Connect to the
Internet via dial-up'
- Select the radio button next to 3rd party dial-up application and
enter the full path and file name of explorer.exe (i.e.
- Click OK, Close, and then log out
Note - if your desktop doesn't appear right away and instead you just
get a 'welcome to windows' or 'configure you server' window, then close
them, press ctrl-alt-del, and click connect when the Cisco client opens
- then you will get the full desktop.
Edit the ginadll value located in the registry key
NT\CurrentVersion\Winlogon. Change the valuedata back to msgina.dll
(Cisco client changes it to csgina.dll).
Set the security on the vpnclient.ini file to deny write permission for
standard users (note this will prevent them from being able to import
additional connection entries or configure any options from within the
EXECUTIVE SEMINAR: "Information Security and the Disappearing Perimeter"
Join Peter S. Tippett, PhD, M.D., the industry's foremost authority on
network security, and TruSecure for a free breakfast seminar on "The Impact
of the Disappearing Perimeter." Learn how you can proactively protect your
organization against today's newest threats, including those from remote
users, business partners and wireless. To register, and to view the full
list of dates and cities, click below or call 1-888-396-8348.