Cisco Systems VPN Client allows local logon with Elevated Privileges

From: Nick Staff (Nick.Staff_at_FOX.COM)
Date: 05/14/03

  • Next message: Henk van de Kamer: "Windows XP activation"
    Date:         Wed, 14 May 2003 10:09:15 -0700

    Note: This is similar to the exploit where it's possible to log on to a
    Windows machine as local system by making a copy of cmd.exe and naming
    it logon.scr.

    The Cisco VPN client can be configured to start before the Windows log
    on in case a user needs to make a VPN connection before logging onto
    their domain. To that same effect the Cisco VPN client can also be
    configured to load a 3rd party application, like a dialer, to connect to
    an ISP. By default these settings are not locked to standard users
    because the configuration file responsible for holding these settings
    (vpnclient.ini) is installed to a non-restricted path
    (systemdrive%\program files\CiscoVPN).

    To log onto their workstation as the local system a standard user would
    simply need to configure their Cisco client to start up before windows
    log on and launch explorer.exe - this would bring them to the desktop
    where they could then do anything the local system could (add themselves
    to the local admins group, change file permissions, etc).

    Steps to Reproduce:

    - Install any 3.x version of the Cisco Systems VPN Client (could be
    other versions, but I've only tested using 3.x)
    - Open the VPN Dialer.
    - Select Options > Windows log on properties
    - Make sure all three boxes are selected (you must select the first box
    before the second box becomes active)
    - Click OK and then go to Options > Properties
    - Click on the connections tab and check the box next to 'Connect to the
    Internet via dial-up'
    - Select the radio button next to 3rd party dial-up application and
    enter the full path and file name of explorer.exe (i.e.
    - Click OK, Close, and then log out

    Note - if your desktop doesn't appear right away and instead you just
    get a 'welcome to windows' or 'configure you server' window, then close
    them, press ctrl-alt-del, and click connect when the Cisco client opens
    - then you will get the full desktop.


    Edit the ginadll value located in the registry key
    NT\CurrentVersion\Winlogon. Change the valuedata back to msgina.dll
    (Cisco client changes it to csgina.dll).


    Set the security on the vpnclient.ini file to deny write permission for
    standard users (note this will prevent them from being able to import
    additional connection entries or configure any options from within the


    Nick Staff

    EXECUTIVE SEMINAR: "Information Security and the Disappearing Perimeter"

    Join Peter S. Tippett, PhD, M.D., the industry's foremost authority on
    network security, and TruSecure for a free breakfast seminar on "The Impact
    of the Disappearing Perimeter." Learn how you can proactively protect your
    organization against today's newest threats, including those from remote
    users, business partners and wireless. To register, and to view the full
    list of dates and cities, click below or call 1-888-396-8348.


  • Next message: Henk van de Kamer: "Windows XP activation"

    Relevant Pages

    • RE: Printing from Win9x clients stops
      ... Open Server Management. ... then right-click the name of the computer running Windows Small Business ... >From the client computer: ... The Select Network Component Type ...
    • RE: Fax service on W2003Sbs - client dont send fax
      ... follow the steps to Update the Windows Small Business Server ClientApps ... Please paste the full content of the file to the Newsgroup. ... Microsoft CSS Online Newsgroup Support ... >the same day I do a system restore to monday;-) and client can send fax. ...
    • RE: Windows 9X clients?
      ... Windows Server 2003 domain. ... Please install Directory Services Client on these Windows 98 systems. ...
    • Re: Changes in 2005.
      ... The client base I currently have makes transitioning to new technologies ... out over the UK which is Windows 2000 with SP4. ... > VS.NET 2003 does not compile to unmanaged code. ... > the JIT compiler handles the compilation to unmanaged code from IL. ...
    • Re: after installing KB011829 OWA is not working anymore
      ... Based on my research, after you install hotfix KB911829, I suggest we ... Profile WMI Provider to each client computer that is running Windows Vista ... If you are running the Premium Edition of Windows Small Business Server ...