Cisco VPN Client can be used to gain local administrator rights (All Versions, patched or otherwise)

From: Nick Staff (Nick.Staff_at_FOX.COM)
Date: 05/22/03

  • Next message: Sharad Ahlawat: "Re: Cisco VPN Client can be used to gain local administrator rights (All Versions, patched or otherwise)" 
    Date:         Thu, 22 May 2003 11:54:54 -0700
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    First, before getting into this exploit I think it's only fair to say
    that my last post, "Cisco Systems VPN Client allows local logon with
    Elevated Privileges" was as Cisco's representative Sharad Ahlawat said,
    outdated and already addressed (see following link):

    http://www.cisco.com/warp/public/707/vpnclient-multiple2-vuln-pub.shtml

    That said, I was sufficiently enough embarrassed to see if I could get
    around their patched client, and here's how to do it:

    - Log on as a standard user.
    - Browse to the C:\winnt directory, right click on explorer.exe and
    choose copy.
    - Browse to C:\Program Files\Cisco Systems\VPN Client (the directory
    with ipsecdialer.exe) and paste a copy of explorer.exe into the folder.
    - Double click on ipsecdialer.exe and select options > Windows logon
    properties.
    - Click on the first box to "enable start before log on".
    - Click OK and Close.
    - Rename ipsecdialer.exe to ipsecdialer.ex_
    - Rename the copy of explorer.exe to ipsecdialer.exe
    - Close any open windows.
    - log out.
    - log back on as the same standard user.
    - Click okay on any error messages that appear.
    - DO NOT CLOSE THE EXPLORER WINDOW THAT IS OPEN.
    - At this point you may see your desktop or you may not (have had it
    happen both ways), but whatever the case, that Explorer window is open
    as local system and anything else you see is opened as the standard
    user.
    - In the open explorer window press the Up folder icon until you get to
    My computer.
    - Double click on Control Panel, then Administrative Tools, then
    Computer Management
    - Expand Local Users and Groups and add your Standard User account to
    the Local Administrators Group.

    The following steps are provided to return your machine to it's previous
    state (i.e. logging in without the client launching explorer)

    - Navigate to C:\Program Files\Cisco Systems\VPN Client and open the
    vpnclient.ini file
    - set runatlogon=0
    - Save the file and restart the machine (Ctrl-Alt-Del if no Start
    button)

    And to Verify the Changes took...

    Log on as the Standard user and do whatever you want.

    Cisco has been notified about this issue and has acknowledged it, but
    since asking for a week to test it further I have not heard from them
    again.

    Possible Issue/Workaround

    I can't code, but it would seem the file at fault is csgina.dll which is
    Cisco's replacement Gina that's installed automatically (and I assume is
    what allows the explorer window to be launched in the system process).
    Also, this exploit would be harder if not impossible were Cisco to
    secure their install folder, but unfortunately even if I have
    permissions set on the Program Files folder to only allow Users Read
    access the Cisco install creates a subfolder which grants the
    Interactive user Modify permissions. I think they do this because the
    program constantly re-encrypts the group authentication key which is
    stored in a text file in that directory.

    This has been Verified on Windows 2000 with SP3 and Windows 2003 Server
    with the newest version of the Cisco VPN client (as well as older
    versions too).

    Thanks,

    Nick Staff

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    Delivery co-sponsored by TruSecure
    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    FREE 14-DAY TRIAL of New Threat & Vulnerability Notification Service

    TruSecure's new IntelliShield(tm) web-based threat and vulnerability
    service isn't your typical alert service. Supported by TruSecure's vast
    intelligence resources - including the ICSA Labs - IntelliShield's early
    warning, analysis, decision support, and threat management tools provide
    organizations with unmatched intelligence to better protect critical
    information assets. Experience it for yourself - just click below to begin
    your FREE, NO OBLIGATION 14-day trial today!

    http://www.trusecure.com/offer/s0074/

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

  • Next message: Sharad Ahlawat: "Re: Cisco VPN Client can be used to gain local administrator rights (All Versions, patched or otherwise)"