
New Exploit Unleashed for Cisco AnyConnect Bug Granting SYSTEM Privileges

Proof-of-concept (PoC) exploit code has been released for a significant vulnerability found in Cisco Secure Client Software for Windows, previously known as AnyConnect Secure Mobility Client. This flaw allows attackers to elevate their privileges to the SYSTEM level. Cisco Secure Client is a VPN software that enables employees to work remotely while ensuring a secure connection and providing network administrators with telemetry and endpoint management capabilities.

The vulnerability, identified as CVE-2023-20178, enables authenticated threat actors to escalate their privileges to the SYSTEM account without requiring complex attacks or user interaction. Exploiting this flaw involves manipulating a specific function within the Windows installer process.

To address this security issue, Cisco issued security updates on the previous Tuesday. The company's Product Security Incident Response Team (PSIRT) stated that there was no evidence of any malicious activities or public exploit code targeting the vulnerability at that time.

The fix for CVE-2023-20178 was included in the release of AnyConnect Secure Mobility Client for Windows 4.10MR7 and Cisco Secure Client for Windows 5.0MR2.

Security researcher Filip Dragović recently discovered the arbitrary file delete vulnerability and reported it to Cisco. This week, Dragović published PoC exploit code, which was tested against Cisco Secure Client (version 5.0.01242) and Cisco AnyConnect (version 4.10.06079).

Dragović explains that when a user establishes a VPN connection, the vpndownloader.exe process starts in the background and creates a directory named "<random numbers>.tmp" under c:\windows\temp. Because of the default permissions on that directory, an attacker can abuse this behavior to delete arbitrary files as NT AUTHORITY\SYSTEM.

The attacker can then combine this Windows installer behavior with the fact that a client update process runs after each successful VPN connection to spawn a SYSTEM shell, completing the privilege escalation. Dragović describes the privilege-escalation technique in detail.
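The root of the primitive described above is a directory under c:\windows\temp that a SYSTEM process creates with permissions broad enough for an ordinary user to place content in it. The following audit script is an added example, not Cisco's or the researcher's code: it parses the text that `icacls <path>` prints on Windows and flags any directory under C:\Windows\Temp whose ACL grants write-class rights to a broad principal such as BUILTIN\Users. The sample output embedded in it is constructed for the example, not captured from a real host.

```python
"""Flag temp directories whose ACL lets ordinary users write into them.

Added example, not Cisco's or the researcher's code. It parses the text that
`icacls <path>` prints on Windows and reports any directory under
C:\\Windows\\Temp that grants write-class rights to a broad principal such as
BUILTIN\\Users. The sample output below is constructed for the example.
"""
import re

# Principals that effectively mean "any logged-on user".
BROAD_PRINCIPALS = {
    "BUILTIN\\Users",
    "NT AUTHORITY\\Authenticated Users",
    "Everyone",
}

# icacls simple rights and specific rights that allow creating, changing or
# deleting content: F full, M modify, W write, D delete, WD write data / add
# file, AD append data / add subdirectory, DC delete child, WDAC write DAC,
# WO write owner.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "DC", "WDAC", "WO"}

# First line for an object: "<path> <principal>:<perms>"; further ACEs for the
# same object are printed on indented continuation lines.
FIRST_RE = re.compile(r"^(?P<path>\S.*?) (?P<principal>[^:]+):(?P<perms>\(.*\))\s*$")
CONT_RE = re.compile(r"^\s+(?P<principal>[^:]+):(?P<perms>\(.*\))\s*$")

# Constructed sample output, not captured from a real host.
SAMPLE_ICACLS_OUTPUT = r"""C:\Windows\Temp\4172.tmp NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                         BUILTIN\Administrators:(OI)(CI)(F)
                         BUILTIN\Users:(OI)(CI)(F)

C:\Windows\Temp\9051.tmp NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                         BUILTIN\Administrators:(OI)(CI)(F)
                         BUILTIN\Users:(OI)(CI)(RX)

C:\Windows\Temp\6630.tmp NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                         NT AUTHORITY\Authenticated Users:(OI)(CI)(Rc,S,RD,WD,AD,REA,WEA,X,DC,RA,WA)

Successfully processed 3 files; Failed processing 0 files
"""


def parse_rights(perms):
    """Split "(OI)(CI)(Rc,S,WD)" into ["OI", "CI", "Rc", "S", "WD"]."""
    tokens = []
    for group in re.findall(r"\(([^)]*)\)", perms):
        tokens.extend(t.strip() for t in group.split(","))
    return tokens


def parse_icacls(text):
    """Return {path: [(principal, [rights, ...]), ...]} from icacls output."""
    acls = {}
    path = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Successfully processed"):
            continue
        if line[0].isspace():
            match = CONT_RE.match(line)
            if match is None or path is None:
                raise ValueError(f"unexpected continuation line: {line!r}")
        else:
            match = FIRST_RE.match(line)
            if match is None:
                raise ValueError(f"unparseable icacls line: {line!r}")
            path = match.group("path")
            acls[path] = []
        acls[path].append((match.group("principal").strip(),
                           parse_rights(match.group("perms"))))
    return acls


def find_broad_write_access(acls, root="C:\\Windows\\Temp\\"):
    """List (path, principal, rights) where a broad principal can write under root."""
    findings = []
    for path, aces in acls.items():
        if not path.lower().startswith(root.lower()):
            continue
        for principal, rights in aces:
            if principal not in BROAD_PRINCIPALS or "DENY" in rights:
                continue  # only allow-ACEs for broad principals matter here
            offending = sorted(set(rights) & WRITE_RIGHTS)
            if offending:
                findings.append((path, principal, offending))
    return findings


if __name__ == "__main__":
    for found_path, principal, rights in find_broad_write_access(parse_icacls(SAMPLE_ICACLS_OUTPUT)):
        print(f"{found_path}: {principal} has {','.join(rights)}")
```

On a real host, feed it the output of `icacls C:\Windows\Temp\*.tmp` collected while a VPN session is being established. An allow ACE giving BUILTIN\Users or Authenticated Users F, M or WD on such a directory is exactly the condition that lets an unprivileged user plant content where a SYSTEM process later operates; the parser treats paths containing spaces as ambiguous, so restrict it to the temp directory as shown.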

It's worth noting that in October, Cisco urged customers to patch two additional AnyConnect security flaws, fixed three years earlier and with public exploit code available, because they were being actively exploited. Furthermore, in May 2021, Cisco patched an AnyConnect zero-day vulnerability with public exploit code, following its initial disclosure in November 2020.

PoC Published for Windows Win32k Flaw Exploited in Assaults

 

Researchers have published a proof-of-concept (PoC) exploit for a Windows local privilege escalation vulnerability that was patched as part of the May 2023 Patch Tuesday updates.

The Win32k subsystem (the Win32k.sys kernel driver) implements the operating system's window manager, handles screen output, input and graphics, and serves as an interface for various kinds of input hardware. Vulnerabilities in it are frequently exploited because they usually yield elevated privileges or code execution.

Cybersecurity firm Avast first identified the flaw, which is tracked as CVE-2023-29336. It received a CVSS v3.1 severity score of 7.8 because it allows low-privileged users to obtain Windows SYSTEM privileges, the highest user-mode privileges in Windows.

CISA also issued an alert and added the flaw to its "Known Exploited Vulnerabilities" catalog to warn of the active exploitation and of the importance of installing the Windows security updates.

Security researchers at Web3 cybersecurity company Numen have now published comprehensive technical details of the CVE-2023-29336 bug and a proof-of-concept exploit for Windows Server 2016, exactly one month after the patch became available.

Re-discovering the vulnerability 

Although the flaw is being actively exploited against older Windows versions, including Windows 8, Windows Server and earlier builds of Windows 10, Microsoft says Windows 11 is not affected.

"While this vulnerability seems to be non-exploitable on the Win11 system version, it poses a significant risk to earlier systems," Numen explained in their report. "Exploitation of such vulnerabilities has a notorious track record, and in this in-depth analysis, we delve into the methods employed by threat actors to exploit this specific vulnerability, taking into account evolving mitigation measures."

According to Numen's researchers, who examined the vulnerability on Windows Server 2016, Win32k locks only the window object and fails to lock the nested menu object.

This oversight, which the researchers attribute to outdated code being carried over into newer Win32k versions, leaves menu objects open to manipulation or hijacking if an attacker can change a specific address in system memory.

Even though this first step does not by itself give attackers admin-level rights, it is a useful stepping stone toward obtaining them in the following steps. Controlling the menu object means gaining the same level of access as the program that created it. Overall, CVE-2023-29336 is not extremely difficult to exploit.

"Apart from diligently exploring different methods to gain control over the first write operation using the reoccupied data from freed memory, there is typically no need for novel exploitation techniques," the report further reads. "This type of vulnerability heavily relies on leaked desktop heap handle addresses […], and if this issue is not thoroughly addressed, it remains a security risk for older systems."

According to Numen, system administrators should watch for unusual offset reads and writes in memory, or ones connected to window objects, as these could indicate active exploitation of CVE-2023-29336 for privilege escalation.

All Windows users are advised to apply the May 2023 patch, which also corrected two other actively exploited zero-day vulnerabilities in addition to this issue.

Critical CryptoAPI Spoofing Flaw in Windows PoC Exploit Released

 

Proof-of-concept (PoC) code has been released for a high-severity security vulnerability in the Windows CryptoAPI that the U.S. National Security Agency (NSA) and the U.K. National Cyber Security Centre (NCSC) reported to Microsoft last year.

Microsoft fixed the CVE-2022-34689 spoofing vulnerability, which has a CVSS score of 7.5, as part of the Patch Tuesday updates delivered in August 2022, although it was not made public until October 11, 2022.

In the advisory released at the time, Microsoft warned that "an attacker might alter an existing public x.509 certificate to impersonate their identity and conduct actions such as authentication or code signing as the targeted certificate."

The Windows CryptoAPI provides an interface for programmers to integrate cryptographic services, such as data encryption and decryption and digital certificate authentication, into their programmes.

According to web security firm Akamai, which published the proof-of-concept, CVE-2022-34689 was caused by a vulnerable piece of code intended to accept an x.509 certificate that performed a check based only on the certificate's MD5 fingerprint.

MD5, a message-digest algorithm used for hashing, has been considered practically broken since December 2008, when birthday attacks (a cryptanalytic technique for finding collisions in a hash function) were shown to be feasible against it.

A bad actor could exploit this flaw by presenting a modified version of a genuine certificate to a victim application, then constructing a new certificate whose MD5 hash collides with that of the modified certificate, and using it to pose as the original entity.

In other words, the vulnerability could be exploited by a malicious third party to launch a mallory-in-the-middle (MitM) attack and reroute users using an outdated version of Google Chrome (version 48 and earlier) to any website of the attacker's choosing simply because the vulnerable web browser trusts the malicious certificate. 
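The pattern Akamai describes, a verification result reused for any later certificate whose MD5 fingerprint matches, is worth seeing next to the hardened form. The following is an added example, not Akamai's or Microsoft's code: `FingerprintOnlyCache` models the flawed check and `FullMatchCache` the fix (a strong hash as the index plus a comparison of the full certificate bytes on every hit). So that the flaw is observable offline, the weak fingerprint is a constructed 16-bit truncation of MD5, which lets a second blob with the same fingerprint be found by brute force in well under a second; the "certificates" are constructed byte strings, not real DER certificates.

```python
"""Why a certificate check keyed on a weak fingerprint alone is unsafe.

Added example, not Akamai's or Microsoft's code. The weak fingerprint is a
constructed 16-bit truncation of MD5 so that a colliding blob can be found
quickly; the certificates are constructed byte strings, not real DER.
"""
import hashlib
import hmac


def weak_fingerprint(cert: bytes) -> bytes:
    """Constructed stand-in for the MD5 fingerprint: only 16 bits survive."""
    return hashlib.md5(cert).digest()[:2]


def strong_fingerprint(cert: bytes) -> bytes:
    return hashlib.sha256(cert).digest()


class FingerprintOnlyCache:
    """Flawed pattern: any later certificate whose weak fingerprint matches a
    previously verified one is treated as already verified."""

    def __init__(self):
        self._verified = set()

    def remember(self, cert: bytes) -> None:
        self._verified.add(weak_fingerprint(cert))

    def is_verified(self, cert: bytes) -> bool:
        return weak_fingerprint(cert) in self._verified


class FullMatchCache:
    """Hardened pattern: a strong hash as the index, and the stored certificate
    bytes compared with the presented bytes before the cached result is used."""

    def __init__(self):
        self._verified = {}

    def remember(self, cert: bytes) -> None:
        self._verified[strong_fingerprint(cert)] = bytes(cert)

    def is_verified(self, cert: bytes) -> bool:
        stored = self._verified.get(strong_fingerprint(cert))
        return stored is not None and hmac.compare_digest(stored, cert)


def find_second_blob(target: bytes, prefix: bytes = b"FORGED:") -> bytes:
    """Find a different blob with the same weak fingerprint as `target`.

    With a 16-bit fingerprint this takes about 65,536 hashes. Against real
    MD5 a second preimage like this is not practical; what is practical is a
    collision between two certificates crafted together, which this search
    stands in for.
    """
    want = weak_fingerprint(target)
    counter = 0
    while True:
        candidate = prefix + counter.to_bytes(4, "big")
        if candidate != target and weak_fingerprint(candidate) == want:
            return candidate
        counter += 1


def run_demo() -> dict:
    """Verify a genuine certificate once, then present a colliding blob to both caches."""
    genuine = b"GENUINE:CN=example.com"  # constructed stand-in for a trusted certificate
    forged = find_second_blob(genuine)
    weak, strong = FingerprintOnlyCache(), FullMatchCache()
    weak.remember(genuine)
    strong.remember(genuine)
    return {
        "fingerprints_collide": weak_fingerprint(genuine) == weak_fingerprint(forged),
        "weak_accepts_forged": weak.is_verified(forged),
        "strong_accepts_forged": strong.is_verified(forged),
        "strong_accepts_genuine": strong.is_verified(genuine),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The design point is that the index hash and the identity check are separate concerns: even a strong hash as the index is only an optimisation, and the cached decision should be applied only after the full bytes are compared, so that a collision in the index can never be converted into trust.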

"Certificates play a major role in identity verification online, making this vulnerability lucrative for attackers," Akamai stated.

The Massachusetts-based company noted that despite the flaw's limited reach, "there is still a lot of code that utilises this API and might be susceptible to this vulnerability, warranting a patch even for discontinued versions of Windows, like Windows 7."

A New LPE Zero-day Vulnerability Affected All Windows Versions

 

A security researcher has disclosed technical details of a zero-day privilege elevation vulnerability in Windows, along with a public proof-of-concept (PoC) exploit that grants SYSTEM privileges under certain conditions.

The good news is that the exploit requires the threat actor to know another user's username and password in order to trigger the vulnerability, so it is unlikely to be widely used in attacks. The bad news is that it affects all versions of Windows, including Windows 10, Windows 11 and Windows Server 2022.

In August, Microsoft released a security patch for a "Windows User Profile Service Elevation of Privilege Vulnerability", tracked as CVE-2021-34484, that was reported by security researcher Abdelhamid Naceri. After examining the fix, Naceri found that it was insufficient and was able to bypass it with a new exploit, which he disclosed on GitHub.

Naceri explained in a technical writeup about the vulnerability and the new bypass, "Technically, in the previous report CVE-2021-34484. I described a bug where you can abuse the user profile service to create a second junction. But as I see from the ZDI advisory and Microsoft patch, the bug was metered as an arbitrary directory deletion bug. Microsoft didn't patch what was provided in the report but the impact of the PoC. Since the PoC I wrote before was horrible, it could only reproduce a directory deletion bug."

According to Naceri, because Microsoft fixed only the symptom described in his bug report and not the root cause, he was able to rewrite his exploit to create a junction elsewhere and still achieve privilege elevation. The exploit opens an elevated command prompt with SYSTEM privileges while the User Account Control (UAC) prompt is displayed.
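The bug class behind both the original report and the bypass is a privileged service deleting a directory whose layout a lower-privileged user controls: if the service follows a junction placed inside that directory, the deletion lands on whatever the junction points to. The following is an added example, not Microsoft's or the researcher's code, showing the vulnerable deletion pattern beside a hardened one. `naive_rmtree` trusts `os.path.isdir`, which follows links; `safe_rmtree` `lstat()`s every entry, removes a link object without descending into it, and refuses to start on a link at all. The scenario uses constructed files in a temporary directory and a symlink as the stand-in for an NTFS junction, so it also runs on Linux or macOS.

```python
"""Delete a directory tree without following junctions or symlinks.

Added example, not Microsoft's or the researcher's code. A symlink stands in
for an NTFS junction so the scenario runs on any OS; on Windows the
reparse-point attribute check below also covers real junctions.
"""
import os
import shutil
import stat
import tempfile
from pathlib import Path


def is_reparse_or_link(path) -> bool:
    """True for a symlink on any OS, or an NTFS reparse point (junction) on Windows."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))


def naive_rmtree(root) -> None:
    """Vulnerable: isdir() follows links, so the recursion walks into the link target."""
    for name in os.listdir(root):
        p = os.path.join(root, name)
        if os.path.isdir(p):
            naive_rmtree(p)
        else:
            os.unlink(p)
    os.rmdir(root)


def _remove_link(path) -> None:
    # A link to a directory is removed with unlink on POSIX but needs rmdir on Windows.
    try:
        os.unlink(path)
    except (IsADirectoryError, PermissionError):
        os.rmdir(path)


def safe_rmtree(root) -> None:
    """Hardened: never descend through a link or junction, and refuse one as the root."""
    root = os.fspath(root)
    if is_reparse_or_link(root):
        raise PermissionError(f"refusing to delete through a link or junction: {root}")
    with os.scandir(root) as it:
        entries = list(it)
    for entry in entries:
        if is_reparse_or_link(entry.path):
            _remove_link(entry.path)  # drop the link object itself, never its target
        elif entry.is_dir(follow_symlinks=False):
            safe_rmtree(entry.path)
        else:
            os.unlink(entry.path)
    os.rmdir(root)


def _build_layout(base: Path, name: str):
    """Constructed layout: victim/keep.txt must survive; target/ holds a link to victim."""
    victim = base / f"victim_{name}"
    victim.mkdir()
    (victim / "keep.txt").write_text("must survive")
    target = base / f"target_{name}"
    (target / "sub").mkdir(parents=True)
    (target / "sub" / "junk.txt").write_text("disposable")
    os.symlink(victim, target / "evil", target_is_directory=True)  # stand-in for a junction
    return victim, target


def run_scenario() -> dict:
    """Run both routines against the constructed layout and report what each did."""
    base = Path(tempfile.mkdtemp(prefix="junction-demo-"))
    try:
        victim_a, target_a = _build_layout(base, "naive")
        try:
            naive_rmtree(target_a)
        except OSError:
            pass  # the naive routine trips over the link only after following it
        victim_b, target_b = _build_layout(base, "safe")
        safe_rmtree(target_b)
        root_link = base / "root_link"
        os.symlink(victim_b, root_link, target_is_directory=True)
        try:
            safe_rmtree(root_link)
            refused = False
        except PermissionError:
            refused = True
        return {
            "naive_deleted_victim_file": not (victim_a / "keep.txt").exists(),
            "safe_removed_target": not target_b.exists(),
            "safe_kept_victim_file": (victim_b / "keep.txt").exists(),
            "safe_refused_link_root": refused,
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The check-then-delete sequence still leaves a window in which a link could be swapped in between the `lstat()` and the removal, so on Windows the sturdier fix for a service like this is to perform the deletion under the requesting user's own token (impersonation) or through handle-based deletion, so that the privileged process can never remove anything the user could not remove themselves.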

Will Dormann, a vulnerability analyst at CERT/CC, tested the exploit and found that, while it worked, it was temperamental and did not always produce the elevated command prompt.

Dormann told BleepingComputer, "Definitely still a problem. And there may be scenarios where it can be abused. But the 2 account requirement probably puts it in the boat of NOT being something that will have widespread use in the wild." 

However, Naceri told BleepingComputer that, since a threat actor essentially only needs another domain account to exploit the vulnerability, it is still a cause for concern.

A Microsoft spokesperson stated, “We are aware of the report and will take appropriate action to keep customers protected.”