=======
Summary

Name: Cisco VPN Client Privilege Escalation
Release Date: 28 June 2011
Reference: NGS00051
Discoverer: Gavin Jones <[email protected]>
Vendor: Cisco
Vendor Reference:
Systems Affected: Cisco VPN client (Windows 64 Bit)
Risk: High
Status: Fixed

========
TimeLine

Discovered: 15 February 2011
Released: 15 February 2011
Approved: 15 February 2011
Reported: 22 February 2011
Fixed: 24 March 2011
Published: 28 June 2011

===========
Description

The 64 Bit Cisco VPN Client for Windows 7 is affected by a local privilege escalation
vulnerability that allows non-privileged users to gain administrative privileges.

=================
Technical Details

Unprivileged users can execute arbitrary programs that run with the privileges of the
LocalSystem account by replacing the Cisco VPN Service executable with arbitrary executables.
This vulnerability exists because the default file permissions assigned during installation to
cvpnd.exe (the executable for the Cisco VPN Service) allow unprivileged, interactive users to
replace cvpnd.exe with any file.

Because the Cisco VPN Service is a Windows service running with LocalSystem privileges,
unprivileged users can easily elevate their privileges.

It is possible to work around this vulnerability without a software upgrade

The permissions applied to the file by default are shown below:

C:\ >cacls "C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe"

C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe

BUILTIN\Users:R
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\INTERACTIVE:F
NT AUTHORITY\SYSTEM:F

===============
Fix Information

An effective workaround for this vulnerability is to revoke access rights for NT
AUTHORITY\INTERACTIVE from cvpnd.exe. For example:

"C:\Program Files (x86)\Cisco Systems\VPN Client>cacls cvpnd.exe /E /R "NT
AUTHORITY\INTERACTIVE"

NGS Secure Research
http://www.ngssecure.com