
CVE-2021-1366 PoC — Cisco Anyconnect Secure Mobility Client code issue vulnerability

Source
Associated Vulnerability
Title: Cisco Anyconnect Secure Mobility Client code issue vulnerability (CVE-2021-1366)
Description: Cisco Anyconnect Secure Mobility Client is a VPN client for secure connections made by the US company Cisco. Cisco AnyConnect Secure Mobility Client contains a code issue vulnerability that stems from the network system or product not sufficiently verifying the origin or authenticity of data. An attacker can exploit this using forged data.
Description
Cisco AnyConnect Posture (HostScan) Local Privilege Escalation: CVE-2021-1366
Readme
# CVE-2021-1366
Cisco AnyConnect Posture (HostScan) Local Privilege Escalation: CVE-2021-1366
A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack on an affected device if the VPN Posture (HostScan) Module is installed on the AnyConnect client.\
This POC sends two `priv_file_copy` IPC commands to the Cisco Security Service `ciscod.exe` to copy two DLLs into the `C:\Program Files(x86)\Cisco\Cisco HostScan\bin\` directory. Upon the restart of the Cisco Security Service, `ciscod.exe` loads the malicious `dbghelp.dll` (using DLL proxying).
 
## Prerequisites
* Create a `Cisco\Cisco HostScan` directory in the `%TEMP%` folder
* Create a malicious DLL that will be used for DLL proxying (see [https://itm4n.github.io/dll-proxying/](https://itm4n.github.io/dll-proxying/))
* Name the dll as `dbghelp.dll` and copy it to the folder `%TEMP%\Cisco\Cisco HostScan`
* Copy the Windows original `"C:\Windows\SysWOW64\dbghelp.dll"` to the folder `%TEMP%\Cisco\Cisco HostScan` and rename it to `dbghelp_orig.dll`
* Prepare a process hollowing tool (e.g. [https://github.com/ivkin25/Process-Hollowing](https://github.com/ivkin25/Process-Hollowing))

## Instructions
* Compile this POC
* Run the following command which will perform a process hollowing of `ciscod.exe` and replace it with this POC process that sends the 2 IPC commands
```
ProcessHollowing.exe C:\Program Files(x86)\Cisco\Cisco HostScan\bin\ciscod.exe CVE-2021-1366.exe
```
* 2 DLLs, `dbghelp.dll` and `dbghelp_orig.dll`, should be copied to `C:\Program Files(x86)\Cisco\Cisco HostScan\bin\`
* Restart the service and wait for the malicious DLL to be loaded
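As an added defender-side example (not part of this PoC repository), the check below audits an application directory for the artifact pattern the steps above leave behind: a DLL named after a Windows system DLL placed next to a service binary, together with a `<name>_orig.dll` sibling that DLL proxying forwards exports to. The system-DLL list and the sample directory contents are constructed for the example.

```python
"""Audit an application directory for DLL-proxying / hijacking artifacts.

Added defender-side example, not code from the CVE-2021-1366 PoC. It flags
(a) DLLs whose names collide with Windows system DLLs that should only ever
load from System32/SysWOW64, and (b) the `X.dll` + `X_orig.dll` pair that
DLL proxying produces.
"""
import os
import tempfile

# Constructed short list of Windows-shipped DLL names; a real deployment would
# enumerate the system directory instead of hard-coding names.
SYSTEM_DLLS = {"dbghelp.dll", "version.dll", "cryptbase.dll"}


def audit_dir(path):
    """Return a sorted list of (finding, filename) for suspicious DLLs in path."""
    names = {n.lower() for n in os.listdir(path)}
    findings = []
    for dll in sorted(n for n in names if n.endswith(".dll")):
        stem = dll[:-len(".dll")]
        if dll in SYSTEM_DLLS:
            # A system DLL beside the EXE wins the search order over System32.
            findings.append(("system_dll_in_app_dir", dll))
        if stem.endswith("_orig") and stem[:-len("_orig")] + ".dll" in names:
            # Renamed original next to a same-named DLL: classic proxy layout.
            findings.append(("dll_proxy_pair", dll))
    return findings


def build_sample_dir():
    """Constructed sample mimicking the HostScan bin directory after the PoC ran.

    `example_clean.dll` is a placeholder for a legitimate application DLL.
    """
    d = tempfile.mkdtemp()
    for name in ("ciscod.exe", "dbghelp.dll", "dbghelp_orig.dll", "example_clean.dll"):
        open(os.path.join(d, name), "wb").close()
    return d


if __name__ == "__main__":
    for finding, name in audit_dir(build_sample_dir()):
        print(f"{finding}: {name}")
```

Point `audit_dir` at the real HostScan `bin` directory to run it against a live install; a hit on either finding is worth correlating with the service's last restart time.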

# References
[https://www.coresecurity.com/core-labs/articles/analysis-cisco-anyconnect-posture-hostscan-local-privilege-escalation-cve-2021](https://www.coresecurity.com/core-labs/articles/analysis-cisco-anyconnect-posture-hostscan-local-privilege-escalation-cve-2021)\
[https://www.coresecurity.com/core-labs/advisories/cisco-anyconnect-posture-hostscan-security-service-local-privilege-escalation](https://www.coresecurity.com/core-labs/advisories/cisco-anyconnect-posture-hostscan-security-service-local-privilege-escalation)\
[https://itm4n.github.io/dll-proxying/](https://itm4n.github.io/dll-proxying/)\
[https://github.com/ivkin25/Process-Hollowing](https://github.com/ivkin25/Process-Hollowing)
File Snapshot

```
[4.0K] /data/pocs/bb2971cfe24bf130f247d85b28805ccbd03be5db
├── [4.0K] CVE-2021-1366
│   ├── [4.5K] CVE-2021-1366.cpp
│   ├── [6.5K] CVE-2021-1366.vcxproj
│   ├── [ 986] CVE-2021-1366.vcxproj.filters
│   └── [ 168] CVE-2021-1366.vcxproj.user
├── [1.4K] CVE-2021-1366.sln
└── [2.4K] README.md

1 directory, 6 files
```