Cisco AnyConnect Posture (HostScan) Security Service CVE-2021-1366 Bypass

1. Advisory Information

Title: Cisco AnyConnect Posture (HostScan) Security Service CVE-2021-1366 Bypass
Advisory ID: CORE-2021-0002
Advisory URL:  https://www.coresecurity.com/core-labs/advisories/cisco-anyconnect-posture-hostscan-security-service-bypass
Date published: 2021-06-16
Date of last update: 2021-06-16
Vendors contacted: Cisco
Release mode: Coordinated release

2. Vulnerability Information

Class: Time-of-check Time-of-use (TOCTOU) Race Condition [CWE-367]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2021-1567

3. Vulnerability Description

Cisco is a multi-national conglomerate that develops, manufactures, and sells networking hardware, software, telecommunications equipment, and other high-technology services and products. Their product, the Cisco AnyConnect Secure Mobility Client, is a VPN that provides security for remote workers.

The AnyConnect Posture Module uses the HostScan application to enable the AnyConnect Secure Mobility Client to identify the operating system, antivirus, anti-spyware, and firewall software installed on the host. Posture assessment requires HostScan to be installed on the host.[1]

A vulnerability was found in Cisco AnyConnect Posture which allows an authenticated local user to elevate privileges and execute any application under the SYSTEM account. This can be achieved by using a Time-of-check Time-of-use (TOCTOU) Race Condition.

4. Vulnerable Packages

  • AnyConnect Posture 4.10.00093 for Windows (web and pre deployments installers).
  • AnyConnect Posture 4.9.06037 for Windows (web and pre deployments installers).
  • AnyConnect Posture 4.9.05042 for Windows (web and pre deployments installers).
  • Other products and versions might be affected but have not yet been tested.

5. Vendor Information, Solutions, and Workarounds

 Cisco has released a new version, AnyConnect 4.10.01075, which solves the reported issues.

6. Credits

This vulnerability was discovered and researched by Marcos Accossatto from the Core Security Exploit Writing Team. The publication of this advisory was coordinated by Pablo A. Zurro from the CoreLabs Advisories Team.

7. Technical Description / Proof of Concept Code

7.1 Time-of-check Time-of-use (TOCTOU) Race Condition

The Cisco Security Service Windows service of AnyConnect Posture (ciscod.exe) listens on localhost (127.0.0.1) port 1023. The service implements its own IPC (Inter Process Communication) mechanism, accepting commands given in a certain packet format.[2]

As a starting point, an attacker would exploit CVE-2021-1366, performing the following steps:

  1. Check if the libhostscan.dll library is present in the lib directory of Cisco HostScan. Specifically, the directory path should be:       %ProgramFiles(x86)%\Cisco\Cisco HostScan\lib

    If the library is not present there, then look for it in the Secure Mobility Client directory:

    %ProgramFiles(x86)%\Cisco\Cisco AnyConnect Secure Mobility Client\Posture

  2. Start the service’s executable file (ciscod.exe) in a suspended state.
  3. Perform a process hollowing of the suspended process and replace it with a process that sends the following three commands to 127.0.0.1:1023:
    1. A priv_file_copy command that will copy the libhostscan.dll library to the lib directory of Cisco HostScan (If the library already exists, it will be overwritten). Perform a recv of size 0x2E28 (11816) bytes.
    2. A second priv_file_copy command that will copy an attacker-controlled DLL to the lib directory of Cisco HostScan (The DLL must be placed inside a \Cisco\Cisco HostScan directory). The DLL must be named IPHLPAPI.DLL and it must export all the same functions as the original system DLL. Perform a recv of size 0x2E28 bytes.
    3. A priv_get_device_id command. A final recv of size 0x2E28 bytes can be performed, but it is not required.
  4. Resume the main thread of the replaced process.

Cisco’s fix for CVE-2021-1366 enforced digital signature verification in the priv_file_copy command. Once implemented, you should not be able to use it to copy files that are not digitally signed by Cisco.

However, a problem arises in the timeframe between the file’s signature verification and its copy time. An attacker can perform a race copy between a digitally signed library and one that is not signed into the location of the file that will be passed to the priv_file_copy command.

Once the race is won, the local privilege escalation can be triggered in the same way it is with CVE-2021-1366.

To exploit this vulnerability, an attacker must do the following:

  1. Copy the libhostscan.dll library into an attacker-controlled directory. Keep in mind that the directory name must end with \Cisco\Cisco HostScan. For example, the directory could be %TMP%\Cisco\Cisco HostScan.
  2. Copy a malicious library (i.e., IPHLPAPI1.DLL) into the same directory. This library will be loaded by the OS so it must export all the same functions as the original IPHLPAPI.DLL system DLL.
  3. Start an infinite copy of the libhostscan.dll library and the IPHLPAPI1.DLL library as the IPHLPAPI.DLL library inside the attacker-controlled directory.
  4. Start the service’s executable file (ciscod.exe) in a suspended state.
  5. Perform a process hollowing of the suspended process and replace it with a process that completes the following steps:
    1. Send a priv_file_copy command that will copy the libhostscan.dll library from the attacker-controlled directory to the %ProgramFiles(x86)%\Cisco\Cisco HostScan\lib directory of Cisco HostScan (If the library already exists, it will be overwritten). Perform a recv of size 0x2E28 bytes. This step can be skipped, since the library is always present in the destination directory starting from AnyConnect Posture version 4.9.05042.
    2. Start a loop that will send a priv_file_copy command which will copy the IPHLPAPI.DLL library from the attacker-controlled directory to the %ProgramFiles(x86)%\Cisco\Cisco HostScan\lib directory of Cisco HostScan. Perform a recv of size 0x2E28 bytes after each command. The loop should end when the copied library file is the same as the attacker controlled IPHLPAPI1.DLL library. This can be performed by using the MapFileAndCheckSum function or a hash function.
    3. Send a priv_get_device_id command to trigger the loading of libhostscan.dll (and thus of the IPHLPAPI.DLL library). A final recv of size 0x2E28 bytes can then be performed, but it is not required.
  6. Resume the main thread of the replaced process.
  7. End the infinite copying initiated in step 3.

8. Report Timeline

2021-02-23 – Vulnerability is discovered by Core Labs.

2021-02-26 – First contact is made with Cisco to report the vulnerability.

2021-03-04 – PoC is sent to Cisco.

2021-04-27 – Cisco estimates the release of a fix will be included in version 4.10 at the end of May and the disclosure for mid-June.

2021-05-20 – Cisco releases the fix in version 4.10.01075.

2021-06-02 – CVE code (CVE-2021-1567) and disclosure date (2021-06-16) are provided by Cisco.

2021-06-16 – Coordinated advisory is released.[3]

9. References

[1] https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/vpn/asa-96-vpn-config/vpn-hostscan.pdf

[2] https://www.coresecurity.com/core-labs/advisories/cisco-anyconnect-posture-hostscan-security-service-local-privilege-escalation

[3] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-pos-dll-ff8j6dFv

10. About CoreLabs

CoreLabs, the research center of Core Security, by HelpSystems is charged with researching and understanding security trends as well as anticipating the future requirements of information security technologies. CoreLabs studies cybersecurity trends, focusing on problem formalization, identification of vulnerabilities, novel solutions, and prototypes for new technologies. The team is comprised of seasoned researchers who regularly discover and discloses vulnerabilities, informing product owners in order to ensure a fix can be released efficiently, and that customers are informed as soon as possible. CoreLabs regularly publishes security advisories, technical papers, project information, and shared software tools for public use at https://www.coresecurity.com/core-labs

11. About Core Security

Core Security, by HelpSystems, provides organizations with critical, actionable insight about who, how, and what is vulnerable in their IT environment. With our layered security approach and robust threat-aware, identity & access, network security, and vulnerability management solutions, security teams can efficiently manage security risks across the enterprise. Learn more at www.coresecurity.com.

Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or [email protected].

12. Disclaimer

The contents of this advisory are copyright (c) 2021 Core Security and (c) 2021 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License:  http://creativecommons.org/licenses/by-nc-sa/3.0/us/