Cisco AnyConnect Posture (HostScan) Security Service Multiple Vulnerabilities

1. Advisory Information 

Title: Cisco AnyConnect Posture (HostScan) Security Service Multiple Vulnerabilities 
Advisory ID: CORE-2021-0001 
Advisory URL:https://www.coresecurity.com/core-labs/advisories/cisco-anyconnect-posture-hostscan-security-service-local-privilege-escalation  
Date published: 2021-02-17 
Date of last update: 2020-02-17 
Vendors contacted:Cisco 
Release mode: Coordinated release

2. Vulnerability Information 

Class: Improper Access Control [CWE-284], Uncontrolled Search Path Element [CWE-427
Impact: Code execution 
Remotely Exploitable: No 
Locally Exploitable: Yes 
CVE Name:CVE-2021-1366 

3. Vulnerability Description 

Cisco is a multi-national conglomerate that develops, manufactures and sells networking hardware, software, telecommunications equipment and other high-technology services and products. Their product, the Cisco AnyConnect Secure Mobility Client, is a VPN that provides security for remote workers.

The AnyConnect Posture Module uses the HostScan application to enable the AnyConnect Secure Mobility Client to identify the operating system, antivirus, anti-spyware, and firewall software installed on the host. Posture assessment requires HostScan to be installed on the host.[1] 

Multiple vulnerabilities were found in Cisco AnyConnect Posture. These vulnerabilities allow an authenticated local user to elevate privileges and execute any application under the SYSTEM account. This can be achieved in several ways due to the nature of the vulnerabilities. 

4. Vulnerable Packages 

  • AnyConnect Posture 4.9.01095 for Windows (web and pre deployments installers). 
  • Other products and versions might be affected but have not yet been tested. 

5. Vendor Information, Solutions, and Workarounds 

Cisco has released a new version, AnyConnect 4.9.05042, which fixes the reported issues.

6. Credits 

This vulnerability was discovered and researched by Marcos Accossatto from the Core Security Exploit Writing Team. The publication of this advisory was coordinated by Pablo A. Zurro from the CoreLabs Advisories Team.

7. Technical Description / Proof of Concept Code 

7.1 Improper Access Control 

The Cisco Security Service Windows service of AnyConnect Posture (ciscod.exe) listens on localhost (127.0.0.1) port 1023, waiting for local peers connections. 

Once a local peer connects, the executable file corresponding to the local client’s PID (Process ID) is located by using the GetExtendedTcpTable function from the Iphlpapi.dll library. After that, the connecting process is checked to verify that it is signed by “Cisco Systems, Inc.”. 

If the signature check is correct, then the command is processed. The analysis of the process_ipc_message function shows that this function checks if the first DWORD (4 bytes) of the packet has the 0x2E24 (11812) value. This value is then interpreted as the total length of the following data. So, the size of a command packet is always 0x2E28 (11816) bytes. 

Then, the following DWORD is taken from the packet and compared with the list of available commands: 

  • priv_file_copy (opcode 0x20) 
  • priv_file_rename (opcode 0x23) 
  • priv_file_make_executable (opcode 0x22) 
  • priv_dir_create (opcode 0x21) 
  • priv_enable_firewall (opcode 0x31) 
  • priv_disable_firewall (opcode 0x32) 
  • priv_add_firewall_rule (opcode 0x33) 
  • priv_get_firewall_status (opcode 0x34) 
  • priv_enable_antimalware (opcode 0x40) 
  • priv_update_antimalware (opcode 0x41) 
  • priv_check_rtp_antimalware (opcode 0x42) 
  • priv_get_def_date_antimalware (opcode 0x43) 
  • priv_get_version_antimalware (opcode 0x44) 
  • priv_proc_path (opcode 0x50) 
  • priv_get_device_id (opcode 0x60) 

The command priv_file_copy can copy a file from any location to a subdirectory within the %ProgramFiles(x86)%\Cisco\Cisco HostScan directory. The function checks for directory traversal (“..”) so it is not possible to escape that directory. Also, the source file must be inside a \Cisco\Cisco HostScan directory. 

Since the previous command can copy any file to any directory inside %ProgramFiles(x86)%\Cisco\Cisco HostScan, an attacker could copy a library to the \bin directory. When the service is started, that library can be loaded and executed (DLL Hijacking). There are several library names that can be used, one example being Dbghelp.dll. 

The digital signature check can be bypassed by running a signed executable by Cisco in a suspended state. Then performing a Process Hollowing by replacing the original code with the attacker’s code, will allow the attacker to send any of the described commands.

This means a local attacker can escalate privileges. The following proof of concept demonstrates the vulnerability: 

  1. Start an executable signed by “Cisco Systems, Inc.” in a suspended state. The service’s executable file (ciscod.exe) is a good candidate for this. 
  1. Perform a process hollowing of the signed process and replace it with a process in order to send a priv_file_copy command message (to 127.0.0.1:1023). The command should be created so it will perform the copy of an attacker-controlled DLL to the bin directory of Cisco HostScan (the directory where ciscod.exe is located). 
  1. Resume the main thread of the process hollowing.  
  1. Restart the machine. 

The structure of the packet for the priv_file_copy command is: 

struct priv_file_copy_packet { 
    DWORD packetLen; // Must be 0x2E24 - Big Endian 
    DWORD opcode; // Must be 0x20 - Little Endian 
    DWORD padding; // Anything 
    BYTE source[1024]; // Null terminated string with the full path to source file. 
    Must be inside a \Cisco\Cisco HostScan directory 
    BYTE destination[10780]; // Null terminated string with the full path to destination file. 
    Must point inside of %ProgramFiles(x86)%\Cisco\Cisco HostScan directory 
}; 

As an example, if the attacker’s DLL is located in C:\Users\McFly\AppData\Local\Temp\Cisco\Cisco HostScan\MyDLL.dll (the DLL must be inside a \Cisco\Cisco HostScan subdirectory) and the attack is performed on a Windows 64-bit Operating System, then the packet will have the following structure:

Image
Windows 64-bit Operating System packet structure

7.2 Uncontrolled Search Path Element 

The libhostscan.dll library is vulnerable to DLL Hijacking (or Binary Planting). The library tries to load several DLLs that are not present in its location path. For example, IPHLPAPI.DLL. 

This library is present in the web deployment of AnyConnect Posture in the %ProgramFiles(x86)%\Cisco\Cisco AnyConnect Secure Mobility Client\Posture path. 

If AnyConnect Posture was installed using the pre deployment package, then the library is present in the %ProgramFiles(x86)%\Cisco\Cisco HostScan\lib path.

An attacker can exploit this vulnerability in conjunction with the previous one to avoid restarting the machine. The command that allows this is the priv_get_device_id command (opcode 0x60). 

When the service receives this command, it tries to load the libhostscan.dll library from the lib directory. Since this library is vulnerable to DLL Hijacking, an attacker can perform the following steps to escalate privileges without restarting the machine: 

  1. Check if the libhostscan.dll library is present in the lib directory of Cisco HostScan (That is the %ProgramFiles(x86)%\Cisco\Cisco HostScan\lib directory). If the library is not present, then look for it in the Secure Mobility Client directory: %ProgramFiles(x86)%\Cisco\Cisco AnyConnect Secure Mobility Client\Posture 
  1. Start the service’s executable file (ciscod.exe) in a suspended state. 
  1. Perform a process hollowing of the suspended process and replace it with a process that sends the 3 following commands to 127.0.0.1:1023: 
  • A priv_file_copy command that will copy the libhostscan.dll library to the lib directory of Cisco HostScan (If the library already exists, it will be overwritten). 
  • A second priv_file_copy command that will copy an attacker-controlled DLL to the lib directory of Cisco HostScan (The DLL must be placed inside a \Cisco\Cisco HostScan directory). The DLL must be named IPHLPAPI.DLL and it must export all the same functions as the original system DLL. 
  • A priv_get_device_id command. 

          Keep in mind that after every command, a recv of size 0x2E28 (11816) bytes must be performed for proper functioning. 

  1. Resume the main thread of the replaced process. 

Finally, the packet for the priv_get_device_id command must have the following structure: 

struct priv_get_device_id_packet { 
    DWORD packetLen; // Must be 0x2E24 - Big Endian 
    DWORD opcode; // Must be 0x60 - Little Endian 
    BYTE destination[11808]; // Padding 
}; 

8. Report Timeline 

2020-08-30 – Vulnerability is discovered by Core Labs.

2020-09-07 - First contact made is to Cisco to report the vulnerability.

2020-09-07 - Response received from Cisco, advisory draft shared. Case created: PSIRT-0725204668 

2020-09-14 - PoC is sent to Cisco.

2020-10-13 - Update from Cisco received stating that the development team is working on it. No timeframe for a fix is available at this time. 

2020-11-05 - Update from Cisco received stating that the development team is still working on the fix. They expect to give a timeframe for the correction by the next week. 

2020-11-13 - Update from Cisco received stating that the developers have confirmed that they were able to reproduce the issue, and work on the fix is ongoing. No specific dates for the release yet, but they will inform Core Labs as soon as these are available. 

2020-12-21 - Update from Cisco received stating that the fix is ready and waiting to be integrated into a software release. The next release is planned for the end of January, so, if everything goes well, the security advisory publication is expected around mid-February. An update will be provided once the exact date is confirmed. 

2020-01-11 - Update from Cisco received stating that the fix was already integrated as part of release 4.9.05042. The disclosure is scheduled for February 17th. (See the release notes.)

2020-01-11 – CVE number is requested and assigned: CVE-2021-1366

2020-02-17 - Coordinated advisory is published. [2]

9. References 

[1] https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/vpn/asa-96-vpn-config/vpn-hostscan.pdf 

[2] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-dll-hijac-JrcTOQMC 

10. About CoreLabs 

CoreLabs, the research center of Core Security, A HelpSystems Company is charged with researching and understanding security trends as well as anticipating the future requirements of information security technologies. CoreLabs studies cybersecurity trends, focusing on problem formalization, identification of vulnerabilities, novel solutions, and prototypes for new technologies. The team is comprised of seasoned researchers who regularly discover and discloses vulnerabilities, informing product owners in order to ensure a fix can be released efficiently, and that customers are informed as soon as possible. CoreLabs regularly publishes security advisories, technical papers, project information, and shared software tools for public use at https://www.coresecurity.com/core-labs.   

11. About Core Security 

Core Security, a HelpSystems Company, provides organizations with critical, actionable insight about who, how, and what is vulnerable in their IT environment. With our layered security approach and robust threat-aware, identity & access, network security, and vulnerability management solutions, security teams can efficiently manage security risks across the enterprise. Learn more at www.coresecurity.com

Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or [email protected].

12. Disclaimer 

The contents of this advisory are copyright (c) 2021 Core Security and (c) 2021 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License:  http://creativecommons.org/licenses/by-nc-sa/3.0/us/