Cisco AnyConnect elevation of privileges via DMG install script

Abstract

Cisco AnyConnect Secure Mobility Client for OS X is affected by a vulnerability that allows local attackers to mount arbitrary DMG files at arbitrary mount points. By exploiting this vulnerability is is possible for the attacker to gain root privileges. Cisco reports that a similar issue also exists in Cisco AnyConnect Secure Mobility Client for Linux.

See also

Tested version

This issue was successfully verified on Cisco AnyConnect Secure Mobility Client for OS X version 3.1.08009.

Fix

Cisco customers with active contracts can obtain updates through the Software Center at https://software.cisco.com/download/navigator.html.

Cisco has released bug ID CSCuv11947 for registered users, which contains additional details and an up-to-date list of affected product versions.

Introduction

Last June, a blog post was published by Kostya Kortchinsky detailing an elevation of privileges vulnerability in Cisco AnyConnect Secure Mobility Client for Windows. This vulnerability allowed an unprivileged user to invoke any binary signed by Cisco, which would be executed with SYSTEM privileges. This could be abused to install an arbitrary interactive service and consequently granting a local user SYSTEM privileges.

It was found that the OS X version of AnyConnect is affected by a similar vulnerability. On OS X it is possible for a local unprivileged user to gain root privileges. Cisco reports that a similar issue also exists in Cisco AnyConnect Secure Mobility Client for Linux.

Vulnerability details

Cisco AnyConnect comes with a system service listening on the loopback interface. It allows for local processes to connect to it and send commands to it. One command is interesting as it can be used to invoke executables with elevated privileges. AnyConnect restricts which executables can be invoked to prevent a local attacker from gaining elevated privileges.

One of the executables that can be invoked is install-dmg.sh, which is located in /opt/cisco/anyconnect/bin/vpndownloader.app/Contents/Resources/. This script allows a PKG file, located in a DMG file, to be installed as root. PKG files are only installed if they are named:

  • vpn.pkg
  • posture.pkg
  • dart.pkg
  • websecurity.pkg

In theory an attacker could create a DMG file containing a specially crafted PKG file that can be installed via AnyConnect. However, the script appears to be broken. After the DMG file is mounted, its path is supplied to the installer program. The path is however prepended with a new-line character that cause installer to throw an error - instead of installing the PKG file.

The command for mounting the DMG contains a flaw, which still allows a local attacker to abuse the script and gain root privileges. The flaw exists in the following command:

HDIDOUT=`hdiutil attach **${DMG}** -nobrowse` || exit 1

The ${DMG} variable contains user-supplied input. Using a space character it is possible to add extra arguments to the hdiutil attach command. Consequently an attacker can mount a DMG file at an arbitrary mount point. Due to this it is possible to change the system's configuration and gain root privileges.

Proof of concept

The following proof of concept will start a root shell on an affected system using the following steps:

  • create a DMG file containing a sudoers file that allows anyone in the everyone group to invoke sudo without providing a password.
  • execute install-dmg.sh with the DMG file as argument.
  • abuse the hdiutil attach flaw to mount the DMG file to /private/etc
  • execute sudo to gain root privileges.

anyconnect-eop-install-dmg.c

Questions or feedback?