[AP] Cisco vpnclient buffer overflow

Attached is the advisory, along with a link to a POC exploit.

Enjoy.

-- 
+ methodic >> [http://methodic.angrypacket.com] -- -
+ Cannot find nsabackdoor.dll. Please reinstall Windows.
                  - -- ------------------------- -- -
[>(]                 AngryPacket Security Advisory                 [>(]
                  - -- ------------------------- -- -

+--------------------- -- -
+ advisory information
+------------------ -- -
author:       methodic <methodic@bigunz.angrypacket.com>
release date: 05/28/2002
homepage:     http://sec.angrypacket.com
advisory id:  0x0002

+-------------------- -- -
+ product information
+----------------- -- -
software:     Cisco vpnclient for Linux
vendor:       Cisco Systems
homepage:     http://www.cisco.com
description:
     "Cisco VPN client allows a user to connect to a Cisco VPN device
      using the Linux operating system."

+---------------------- -- -
+ vulnerability details
+------------------- -- -
problem:      Local root
affected:     vpnclient-linux-3.5.1.Rel-k9 and perhaps earlier versions
explanation:  Any local user can gain root privileges via a buffer overflow
              in the 'connect' argument when a long profile name (520 bytes
              to own the eip) is specified and the executable is suid root.

              Cisco's install script installs vpnclient suid root by default,
              although it does advise administrators about the permissions
              set on vpnclient, and that they may wish to change them.
risk:         High
status:       Vendor was notified, and a fix is available
exploit:      http://sec.angrypacket.com/exploits/vpnKILLient.c
fix:          Upgrade your Cisco vpnclient software, or chmod -s vpnclient
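The following is an added illustration of the defensive side of the bug class described above; it is not code from the advisory, from the vpnKILLient.c exploit, or from Cisco's vpnclient. The advisory does not give the real size of the profile-name buffer, only that about 520 bytes of argument reach the saved return address, so the 256-byte limit, the function names, and the sample inputs below are assumptions chosen for the example. The point it shows is the one check whose absence makes a long 'connect' argument dangerous in a suid binary: an argv string must be length-checked before it is copied into a fixed-size stack buffer.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed buffer size for a profile name; the advisory does not state the
 * real one, only that roughly 520 bytes of input reach the return address. */
#define PROFILE_NAME_MAX 256

/* Bounded copy of an argv-supplied profile name into a fixed buffer.
 * Returns 0 on success, -1 if the name (plus its NUL) does not fit or an
 * argument is invalid. The unsafe pattern the advisory describes is the
 * unbounded equivalent, strcpy(profile, argv_name), which lets a long
 * name run past the end of the stack buffer. */
int copy_profile_name(char *dst, size_t dstlen, const char *src)
{
    size_t n;

    if (dst == NULL || src == NULL || dstlen == 0)
        return -1;

    /* Look for the terminating NUL within dstlen bytes only, so the scan
     * itself never walks further than the destination could hold. */
    for (n = 0; n < dstlen; n++) {
        if (src[n] == '\0')
            break;
    }
    if (n == dstlen)          /* no NUL within dstlen: name is too long */
        return -1;

    memcpy(dst, src, n + 1);  /* n bytes of name plus the terminating NUL */
    return 0;
}

/* Constructed input: a 520-byte profile name, the length the advisory
 * reports as sufficient to reach the saved eip. Returns 1 if the bounded
 * copy rejects it (the desired behaviour), 0 if it is wrongly accepted. */
int long_profile_name_is_rejected(void)
{
    char profile[PROFILE_NAME_MAX];
    char long_name[521];

    memset(long_name, 'A', 520);
    long_name[520] = '\0';
    return copy_profile_name(profile, sizeof profile, long_name) != 0;
}

/* Stand-alone usage: mimics a 'connect <profile>' command line. */
int main(int argc, char **argv)
{
    char profile[PROFILE_NAME_MAX];

    if (argc != 3 || strcmp(argv[1], "connect") != 0) {
        fprintf(stderr, "usage: %s connect <profile>\n", argv[0]);
        return 2;
    }
    if (copy_profile_name(profile, sizeof profile, argv[2]) != 0) {
        fprintf(stderr, "profile name too long (max %d bytes)\n",
                PROFILE_NAME_MAX - 1);
        return 1;
    }
    printf("would load profile '%s'\n", profile);
    return 0;
}
```

The length check is the whole mitigation at the code level; the advisory's operational mitigation, chmod -s vpnclient, removes the privilege boundary instead, so that an overflow in the same code path no longer yields root.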

+-------- -- -
+ credits
+----- -- -
Bug was found by methodic of AngryPacket security group.
Additional help by:
     dmuz and vegac of AngryPacket security group, and shok of w00w00.

+----------- -- -
+ disclaimer
+-------- -- -
The contents of this advisory are Copyright (c) 2002 AngryPacket
Security, and may be distributed freely provided that no fee is charged
for distribution and that proper credit is given. As such, AngryPacket
Security group, collectively or individually, shall not be held liable
or responsible for the misuse of any information contained herein.

                  - -- ------------------------- -- -
[>(]                 AngryPacket Security Advisory                 [>(]
                  - -- ------------------------- -- -
