CVE-2023-20178 PoC — Cisco AnyConnect Secure Mobility Client for Windows security vulnerability

Associated Vulnerability
Title: Cisco AnyConnect Secure Mobility Client for Windows security vulnerability (CVE-2023-20178)
Description: A vulnerability in the client update process of Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows could allow a low-privileged, authenticated, local attacker to elevate privileges to those of SYSTEM. The client update process is executed after a successful VPN connection is established. This vulnerability exists because improper permissions are assigned to a temporary directory that is created during the update process. An attacker could exploit this vulnerability by abusing a specific function of the Windows installer process. A successful exploit could allow the attacker to execute code with SYSTEM privileges.
Readme
# CVE-2023-20178

This is a PoC for an arbitrary file delete vulnerability in Cisco Secure Client (tested on 5.0.01242) and Cisco AnyConnect (tested on 4.10.06079).

![poc](https://github.com/Wh04m1001/CVE-2023-20178/assets/44291883/f64f2b03-3045-4b37-91a2-508b24aea2f9)

When a user connects to the VPN, the vpndownloader.exe process is started in the background and creates a directory in C:\Windows\Temp with default permissions, named in the following format:
`<random numbers>.tmp`
After creating this directory, vpndownloader.exe checks whether it is empty and, if it is not, deletes all files and directories inside it.
This behaviour can be abused to perform an arbitrary file delete as the NT AUTHORITY\SYSTEM account.

The arbitrary file delete is then used to spawn a SYSTEM cmd process by abusing Windows Installer behaviour, as described in the ZDI article https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks (discovered by @KLINIX5).
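
A defensive counterpart to the delete behaviour described above, added here as an example and not part of the PoC repository or of Cisco's tooling: a small Python detector that runs over constructed Sysmon-style file-delete records (fields modelled on Event ID 23/26) and flags deletes performed by vpndownloader.exe as SYSTEM outside its own `C:\Windows\Temp\<digits>.tmp` working directory. The install path of vpndownloader.exe, the event field names and every sample path are assumptions made for this example; they are not taken from captured logs.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style file-delete records (Event ID 23 = FileDelete archived,
# 26 = FileDeleteDetected). Sample data written for this example, not captured logs.
# The install path of vpndownloader.exe is an assumption.
VPND = r"C:\Program Files (x86)\Cisco\Cisco Secure Client\vpndownloader.exe"
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # Expected: cleanup inside the randomly named .tmp directory.
    {"EventID": 23, "Image": VPND, "User": r"NT AUTHORITY\SYSTEM",
     "TargetFilename": r"C:\Windows\Temp\185720.tmp\update.log"},
    # Anomalous: SYSTEM delete of a path that is not under the .tmp directory.
    {"EventID": 23, "Image": VPND, "User": r"NT AUTHORITY\SYSTEM",
     "TargetFilename": r"C:\ProgramData\Example\protected.dat"},
    # Expected: nested content inside the .tmp directory.
    {"EventID": 26, "Image": VPND, "User": r"NT AUTHORITY\SYSTEM",
     "TargetFilename": r"C:\Windows\Temp\185720.tmp\nested\leftover.bin"},
    # Unrelated process and user; ignored by the rule.
    {"EventID": 23, "Image": r"C:\Windows\explorer.exe", "User": r"DESKTOP\alice",
     "TargetFilename": r"C:\Users\alice\Desktop\notes.txt"},
    # Anomalous: under Windows\Temp but not in a <digits>.tmp directory.
    {"EventID": 23, "Image": VPND, "User": r"NT AUTHORITY\SYSTEM",
     "TargetFilename": r"C:\Windows\Temp\notatmp\x.dll"},
]

# Only the process's own working directory, C:\Windows\Temp\<digits>.tmp, is an
# expected delete location (the directory itself or anything below it).
EXPECTED_DELETE_PATH = re.compile(r"^c:\\windows\\temp\\\d+\.tmp(\\|$)", re.IGNORECASE)
DELETE_EVENT_IDS = {23, 26}


def is_vpndownloader(image: str) -> bool:
    """Match on the executable name so the install directory does not matter."""
    return image.lower().endswith("\\vpndownloader.exe")


def is_system(user: str) -> bool:
    return user.upper() == r"NT AUTHORITY\SYSTEM"


def find_suspicious_deletes(events: List[Dict[str, object]]) -> List[str]:
    """Return target paths deleted by vpndownloader.exe as SYSTEM outside its .tmp directory."""
    hits: List[str] = []
    for ev in events:
        if ev["EventID"] not in DELETE_EVENT_IDS:
            continue
        if not is_vpndownloader(str(ev["Image"])):
            continue
        if not is_system(str(ev["User"])):
            continue
        target = str(ev["TargetFilename"])
        if EXPECTED_DELETE_PATH.match(target):
            continue  # normal cleanup of the update directory
        hits.append(target)
    return hits


if __name__ == "__main__":
    for path in find_suspicious_deletes(SAMPLE_EVENTS):
        print(f"ALERT: vpndownloader.exe deleted {path} as SYSTEM outside its .tmp directory")
```

The rule is a heuristic: whether a delete redirected through a junction or symbolic link is logged under the original or the resolved path depends on the telemetry source, so treat hits as a prompt to investigate rather than proof of exploitation. The actual fix is the updated client version referenced in the Cisco advisory below.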

# Advisory

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-csc-privesc-wx4U4Kw
File Snapshot

```
[4.0K] /data/pocs/42dc3fdb5c756fcdcbab35827211ffde2ba5de73
├── [4.0K] exploit
│   ├── [4.0K] Project5
│   │   ├── [558K] cmd.rbs
│   │   ├── [3.6K] def.h
│   │   ├── [4.3K] FileOpLock.cpp
│   │   ├── [ 986] FileOpLock.h
│   │   ├── [ 12K] main.cpp
│   │   ├── [184K] Msi_Rollback.msi
│   │   ├── [1.5K] Project5.vcxproj.filters
│   │   ├── [ 168] Project5.vcxproj.user
│   │   ├── [6.8K] Project5.vcxproj.xml
│   │   ├── [ 514] resource.h
│   │   └── [1.6K] resource.rc
│   └── [1.4K] Project5.sln
└── [1.1K] README.md

2 directories, 13 files
```