Product: Cisco Systems VPN Client
Reported by: Kyriakos Economou (@kyREcon)
Cisco Systems VPN Client is vulnerable to privilege escalation due to weak ACLs assigned to one of the files that store important configuration settings.
In particular, the ‘vpnclient.ini’ file, which holds the VPN Client's configuration settings, carries an ACL that lets any logged-on user (Guest included) write to it.
The VPN Client offers an option to run an executable every time a user connects to a VPN server, and that setting is stored in this same .ini file. A local attacker can therefore point the setting at a program of his own choosing, and that program will run in the context of every other user who subsequently uses the VPN Client, an Administrator included.
The same setting can be changed from the ‘Options’ menu of the ‘vpngui.exe’ program; the resulting entry in ‘vpnclient.ini’ looks like this:
[ApplicationLauncher]
Enable=1
Command=C:\Users\Guest\Desktop\cmd2.exe
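The following PowerShell script is an added example, not part of the original advisory or of Cisco's software. It checks a host for the two conditions described above: write-class access on ‘vpnclient.ini’ granted to a broad principal (Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE), and an enabled [ApplicationLauncher] command, whose target binary is checked the same way. The install path used as the default is an assumption; pass -IniPath if the client is installed elsewhere. The ACL read needs no privilege, which is exactly why an unprivileged user can find this.

```powershell
# Added example, not part of the original advisory: audit vpnclient.ini for a
# broad write ACE plus an enabled [ApplicationLauncher] command.
# The default install path is an assumption; override it with -IniPath.
param(
    [string]$IniPath = (Join-Path ${env:ProgramFiles(x86)} 'Cisco Systems\VPN Client\vpnclient.ini')
)

# Principals that effectively mean "any logged-on user". Guest is a member of
# Everyone and, unless an admin removed it, of BUILTIN\Users.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Only write-class bits: Modify and FullControl contain read bits too, so they
# must not be used as the mask directly (they still match, since they contain
# WriteData). The two generic bits show up in some inherited ACEs.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                   [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership) -bor
             0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

function Get-BroadWriteAce {
    # Returns the Allow ACEs on $Path that grant write-class rights to a broad principal.
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band $WriteMask) -ne 0 -and
        $BroadPrincipals -contains $_.IdentityReference.Value
    }
}

function Get-ApplicationLauncher {
    # Minimal .ini reader: returns Enable and Command from [ApplicationLauncher] only.
    param([string]$Path)
    $section = $null
    $result = @{ Enable = $null; Command = $null }
    foreach ($line in Get-Content -LiteralPath $Path) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -ne 'ApplicationLauncher') { continue }
        if ($t -match '^Enable\s*=\s*(.*)$')  { $result.Enable  = $Matches[1].Trim() }
        if ($t -match '^Command\s*=\s*(.*)$') { $result.Command = $Matches[1].Trim() }
    }
    $result
}

if (-not (Test-Path -LiteralPath $IniPath)) { Write-Warning "Not found: $IniPath"; return }

$weak = @(Get-BroadWriteAce -Path $IniPath)
if ($weak.Count -gt 0) {
    Write-Output "WEAK ACL: $IniPath is writable by:"
    $weak | ForEach-Object { Write-Output ("  {0,-36} {1}" -f $_.IdentityReference, $_.FileSystemRights) }
} else {
    Write-Output "OK: no broad write access on $IniPath"
}

$launcher = Get-ApplicationLauncher -Path $IniPath
if ($launcher.Enable -eq '1' -and $launcher.Command) {
    Write-Output "ApplicationLauncher is enabled: $($launcher.Command)"
    # Whoever connects runs this command, so who can replace the binary matters
    # too. Arguments are stripped naively; assumes an unquoted path without
    # spaces, as in the advisory's example.
    $exe = ($launcher.Command -split '\s+')[0].Trim('"')
    if (Test-Path -LiteralPath $exe) {
        if (@(Get-BroadWriteAce -Path $exe).Count -gt 0) {
            Write-Output "  and $exe is itself writable by a broad principal"
        }
    } else {
        Write-Output "  (target does not exist on this host)"
    }
} else {
    Write-Output "ApplicationLauncher is not enabled"
}

# Hardening, from an elevated prompt. Dropping write access for Users stops one
# user from planting a command for everyone, at the cost that non-admins can no
# longer change Options in vpngui.exe:
#   icacls "$IniPath" /inheritance:r /grant:r "SYSTEM:(F)" "Administrators:(F)" "Users:(R)"
```

The ACE test deliberately matches on specific write bits rather than on the Modify or FullControl rights as a whole, because those composite rights include read bits and a bitwise AND against them would flag a read-only ACE. The icacls line at the end is one mitigation, not a vendor fix; it also applies to any other per-machine file the client treats as trusted.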
We tested this on the latest v5.x version (5.0.07.0440) that we managed to obtain.
However, earlier versions could also be affected by this issue.