Cisco AnyConnect CVE-2020-3153
CVE-2020-3153 is a local privilege escalation vulnerability in the Cisco AnyConnect Secure Mobility Client for Windows. If your AnyConnect version is earlier than 4.8.02042, you are vulnerable: the installer/update component handles directory paths incorrectly, so an authenticated local user can abuse a path traversal to have attacker-supplied files copied into system directories with SYSTEM privileges, and from there run code as SYSTEM.
The vulnerability is a bit old but still effective. The AnyConnect version I tested is 4.6.03049.
Please note: this walkthrough is meant to make the community aware of the need to patch vulnerable AnyConnect software as soon as possible, because I have seen many organizations still running vulnerable AnyConnect versions. Please don't use it for malicious purposes.
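Before running any PoC, a practitioner will want to confirm that the installed build is actually in the vulnerable range, and to record who is in the local Administrators group so the before/after state of the walkthrough can be compared. The following PowerShell script is an added example, not part of the original post or of the PoC repository: it reads the AnyConnect DisplayVersion from the Windows uninstall registry keys, compares it to the fixed build 4.8.02042, and lists the local Administrators group. The product display name and the registry locations are assumptions about a standard install.

```powershell
# Added example: check whether the installed Cisco AnyConnect build is below the
# fixed version for CVE-2020-3153 and show who is in the local Administrators group.
# Assumptions: a standard Windows install registers the client under the usual
# Uninstall keys with DisplayName 'Cisco AnyConnect Secure Mobility Client'.

$FixedVersion = [version]'4.8.02042'   # first build Cisco shipped with the fix

function Get-AnyConnectVersion {
    # Look in both the native and the WOW6432Node uninstall hives.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Cisco AnyConnect Secure Mobility Client*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Test-CVE20203153 {
    param([string]$InstalledVersion)
    # Cisco writes versions like '4.6.03049'; [version] parses the zero-padded
    # third field as build 3049, so an ordinary version comparison works.
    $v = [version]$InstalledVersion
    [pscustomobject]@{
        Installed  = $InstalledVersion
        Fixed      = $FixedVersion.ToString()
        Vulnerable = ($v -lt $FixedVersion)
    }
}

function Get-LocalAdmins {
    # Get-LocalGroupMember exists on Windows 10 / Server 2016 and later; fall
    # back to the classic net.exe output on older systems.
    if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
        Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    } else {
        net localgroup Administrators
    }
}

$installed = Get-AnyConnectVersion
if (-not $installed) {
    Write-Host 'AnyConnect not found in the uninstall registry keys.'
} else {
    Test-CVE20203153 -InstalledVersion $installed | Format-List
}

Write-Host "`nCurrent local Administrators:"
Get-LocalAdmins
```

Run it as the low-privileged user before the PoC and again afterwards; on the author's 4.6.03049 build it reports Vulnerable = True, and the second run should show the added account in the Administrators list.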
As we can see, there is no other user present in the local Administrators group.
You can download the PoC from the link above.
Execute the PoC from PowerShell. You will get a privileged shell; enter the command cd\ there.
You are now NT AUTHORITY\SYSTEM (run whoami to confirm) and can do anything on the system.
Here your user is being added to the local Administrators group (net localgroup Administrators <username> /add).
Alternate way:
Suppose you cannot execute an unknown .exe because application whitelisting is in place. In that case the following method helps: MSBuild.exe is a Microsoft-signed binary shipped with the .NET Framework, and it compiles and runs C# code embedded in a project file, so the PoC logic runs inside a trusted binary instead of a separate executable.
First go to the folder C:\Windows\Microsoft.Net\Framework64\v4.0.30319 (the 32-bit copy lives under Framework\v4.0.30319).
There you will find MSBuild.exe.
Now point MSBuild.exe at the CVE-2020-3153.xml project file that you already downloaded from GitHub:
PS C:\Windows\Microsoft.Net\Framework64\v4.0.30319> .\MSBuild.exe C:\Users\Avi_Mahim\Downloads\CVE-2020-3153-master\CVE-2020-3153-master\msbuild\CVE-2020-3153.xml
After execution you get a shell with high privileges (SYSTEM), just as with the .exe PoC.
Notice Pic 5 now: the user is in the local Administrators group.
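The alternate method works because MSBuild.exe, a Microsoft-signed build tool that whitelisting policies commonly allow, will compile and run C# embedded in a project file. The following PowerShell is an added example that is not the post's PoC and not part of the CVE-2020-3153 repository: it writes a harmless inline-task project that only reports the identity and admin status of the process it runs in, executes it through the same MSBuild.exe path the post uses, and cleans up. It shows the mechanism the PoC's XML relies on (a UsingTask with CodeTaskFactory and a <Code> fragment), and it is also the shape defenders should alert on when MSBuild.exe runs a project from a user profile on a non-build machine. The paths assume .NET Framework 4.x on 64-bit Windows.

```powershell
# Added example (not the CVE-2020-3153 PoC): a harmless MSBuild inline-task project
# that shows how MSBuild.exe executes C# from a .xml project file. The same
# mechanism is what lets the PoC's CVE-2020-3153.xml run under a whitelisting policy
# that allows Microsoft-signed binaries. Paths assume .NET Framework 4.x, 64-bit.

$MSBuild  = 'C:\Windows\Microsoft.Net\Framework64\v4.0.30319\MSBuild.exe'
$TasksDll = 'C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll'
$Project  = Join-Path $env:TEMP 'whoami-inline-task.xml'

# CodeTaskFactory compiles the <Code> fragment at build time and runs it inside
# the MSBuild process, so the "payload" is plain C# inside XML. $TasksDll is
# expanded by PowerShell here; MSBuild's own $(MSBuildToolsPath) macro is avoided
# because a double-quoted here-string would try to evaluate it.
$xml = @"
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Run">
    <WhoAmITask />
  </Target>
  <UsingTask TaskName="WhoAmITask" TaskFactory="CodeTaskFactory" AssemblyFile="$TasksDll">
    <Task>
      <Code Type="Fragment" Language="cs">
        <![CDATA[
          var id = System.Security.Principal.WindowsIdentity.GetCurrent();
          var isAdmin = new System.Security.Principal.WindowsPrincipal(id)
              .IsInRole(System.Security.Principal.WindowsBuiltInRole.Administrator);
          System.Console.WriteLine("Inline task running as: " + id.Name);
          System.Console.WriteLine("Token is elevated admin: " + isAdmin);
          System.Console.WriteLine("Host process: " + System.Diagnostics.Process.GetCurrentProcess().ProcessName);
        ]]>
      </Code>
    </Task>
  </UsingTask>
</Project>
"@

Set-Content -Path $Project -Value $xml -Encoding ASCII
try {
    # /nologo keeps the output short; exit code 0 means the target ran.
    & $MSBuild /nologo $Project
    Write-Host "MSBuild exit code: $LASTEXITCODE"
} finally {
    Remove-Item $Project -ErrorAction SilentlyContinue
}
```

Run as a normal user this prints your own account with "elevated admin: False" and the host process name MSBuild; the real PoC differs only in what its <Code> fragment does. If your whitelisting product blocks this harmless project, it will block the PoC's XML as well, which is the check worth doing before relying on MSBuild as an allowed path.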
In this AnyConnect version, I have also tested the latest Cisco AnyConnect vulnerability, CVE-2023-20178, but I found it is not working in this particular version.
Thanks, I hope you like it.
LinkedIn:
https://www.linkedin.com/in/md-mahimbin-firoj-7b8a5a113/