

Local privilege escalation vulnerabilities are rarely rated critical because they require an attacker to already be able to execute code on the system. That does not make them any less serious or valuable to attackers, especially as a step in lateral movement.

Employees who have the Cisco AnyConnect client on their company-issued computers so they can reach the organisation's network via VPN don't typically have administrator privileges on those systems. If attackers trick such a user into running a malicious program, that code runs with the user's limited privileges. That might be enough for basic data theft from the user's applications, but it won't allow more sophisticated attacks like dumping the local credentials stored in Windows, which could let the attacker reach other systems. This is where local privilege escalation flaws come into play.

The privilege escalation vulnerability Cisco patched earlier this month is tracked as CVE-2023-20178 and is caused by the update mechanism of Cisco AnyConnect Secure Mobility Client and Cisco Secure Client for Windows. Researcher Filip Dragovic, who found and reported the flaw to Cisco, explains in the proof-of-concept exploit he posted on GitHub that every time a user establishes a VPN connection, the client executes a file called vpndownloader.exe. This process creates a directory under C:\Windows\Temp with default permissions and checks whether it contains any files, for example left over from a previous update. If it finds any, it deletes them, and it does so as NT AUTHORITY\SYSTEM, the most privileged local account on Windows. C:\Windows\Temp is writable by standard users, so a directory created there with default permissions can be prepared, or replaced, by the low-privileged user before the privileged cleanup runs.

Attackers can exploit this by pointing that directory, via a filesystem link (a symbolic link or junction, not an Explorer shortcut), at files of their choosing, which turns the cleanup into an arbitrary file delete as SYSTEM. How does a file delete become code execution? By abusing a little-known feature of the Windows Installer service.
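The delete-through-a-link pattern described above, as an added example that is not Dragovic's proof of concept and not Cisco's code: a portable Python model of a privileged cleanup routine that follows a link planted where its temp directory should be, beside a version that refuses links and, on POSIX, unlinks relative to an open directory handle so the check and the delete cannot be raced. The function names (vulnerable_cleanup, hardened_cleanup, demo), the victim/work directory names and the file contents are constructed for this demonstration; the junction used in the real-world exploit is modelled with a symbolic link, and on Windows os.symlink itself needs a privilege or Developer Mode.

```python
import os
import stat
import tempfile


def _is_reparse_point(st: os.stat_result) -> bool:
    """True for a symlink, or (on Windows) any reparse point such as a junction."""
    attrs = getattr(st, "st_file_attributes", 0)
    return stat.S_ISLNK(st.st_mode) or bool(
        attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0)
    )


def vulnerable_cleanup(workdir: str) -> list:
    """Model of the flawed pattern: a privileged process lists its own temp
    directory and deletes whatever is inside.  Every call is path based, so if
    an unprivileged user has replaced 'workdir' with a link, the listing and
    the deletes silently land in the directory the link points to."""
    deleted = []
    for name in os.listdir(workdir):            # follows the link
        path = os.path.join(workdir, name)
        if os.path.isfile(path):                # also follows the link
            os.remove(path)                     # victim's file deleted with the caller's privileges
            deleted.append(name)
    return deleted


def hardened_cleanup(workdir: str) -> list:
    """Same job, done safely: refuse to proceed if 'workdir' is itself a link,
    delete only regular files, and on POSIX do both relative to an open
    directory handle so the directory cannot be swapped for a link between
    the check and each unlink (no time-of-check/time-of-use window)."""
    st = os.lstat(workdir)                      # lstat does not follow links
    if not stat.S_ISDIR(st.st_mode) or _is_reparse_point(st):
        raise PermissionError(f"refusing to clean {workdir}: not a plain directory")

    deleted = []
    if os.listdir in os.supports_fd and os.unlink in os.supports_dir_fd:
        flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_DIRECTORY", 0)
        fd = os.open(workdir, flags)
        try:
            for name in os.listdir(fd):
                if stat.S_ISREG(os.lstat(name, dir_fd=fd).st_mode):
                    os.unlink(name, dir_fd=fd)
                    deleted.append(name)
        finally:
            os.close(fd)
    else:
        # Fallback for platforms without dir_fd (Windows): per-entry lstat closes
        # the obvious hole but leaves a small race between lstat and remove.
        for name in os.listdir(workdir):
            path = os.path.join(workdir, name)
            est = os.lstat(path)
            if stat.S_ISREG(est.st_mode) and not _is_reparse_point(est):
                os.remove(path)
                deleted.append(name)
    return deleted


def demo() -> dict:
    """Constructed scenario.  'victim' stands in for a directory the attacker
    wants emptied; 'work' is the privileged process's temp directory.  In the
    attacked cases the attacker has created 'work' as a link to 'victim'
    before the privileged cleanup runs."""
    cases = (
        ("vulnerable", vulnerable_cleanup, True),
        ("hardened", hardened_cleanup, True),
        ("hardened_normal", hardened_cleanup, False),   # ordinary leftover file, no attack
    )
    results = {}
    for label, cleanup, attacked in cases:
        with tempfile.TemporaryDirectory() as root:
            victim = os.path.join(root, "victim")
            os.mkdir(victim)
            secret = os.path.join(victim, "secret.txt")
            with open(secret, "w") as fh:
                fh.write("constructed sample content\n")

            work = os.path.join(root, "work")
            if attacked:
                os.symlink(victim, work, target_is_directory=True)   # attacker's redirect
            else:
                os.mkdir(work)
                with open(os.path.join(work, "stale_update.tmp"), "w") as fh:
                    fh.write("leftover from a previous update\n")

            try:
                deleted = cleanup(work)
                refused = False
            except PermissionError:
                deleted, refused = [], True
            results[label] = {
                "refused": refused,
                "deleted": deleted,
                "secret_survived": os.path.exists(secret),
            }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:16s} {outcome}")
```

Running the module shows the vulnerable routine removing the victim's file through the link, the hardened routine refusing the linked directory outright, and the hardened routine still clearing a genuine leftover file. The same principle applies to the Windows case in the article: a SYSTEM-level cleanup that opens its directory by path and trusts what it finds there is only as safe as the permissions on that path, and a directory under C:\Windows\Temp created with default permissions is not safe.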

At the same time, the US Cybersecurity and Infrastructure Security Agency (CISA) added two older AnyConnect for Windows flaws, tracked as CVE-2020-3433 and CVE-2020-3153, to its Known Exploited Vulnerabilities Catalog, which sets a deadline by which federal civilian agencies must patch them.
