

[AP] Cisco vpnclient buffer overflow


Date: Wed, 19 Jun 2002 08:50:13 -0700
From: methodic <methodic@bigunz.angrypacket.com.>
To: bugtraq@securityfocus.com
Subject: [AP] Cisco vpnclient buffer overflow

--gKMricLos+KVdGMg
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Attached is the advisory, along with a link to a POC exploit.

Enjoy.

-- 
+ methodic >> [http://methodic.angrypacket.com] -- -
+ Cannot find nsabackdoor.dll. Please reinstall Windows.

--gKMricLos+KVdGMg
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="0002_AP.vpnclient.txt"

                  - -- ------------------------- -- -
[>(]                 AngryPacket Security Advisory                 [>(]
                  - -- ------------------------- -- -


+--------------------- -- -
+ advisory information
+------------------ -- -
author:       methodic <methodic@bigunz.angrypacket.com.>
release date: 05/28/2002
homepage:     http://sec.angrypacket.com
advisory id:  0x0002

+-------------------- -- -
+ product information
+----------------- -- -
software:     Cisco vpnclient for Linux
vendor:       Cisco Systems
homepage:     http://www.cisco.com
description:
     "Cisco VPN client allows a user to connect to a Cisco VPN device
      using the Linux operating system."

+---------------------- -- -
+ vulnerability details
+------------------- -- -
problem:      Local root
affected:     vpnclient-linux-3.5.1.Rel-k9 and perhaps earlier versions
explanation:  Any local user can gain root privileges via a buffer overflow
              in the 'connect' argument when a long profile name (520 bytes
              to own the eip) is specified and the executable is suid root.

              Cisco's install script installs vpnclient suid root by default,
              although it does advise administrators about the permissions
              set on vpnclient, and that they may wish to change them.
risk:         High
status:       Vendor was notified, and a fix is available
exploit:      http://sec.angrypacket.com/exploits/vpnKILLient.c
fix:          Upgrade your Cisco vpnclient software, or chmod -s vpnclient

+-------- -- -
+ credits
+----- -- -
Bug was found by methodic of AngryPacket security group.
Additional help by:
     dmuz and vegac of AngryPacket security group, and shok of w00w00.

+----------- -- -
+ disclaimer
+-------- -- -
The contents of this advisory are Copyright (c) 2002 AngryPacket
Security, and may be distributed freely provided that no fee is charged
for distribution and that proper credit is given. As such, AngryPacket
Security group, collectively or individually, shall not be held liable
or responsible for the misuse of any information contained herein.

                  - -- ------------------------- -- -
[>(]                 AngryPacket Security Advisory                 [>(]
                  - -- ------------------------- -- -


--gKMricLos+KVdGMg--
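
Added example (not part of the original advisory and not Cisco's code): a POSIX shell check for the condition the advisory describes, a vpnclient binary carrying the setuid bit, which then applies the advisory's "chmod -s" workaround and verifies the result. The function names and the directory you pass are assumptions; point it at wherever your install placed vpnclient.

```shell
#!/bin/sh
# Audit helper for the setuid condition described in the advisory.
# Usage (assumed invocation): sh audit_vpnclient.sh DIR [NAME]

# is_setuid FILE: succeeds if FILE is a regular file with the setuid bit set.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# owner_uid FILE: prints the numeric owner; setuid matters most when this is 0.
owner_uid() {
    ls -ldn "$1" | awk '{print $3}'
}

# audit_setuid DIR NAME: prints every regular file called NAME under DIR
# that has the setuid bit set (one path per line).
audit_setuid() {
    find "$1" -type f -name "$2" -perm -4000 2>/dev/null
}

# drop_setuid FILE: applies the advisory's workaround (chmod -s) and
# confirms the bit is gone. Succeeds if FILE ends up without setuid.
drop_setuid() {
    is_setuid "$1" || return 0      # nothing to do
    chmod -s "$1" || return 1       # needs ownership of FILE or root
    ! is_setuid "$1"
}

# When called with a directory, report findings without changing anything.
if [ "$#" -ge 1 ]; then
    audit_setuid "$1" "${2:-vpnclient}" | while IFS= read -r f; do
        echo "setuid: $f (owner uid $(owner_uid "$f"))"
    done
fi
```

Removing the setuid bit only limits the impact of the overflow; the advisory's other fix, upgrading the client, is what removes the bug itself.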

