Cisco Backdoor
I had this email forward to me today it may be of relevence to network admins and those studying Cisco.
From the e-mail
First, before getting into this exploit I think it's only fair to say
that my last post, "Cisco Systems VPN Client allows local logon with
Elevated Privileges" was as Cisco's representative Sharad Ahlawat said,
outdated and already addressed (see following link):
http://www.cisco.com/warp/public/707/vpnclient-multiple2-vuln-pub.shtml
That said, I was sufficiently enough embarrassed to see if I could get
around their patched client, and here's how to do it:
- Log on as a standard user.
- Browse to the C:\winnt directory, right click on explorer.exe and
choose copy.
- Browse to C:\Program Files\Cisco Systems\VPN Client (the directory
with ipsecdialer.exe) and paste a copy of explorer.exe into the folder.
- Double click on ip!
secdialer.exe and select options > Windows logon
properties.
- Click on the first box to "enable start before log on".
- Click OK and Close.
- Rename ipsecdialer.exe to ipsecdialer.ex_
- Rename the copy of explorer.exe to ipsecdialer.exe
- Close any open windows.
- log out.
- log back on as the same standard user.
- Click okay on any error messages that appear.
- DO NOT CLOSE THE EXPLORER WINDOW THAT IS OPEN.
- At this point you may see your desktop or you may not (have had it
happen both ways), but whatever the case, that Explorer window is open
as local system and anything else you see is opened as the standard
user.
- In the open explorer window press the Up folder icon until you get to
My computer.
- Double click on Control Panel, then Administrative Tools, then
Computer Management
- Expand Local Users and Groups and add your Standard User account to
the Local Administrators Group.
The following steps are provided to return your machine to it's prev!
ious
state (i.e. logging in without the client launching explorer)
- Navigate to C:\Program Files\Cisco Systems\VPN Client and open the
vpnclient.ini file
- set runatlogon=0
- Save the file and restart the machine (Ctrl-Alt-Del if no Start
button)
And to Verify the Changes took...
Log on as the Standard user and do whatever you want.
Cisco has been notified about this issue and has acknowledged it, but
since asking for a week to test it further I have not heard from them
again.
Possible Issue/Workaround
I can't code, but it would seem the file at fault is csgina.dll which is
Cisco's replacement Gina that's installed automatically (and I assume is
what allows the explorer window to be launched in the system process).
Also, this exploit would be harder if not impossible were Cisco to
secure their install folder, but unfortunately even if I have
permissions set on the Program Files folder to only allow Users Read
access the Cisco install creat!
es a subfolder which grants the
Interactive user Modify permissions. I think they do this because the
program constantly re-encrypts the group authentication key which is
stored in a text file in that directory.
This has been Verified on Windows 2000 with SP3 and Windows 2003 Server
with the newest version of the Cisco VPN client (as well as older
versions too).
Thanks,
Nick Staff
- Login to post comments