The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


[AP] Cisco vpnclient buffer overflow


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Wed, 19 Jun 2002 08:50:13 -0700
From: methodic <methodic@bigunz.angrypacket.com.>
To: [email protected]
Subject: [AP] Cisco vpnclient buffer overflow

--gKMricLos+KVdGMg
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Attached is the advisory, along with a link to a POC exploit.

Enjoy.

-- 
+ methodic >> [http://methodic.angrypacket.com&#093; -- -
+ Cannot find nsabackdoor.dll. Please reinstall Windows.

--gKMricLos+KVdGMg
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="0002_AP.vpnclient.txt"

                  - -- ------------------------- -- -
[>(]                 AngryPacket Security Advisory                 [>(]
                  - -- ------------------------- -- -


+--------------------- -- -
+ advisory information
+------------------ -- -
author:       methodic <methodic@bigunz.angrypacket.com.>
release date: 05/28/2002
homepage:     http://sec.angrypacket.com
advisory id:  0x0002

+-------------------- -- -
+ product information
+----------------- -- -
software:     Cisco vpnclient for Linux
vendor:       Cisco Systems
homepage:     http://www.cisco.com
description:
     "Cisco VPN client allows a user to connect to a Cisco VPN device
      using the Linux operating system."

+---------------------- -- -
+ vulnerability details
+------------------- -- -
problem:      Local root
affected:     vpnclient-linux-3.5.1.Rel-k9 and perhaps earlier versions
explaination: Any local user can gain root privileges via a buffer overflow
              in the 'connect' argument when a long profile name (520 bytes
              to own the eip) is specified and the executable is suid root.

              Cisco's install script installs vpnclient suid root by default,
              although it does advise administrators about the permissions
              set on vpnclient, and that they may wish to change them.
risk:         High
status:       Vendor was notified, and a fix is available
exploit:      http://sec.angrypacket.com/exploits/vpnKILLient.c
fix:          Upgrade your Cisco vpnclient software, or chmod -s vpnclient

+-------- -- -
+ credits
+----- -- -
Bug was found by methodic of AngryPacket security group.
Additional help by:
     dmuz and vegac of AngryPacket security group, and shok of w00w00.

+----------- -- -
+ disclaimer
+-------- -- -
The contents of this advisory are Copyright (c) 2002 AngryPacket
Security, and may be distributed freely provided that no fee is charged
for distribution and that proper credit is given. As such, AngryPacket
Security group, collectively or individually, shall not be held liable
or responsible for the misuse of any information contained herein.

                  - -- ------------------------- -- -
[>(]                 AngryPacket Security Advisory                 [>(]
                  - -- ------------------------- -- -


--gKMricLos+KVdGMg--


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру