A security researcher has published an exploit for a Cisco vulnerability that was patched earlier this month.
The vulnerability, CVE-2023-20178, is a privilege escalation bug.
In its advisory, Cisco explained that “a vulnerability in the client update process of Cisco AnyConnect secure mobility client software for Windows, and Cisco Secure Client software for Windows, could allow a low-privileged, authenticated, local attacker to elevate privileges to those of SYSTEM.
"The client update process is executed after a successful VPN connection is established," the vendor stated.
“This vulnerability exists because improper permissions are assigned to a temporary directory that is created during the update process.
“An attacker could exploit this vulnerability by abusing a specific function of the Windows installer process.
"A successful exploit could allow the attacker to execute code with SYSTEM privileges.”
Cisco attributed discovery of the vulnerability to Filip Dragovic, who has now posted a proof-of-concept to GitHub.
Dragovic said the problem exists in the vpndownloader.exe process, which updates the client software on launch.
The updater creates a temp directory which is deleted if there are no updates to run.
“This behaviour can be abused to perform arbitrary file delete as NT Authority\SYSTEM account,” Dragovic wrote.
“Arbitrary file delete is then used to spawn system cmd processes by abusing windows installer behaviour."
The arbitrary delete can be used for privilege escalation, for example, by removing a high-privilege directory and creating a low-privilege directory with the same name, as the Zero Day Initiative describes in this article.