🥳 achievement unlocked!
Presenting at @defcon in front of a FULL room! 🤩 Thank you all so much for attending my talk! Amazing audience, amazing experience 🥰
🚨 📢 Big announcement ! 📢 🚨
I have been selected to present a talk on the main track of 🏴☠️ @defcon 31 🏴☠️ this August!
The title of my presentation is "Defeating VPN Always-On", a nice feature that you might have in your own organisation 😈
https://t.co/Y7TUBx6hxz
CVE-2020-27123 A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to read arbitrary files on the underlying operating system of an affected ... https://t.co/cmONLgSQse
My 3 vulns on AnyConnect (Windows) are public! CVE-2020-3433 (high, privesc https://t.co/J6OmZiy3Qx), CVE-2020-3434 (medium, DoS https://t.co/Pz5LQCR5ez) and CVE-2020-3435 (medium, Always-On bypass https://t.co/LoeczkJBY1). Patch it! Full details & exploits soon ;)
Thanks to @rapid7 's work (@n00tmeg ) on the @metasploit module for CVE-2020-3153 (@yorickkoster), my own MSF module for the new CVE-2020-3433 I discovered (Windows privesc on AnyConnect < 4.9.00086) is ready! Update before the exploit gets public ;)
@_th3y@HackingLZ Sure! You can read @serializingme posts that could help you to understand AnyConnect’s IPC protocol (https://t.co/A8e1Y3ais1 and https://t.co/QqBMk1O0YM). I also wrote a post on a privesc on AnyConnect: CVE-2020-3153 (discovered by @yorickkoster) https://t.co/reO88J9Bny
I have released my exploit for CVE-2020-3153 - Cisco AnyConnect privilege escalation through path traversal https://t.co/1xSxJUjhuJ
My notes on this vuln: https://t.co/reO88J9Bny
Kudos to @yorickkoster for the advisory & for the -ipc help!
Thank you @maxime_tz for the diagrams!
@nixhacker@yorickkoster@jarsnah12 I mainly used ProcMon / Wireshark during real auto-updates (4.5.02036 to 4.6.03049) of AnyConnect to understand normal behavior of the sofware.
A disasembler can be helpful to identify args.
FYI, AnyConnect logs a lot of information that you can read in Windows Event Viewer.