On August 5th, ethical hacker and cybersecurity professional Antoine Goichot posted on Twitter that three vulnerabilities he had discovered in Cisco AnyConnect (CVE-2020-3433, CVE-2020-3434, and CVE-2020-3435) were now public. The next day, he published a follow-up blog post on GitHub. That led the Core Security team to investigate the program for additional vulnerabilities. After some digging, we found a service listening on localhost, port 1023: the Security Service of AnyConnect Posture (ciscod.exe).

Cisco AnyConnect Posture is an optional module that can be installed along with the AnyConnect Secure Mobility Client. This module enables the VPN client to identify the operating system, antivirus, anti-spyware, and firewall software installed on the host. An application called HostScan gathers this information, so a Posture assessment requires HostScan to be installed on the host. If you only have the VPN client installed, this service should not be present on your system. But if you selected VPN Posture in the predeploy installer (or your IT department did so in the webdeploy installer), then the service is present.

Among the commands the service accepts are:

- priv_file_make_executable (opcode 0x22)
- priv_check_rtp_antimalware (opcode 0x42)
- priv_get_def_date_antimalware (opcode 0x43)
- priv_get_version_antimalware (opcode 0x44)

Now, since there is no "execute program" command, it's best to use the priv_file_copy command. This command allows us to copy a file from any location to a subdirectory of the %PROGRAMFILES(X86)%\Cisco\Cisco HostScan directory. The function checks for directory traversal ("..") so it is not possible to escape from the destination directory. Also, the source file must be inside a \Cisco\Cisco HostScan directory. Since this command allows us to copy any file to any directory inside %PROGRAMFILES%\Cisco\Cisco HostScan, we could copy a library to the \bin directory, so that when the service is started, that library will be loaded and executed (DLL hijacking).

Figure 12: imported functions of libhostscan.dll

There are several library names that can be used, for example Dbghelp.dll:
(If the library already exists, it will be overwritten.)
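As an added example (it is not code from the Core Security post, and not Cisco's own tooling), the following PowerShell triage script checks a Windows host for the Posture service described on this page and inventories the DLLs in the HostScan \bin directory, the location an attacker would write to with priv_file_copy. The process name ciscod.exe, the localhost:1023 listener and the %PROGRAMFILES(X86)%\Cisco\Cisco HostScan path come from the post; falling back to %PROGRAMFILES%, and treating any DLL not validly signed by Cisco as suspicious, are our own assumptions and heuristics.

```powershell
# Added example, not from the Core Security post or from Cisco.
# Triage a Windows host for the AnyConnect Posture service (ciscod.exe on
# localhost:1023) and hunt for DLLs planted in HostScan\bin, where a copied
# library would be loaded the next time the service starts (DLL hijacking).

# Install path from the post; both Program Files forms are tried (assumption).
$candidates = @()
if (${env:ProgramFiles(x86)}) { $candidates += Join-Path ${env:ProgramFiles(x86)} 'Cisco\Cisco HostScan' }
if ($env:ProgramFiles)        { $candidates += Join-Path $env:ProgramFiles        'Cisco\Cisco HostScan' }
$hostScanRoot = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1

# 1. Is the Posture service present at all? With only the VPN client installed it should not be.
$ciscod   = Get-Process -Name ciscod -ErrorAction SilentlyContinue
$listener = Get-NetTCPConnection -LocalPort 1023 -State Listen -ErrorAction SilentlyContinue |
            Where-Object { $_.LocalAddress -in @('127.0.0.1', '::1') }

if ($ciscod -and $listener) {
    Write-Output ("AnyConnect Posture service found: ciscod.exe PID {0} listening on localhost:1023" -f ($ciscod.Id -join ','))
} elseif ($ciscod -or $listener) {
    Write-Output "Partial match (process or listener, not both); inspect manually"
} else {
    Write-Output "No AnyConnect Posture service detected"
}

# 2. Inventory HostScan\bin. The service loads libraries from here by name
#    (the post names Dbghelp.dll as one usable target), so a DLL that is
#    unsigned, tampered or not signed by Cisco is what a hijack looks like.
if ($hostScanRoot) {
    $binDir = Join-Path $hostScanRoot 'bin'
    Get-ChildItem -Path $binDir -Filter '*.dll' -File -ErrorAction SilentlyContinue | ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        [pscustomobject]@{
            Name       = $_.Name
            Status     = $sig.Status              # Valid, NotSigned, HashMismatch, ...
            Signer     = $signer
            LastWrite  = $_.LastWriteTime
            # Heuristic (ours, not from the post): anything Cisco did not validly sign deserves a look.
            Suspicious = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'Cisco')
        }
    } | Sort-Object Suspicious, LastWrite -Descending | Format-Table -AutoSize
} else {
    Write-Output "No Cisco HostScan install directory found"
}
```

Run it from an elevated PowerShell so the signature and listener checks can read every file and socket. Two things to keep in mind when reading the output: a planted library only executes when the service is (re)started, so a clean process list says nothing about the contents of \bin, and a DLL named after a Windows system library (such as Dbghelp.dll) sitting in \bin with a LastWrite time newer than the Cisco binaries around it is the pattern the post's technique would leave behind.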