- -- ------------------------- -- -
[>(] AngryPacket Security Advisory [>(]
- -- ------------------------- -- -

+--------------------- -- -
+ advisory information
+------------------ -- -

author: methodic
release date: 05/28/2002
homepage: http://sec.angrypacket.com
advisory id: 0x0002

+-------------------- -- -
+ product information
+----------------- -- -

software: Cisco vpnclient for Linux
vendor: Cisco Systems
homepage: http://www.cisco.com
description: "Cisco VPN client allows a user to connect to a Cisco VPN device using the Linux operating system."

+---------------------- -- -
+ vulnerability details
+------------------- -- -

problem: Local root
affected: vpnclient-linux-3.5.1.Rel-k9 and perhaps earlier versions
explanation: Any local user can gain root privileges via a buffer overflow in the 'connect' argument when a long profile name (520 bytes to own the eip) is specified and the executable is suid root. Cisco's install script installs vpnclient suid root by default, although it does advise administrators about the permissions set on vpnclient, and that they may wish to change them.
risk: High
status: Vendor was notified, and a fix is available
exploit: http://sec.angrypacket.com/exploits/vpnKILLient.c
fix: Upgrade your Cisco vpnclient software, or chmod -s vpnclient

+-------- -- -
+ credits
+----- -- -

Bug was found by methodic of AngryPacket security group.
Additional help by: dmuz and vegac of AngryPacket security group, and shok of w00w00.

+----------- -- -
+ disclaimer
+-------- -- -

The contents of this advisory are Copyright (c) 2002 AngryPacket Security, and may be distributed freely provided that no fee is charged for distribution and that proper credit is given. As such, AngryPacket Security group, collectively or individually, shall not be held liable or responsible for the misuse of any information contained herein.

- -- ------------------------- -- -
[>(] AngryPacket Security Advisory [>(]
- -- ------------------------- -- -
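As an added illustration of the bug class described under "vulnerability details" (example code written for this page, not Cisco's vpnclient source), this is how a suid program should accept a profile-name argument such as `vpnclient connect <profile>`: the copy is bounded by the destination size and anything that does not fit is rejected. PROFILE_MAX, the function names and the rejection rules are assumptions.

```c
/* Added example, not Cisco's code: bounded handling of a profile-name
 * argument for a suid program invoked as `prog connect <profile>`.
 * PROFILE_MAX, the function names and the rejection rules are assumed. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define PROFILE_MAX 256   /* assumed size of the fixed profile buffer */

/* The pattern behind this class of bug is an unbounded copy such as
 *   char profile[PROFILE_MAX]; strcpy(profile, argv[2]);
 * A name longer than the buffer overwrites the stack past it; in a
 * suid-root binary that turns into a local root hole. The copy below
 * refuses anything that does not fit instead. */

/* Copy src into dst (capacity dstsz), keeping room for the NUL.
 * Returns 0 on success; -1 with errno = ENAMETOOLONG when the name does
 * not fit, or errno = EINVAL when it is empty or contains a '/'. */
int copy_profile_name(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || src == NULL || dstsz == 0) { errno = EINVAL; return -1; }
    /* Find the NUL without ever reading more than dstsz bytes of src. */
    const char *end = memchr(src, '\0', dstsz);
    size_t n = end ? (size_t)(end - src) : dstsz;
    if (n >= dstsz) { errno = ENAMETOOLONG; return -1; }
    if (n == 0 || memchr(src, '/', n) != NULL) { errno = EINVAL; return -1; }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Parse argv for `prog connect <profile>`; 0 if accepted, -1 otherwise. */
int handle_connect(int argc, char **argv, char *profile, size_t profilesz)
{
    if (argc != 3 || strcmp(argv[1], "connect") != 0) { errno = EINVAL; return -1; }
    return copy_profile_name(profile, profilesz, argv[2]);
}

int main(int argc, char **argv)
{
    char profile[PROFILE_MAX];
    if (handle_connect(argc, argv, profile, sizeof profile) != 0) {
        fprintf(stderr, "usage: %s connect <profile> (at most %d chars, no '/')\n",
                argv[0], PROFILE_MAX - 1);
        return 1;
    }
    printf("connecting with profile '%s'\n", profile);
    return 0;
}
```

Run as `./prog connect corp-vpn` to see an accepted name; a 520-byte argument is refused with the usage message instead of being copied.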