Open CuriousReviewerOfStuff opened 1 year ago
From the README.md
**When a user connects to the VPN,** the vpndownloader.exe process is started in the background and it will create a directory in c:\windows\temp with default permissions in the following format: <random numbers>.tmp. After creating this directory, vpndownloader.exe will check if that directory is empty and, if it's not, it will delete all files/directories in there. This behaviour can be abused to perform an arbitrary file delete as the NT Authority\SYSTEM account.
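As an added example (not from the README or from anyone in this thread), a defender-side correlation over constructed file-activity events: it flags the condition the quoted README describes, namely a file written into vpndownloader.exe's C:\Windows\Temp\<numbers>.tmp staging directory by a different principal and later deleted by vpndownloader.exe running as SYSTEM. The Sysmon-style event IDs, the field names and the installer path are assumptions.

```python
import re
from collections import defaultdict

# Pattern for the staging directory the README describes: C:\Windows\Temp\<random numbers>.tmp
STAGING_RE = re.compile(r"^(C:\\Windows\\Temp\\\d+\.tmp)(?:\\(.+))?$", re.IGNORECASE)
DOWNLOADER = "vpndownloader.exe"
SYSTEM_USER = r"NT AUTHORITY\SYSTEM"
FILE_CREATE, FILE_DELETE = 11, 23  # Sysmon-style event IDs (assumed schema)

def is_downloader_as_system(ev):
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    return image == DOWNLOADER and ev["User"].upper() == SYSTEM_USER

def find_foreign_deletes(events):
    """Return {staging_dir: [paths]} for files that another principal/process wrote
    into a vpndownloader.exe staging directory and that vpndownloader.exe later deleted."""
    staging_dirs = set()   # directories vpndownloader.exe (as SYSTEM) created
    foreign_files = set()  # files placed inside them by anyone else
    findings = defaultdict(list)
    for ev in events:
        m = STAGING_RE.match(ev["TargetFilename"])
        if not m:
            continue
        root, inside = m.group(1).lower(), m.group(2)
        path = ev["TargetFilename"].lower()
        trusted = is_downloader_as_system(ev)
        if ev["EventID"] == FILE_CREATE:
            if trusted and inside is None:
                staging_dirs.add(root)
            elif not trusted and root in staging_dirs:
                foreign_files.add(path)
        elif ev["EventID"] == FILE_DELETE and trusted and path in foreign_files:
            findings[root].append(ev["TargetFilename"])
    return dict(findings)

# Constructed sample events (not real logs); the install path is a placeholder.
VPND = r"C:\PLACEHOLDER_INSTALL_DIR\vpndownloader.exe"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": VPND, "User": SYSTEM_USER, "TargetFilename": r"C:\Windows\Temp\48213.tmp"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe", "User": r"CORP\alice", "TargetFilename": r"C:\Windows\Temp\48213.tmp\user_file.txt"},
    {"EventID": 23, "Image": VPND, "User": SYSTEM_USER, "TargetFilename": r"C:\Windows\Temp\48213.tmp\user_file.txt"},
    {"EventID": 11, "Image": VPND, "User": SYSTEM_USER, "TargetFilename": r"C:\Windows\Temp\77001.tmp"},
    {"EventID": 11, "Image": VPND, "User": SYSTEM_USER, "TargetFilename": r"C:\Windows\Temp\77001.tmp\own.dat"},
    {"EventID": 23, "Image": VPND, "User": SYSTEM_USER, "TargetFilename": r"C:\Windows\Temp\77001.tmp\own.dat"},
    {"EventID": 23, "Image": VPND, "User": SYSTEM_USER, "TargetFilename": r"C:\Windows\Temp\unrelated.log"},
]

if __name__ == "__main__":
    for d, paths in find_foreign_deletes(SAMPLE_EVENTS).items():
        print(f"{d}: vpndownloader.exe deleted {len(paths)} file(s) written there by another principal")
```

Only the first directory is reported: the second one holds a file vpndownloader.exe wrote itself, and the last delete is outside any staging directory.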
Yes, the exploit relies on vpndownloader.exe to be processed via connection.
Thank you @ThisGuyNeedsABeer! Do you know if it must be a successful authentication though? Or is just the act of connecting to an anyconnect VPN appliance enough to trigger the vpndownloader.exe process to execute?
Does this actually require a successful authentication to a Cisco AnyConnect VPN appliance, or does it at least require a connection to a Cisco AnyConnect VPN appliance (whether you've authenticated or not)? In other words, if the threat actor just installs an unconfigured client on the endpoint, can it be used to elevate privileges?
Thanks!