CVE-2015-6306

Cisco AnyConnect Secure Mobility Client 4.1(8) - Privilege Escalation via Crafted Installation File

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-6306. PoCs published by Yorick Koster.

AI-analyzed exploit summary This exploit leverages a privilege escalation vulnerability in Cisco AnyConnect by crafting a malicious DMG file and using a local socket to execute arbitrary commands with elevated privileges. The PoC writes a DMG to disk, communicates with a local service on port 29754, and executes a command to gain root access.

Description

Cisco AnyConnect Secure Mobility Client 4.1(8) on OS X and Linux does not verify pathnames before installation actions, which allows local users to obtain root privileges via a crafted installation file, aka Bug ID CSCuv11947.

Exploits (1)

exploitdb WORKING POC

by Yorick Koster · clocalosx

https://www.exploit-db.com/exploits/38303

View Code ZIP pw:eip

This exploit leverages a privilege escalation vulnerability in Cisco AnyConnect by crafting a malicious DMG file and using a local socket to execute arbitrary commands with elevated privileges. The PoC writes a DMG to disk, communicates with a local service on port 29754, and executes a command to gain root access.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Cisco AnyConnect Secure Mobility Client (versions prior to 4.1.07035)

No auth needed

Prerequisites: Local access to a vulnerable Cisco AnyConnect installation · Ability to write files to /private/tmp

MITRE ATT&CK