easy cisco vpn client priv escalation vuln

The Cisco VPN client for Windows has an interesting advisory out today. The service binary cvpnd.exe (in C:\Program Files\Cisco Systems\VPN Client) is writable by ordinary users, yet the service runs as Local System, so a local user can replace the file with something else and have it executed with Local System privileges the next time the service starts. Replace it with a quick script that launches a shell (or does anything else you want) and then starts the real cvpnd.exe so the VPN still works. I prefer just creating a quick admin account that I control. That’s a nice little pocket-exploit to keep in mind, especially since plenty of systems get an initial install of the Cisco VPN client and never get updated again for the life of the machine.

More information is posted on Cisco’s site. I saw this pass by the Full-Disclosure list. Local priv escalations don’t get much easier…
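The precondition for this bug is simply a service binary that a low-privilege user can write to. The following is an added example, not code from the original post or from Cisco: a PowerShell audit that walks every installed service, resolves its binary from Win32_Service.PathName, and reports any ACE that grants write, delete or ownership rights on the binary (or its parent directory, which is enough to rename and swap the file) to Everyone, Users, Authenticated Users or INTERACTIVE. It generalizes past cvpnd.exe to any service, and it assumes Windows PowerShell 3.0 or later for Get-CimInstance; the principal list and the rights masks are my own choices.

```powershell
# Added example (not from the original post or Cisco): find service binaries
# that low-privilege users can replace, the condition behind the cvpnd.exe bug.
# Assumes Windows PowerShell 3.0+ (Get-CimInstance). Run elevated for full coverage.

# Principals that every local, non-admin user is a member of (assumed list).
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights on the binary itself that let a user alter or swap the file.
$FileWriteRights = [System.Security.AccessControl.FileSystemRights] `
    'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

# Rights on the containing directory that let a user rename/replace the file
# even when the file's own ACL is tight.
$DirWriteRights = [System.Security.AccessControl.FileSystemRights] `
    'CreateFiles, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Resolve-ServiceBinary {
    # Win32_Service.PathName is either quoted with arguments ('"C:\x\y.exe" -s')
    # or an unquoted path that may contain spaces ('C:\Program Files\x\y.exe').
    param([Parameter(Mandatory)][string]$PathName)
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    $tokens = $PathName.Trim() -split ' '
    # The longest leading run of tokens that names an existing file is the binary;
    # anything after it is service arguments.
    for ($n = $tokens.Count; $n -ge 1; $n--) {
        $candidate = $tokens[0..($n - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $null
}

function Get-WeakAces {
    # Emit one record per Allow ACE that gives a low-privilege principal any of $Rights.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights
    )
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # FileSystemRights is Int32-backed, so a bitwise test works even with generic bits.
        if (([int]$ace.FileSystemRights -band [int]$Rights) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

function Find-ReplaceableServiceBinaries {
    # One record per weak ACE on a service binary or on its directory.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $bin = Resolve-ServiceBinary -PathName $svc.PathName
        if (-not $bin) { continue }
        $hits = @(Get-WeakAces -Path $bin -Rights $FileWriteRights) +
                @(Get-WeakAces -Path (Split-Path -Parent $bin) -Rights $DirWriteRights)
        foreach ($h in $hits) {
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName   # 'LocalSystem' is the case that matters most
                Path      = $h.Path
                Principal = $h.Principal
                Rights    = $h.Rights
            }
        }
    }
}

Find-ReplaceableServiceBinaries | Format-Table -AutoSize
```

Any row whose RunsAs is LocalSystem is the same situation as cvpnd.exe: whoever holds that ACE can stage a replacement and wait for the next service start. Until the vendor update is installed, the usual stopgap is to strip the write rights from those principals on both the binary and its directory, and to confirm the program directory does not reintroduce them through inheritance.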

One thought on “easy cisco vpn client priv escalation vuln”

  1. It is even easier if you have the cisco client load before you log on to windows. Hit F1 after it starts, but before you log in, and a help window will appear after you log in to Windows. That help window runs with local admin privs. I believe this bug has been fixed in the current release, though.
