OpenConnect 2.10 released

Antonio Borneo borneo.antonio at gmail.com
Mon Nov 9 11:35:49 EST 2009


Hi David,

the trojan downloads and parses an XML file that asks for silly tests like:
- check OS and version
- check Windows registry (existence, match value)
- check filesystem (existence of file and directory)
- run executable from local disk (in this case I do not know what the result is)
Then, it collects these and a few other pieces of information and reports them to
the server in an HTML "post" reply.

Even if you run the trojan under wine, you still need to analyze "by
hand" the xml file to understand which registry to set, which file and
directory to create, and so on...
I do not see an automatic approach valid for every user on every installation.
Of course, making in wine a full copy of the original PC should work,
but it is not acceptable.

Practically, your sysadmin has created some roles and has implemented
them on all the "official" PCs. Any other PC becomes an alien.
This is the main scope of "Cisco Secure Desktop".

I personally don't like the approach through wine, even if I agree it
should work.
I foresee some possible alternative solutions, but none of them has
global validity.
At least such alternatives have fewer requirements in terms of memory,
so they can address embedded and mobile clients.

1) In most cases the "post-ed" reply is a "constant" text.
If you have such text in a file, you could just reply providing the
file content and get access granted.
As a first "portable" implementation I would suggest the "constant" reply.
e.g. download the xml file, compute hash (to be sure it is not changed
and the reply is correct) and "post" the reply associated with that
hash.

The only issue is to get the "right" content to put in the file.
Of course, the reply can be sniffed, but usually there is no need; if your
sysadmin forgot to disable logging, then the reply is available in the
AnyConnect log text files. Just extract it from them.
In case logging is disabled, it is disabled through a field in the
same xml file; so you could think about proper data injection, forcing
openconnect to use a modified xml, and get the log. But maybe this is
more difficult than just sniffing a valid reply.

2) Another approach could require user interaction. Parse the XML file
and prompt queries to the user, who could reply by "watching" the
content of the authorized PC.
Maybe this is a good approach to "build" the file in 1).

At last, please notice that the trojan is quite a big file.
If you replace it with a local parser you do not need to download the
trojan anymore, making the login much faster and much more secure.

Best Regards,
Antonio

On Wed, Nov 4, 2009 at 6:08 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
> I've just pushed OpenConnect 2.10 out.
>
> As well as fixing a few bugs, it also adds IPv6 and OpenSolaris support.
>
> We also now support the 'Cisco Secure Desktop' nonsense, where you are
> expected to download a trojan executable from the server and run it on
> the client to 'validate' your system. Your login only completes after
> the trojan has done its thing and contacted the server to give its
> approval.
>
> This only works if the server has a suitable trojan installed for Linux
> client; if it's configured only for Windows, then it won't work. And you
> have to be able to run Linux/i386 binaries too.
>
> We should probably work on running the Windows version of the trojan
> under Wine.
>
> --
> dwmw2
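As an added illustration of the two alternatives Antonio sketches above (a hash-keyed "constant" reply in 1, and a local parser that asks the user in 2), here is example code that is not part of the thread or of OpenConnect. The real Cisco Secure Desktop XML schema is not shown in the thread, so the `<check>` format, the question wording and the `type=pass|fail` report lines are constructed stand-ins; it shows that the posted report is purely a function of the downloaded check list and locally supplied answers, and why the reply should only be reused for the exact XML it was built for.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-in for the check list the thread describes; the real
# Cisco Secure Desktop XML schema is not shown in the thread.
SAMPLE_XML = """<checks>
  <check type="os" name="Windows" version="5.1"/>
  <check type="registry" key="HKLM\\SOFTWARE\\Corp\\Agent" value="1"/>
  <check type="file" path="C:\\Program Files\\Corp\\agent.exe"/>
  <check type="exec" path="C:\\Program Files\\Corp\\posture.exe"/>
</checks>"""

QUESTIONS = {  # how each check type is turned into a question for the user
    "os": "Is the OS {name} version {version}?",
    "registry": "Does registry key {key} exist with value {value}?",
    "file": "Does the path {path} exist?",
    "exec": "Does running {path} succeed?",
}

def xml_digest(xml_text):
    """SHA-256 of the check list, so a cached reply is only reused for the
    exact XML it was built for (the 'compute hash' step of approach 1)."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()

def parse_checks(xml_text):
    """Return one (type, attributes) pair per <check> element."""
    root = ET.fromstring(xml_text)
    return [(c.get("type"), {k: v for k, v in c.attrib.items() if k != "type"})
            for c in root.findall("check")]

def build_reply(xml_text, answer):
    """Approach 2: ask the user about every check via answer(question) -> bool
    and assemble the report a local parser would post in place of the
    downloaded executable. Returns (digest, list of "type=pass|fail" lines)."""
    lines = []
    for kind, attrs in parse_checks(xml_text):
        question = QUESTIONS[kind].format(**attrs)
        lines.append("%s=%s" % (kind, "pass" if answer(question) else "fail"))
    return xml_digest(xml_text), lines

class ReplyCache:
    """Approach 1: replies keyed by XML hash; lookup returns None when the
    server has changed the check list, so a stale reply is never reused."""
    def __init__(self):
        self._replies = {}
    def store(self, xml_text, reply):
        self._replies[xml_digest(xml_text)] = reply
    def lookup(self, xml_text):
        return self._replies.get(xml_digest(xml_text))

if __name__ == "__main__":
    cache = ReplyCache()
    digest, reply = build_reply(SAMPLE_XML, lambda q: input(q + " [y/N] ").lower() == "y")
    cache.store(SAMPLE_XML, reply)
    print(digest, reply)
```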
