openconnect on the Nokia N9

Markus Weiss Markus.Weiss at unibas.ch
Thu Nov 3 10:26:26 EDT 2011


Hello,

and thanks for your advice.
openconnect was running as root on the N9, and it works fine on an i386 
opensuse linux installation.
I will see if I can find out what the troian is doing, might take some time 
however, as I am doing this in my sparetime and I'm not a programmer to begin 
with.
Can you give me a hint, how to watch the network traffic between the troian 
and the vpn server ?

Thanks,

	Markus 



On Thursday 03 November 2011 13.35:24 you wrote:
> On Thu, 2011-11-03 at 12:25 +0100, Markus Weiss wrote:
> > So it looks like openconnect cannot change the user.
> 
> Hm, interesting. Is it running as root to start with? I'm not sure why
> it wouldn't be able to setuid() in that case.
> 
> And if it was already running as 'user' then it would even have tried to
> change; it would skip the setuid() call.
> 
> > It looks like openconnect cannot change the user the usual way on
> > Meego/Harmattan. If i set the csd-user to root, the vpn server sends a
> > csd troian horse for i386 architecture, that the N9 cannot run.
> > How can I deal with this ? Do I need a wrapper script ?
> > Can anyone advise me, how such a wrapper would have to look like ?
> 
> Your diagnosis seems correct — it's giving you an i386-specific
> 'trojan'. The first thing to check is that this actually works OK on a
> desktop Linux box.
> 
> Then you have two options. One is to install qemu-i386 and some i386
> libraries, so you can actually run i386 ELF executables on the N9.
> That's quite a lot of overhead, but might be relatively simple to set
> up.
> 
> The better option is probably to work out what the trojan is doing, and
> write a 'wrapper' of your own which emulates it. A year or two ago,
> there was some discussion on the mailing list about what the CSD trojan
> does; ISTR it usually downloads an XML file which describes a bunch of
> tests for it to run, and its result is a simple text string POSTed back
> to the 'csd_starturl' location.
> 
> You could probably get away with using a 'wrapper' which just uses curl
> to post the expected answer to the appropriate URL, having watched it on
> a desktop box to see what it's doing.




More information about the openconnect-devel mailing list