Posts tagged ‘Cisco’
Cisco VPN Privilege Escalation
I installed the Cisco VPN version 5 on my laptop today, and I noticed what looks like a privilege escalation vulnerability. This doesn’t seem to be the vulnerability Cisco discusses here relating to the dialer portion of the program. This is a much more trivial thing.
The first thing I did was check another system. On an XP SP2 system with version 4.6 installed, the Interactive user has Modify permissions. As we all know, the Interactive user is a special user account representing any user who is logged on interactively. In other words, this is someone who has the Log on Locally privilege and has been logged on locally. So basically anyone who can log onto my computer (e.g. any other employee). At that point they have two choices. Do they want to wait for a system reboot and get LocalSystem rights, or do they want to wait for someone with local admin rights to try to use the VPN?
Surely this was fixed in version 5, I thought. No, in version 5, Interactive has Full Control rights.
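One way to check your own machines for the same class of weakness the Cisco VPN post describes (a broad principal such as INTERACTIVE holding Modify or Full Control on a program directory), as an added example that is not part of the original post: the script walks the Program Files subdirectories and reports any ACE that grants write-type rights to INTERACTIVE, Authenticated Users, Users or Everyone. The principal list and the choice of rights treated as "write" are my assumptions, not something the post specifies.

```powershell
# Added example, not from the original post. Lists program directories whose ACL
# grants write access to broad principals. A writable install directory for a
# program that runs as LocalSystem (like the VPN client's service) lets any local
# user replace its binaries and wait for a reboot or an admin to launch it.

# Principals treated as "any logged-on user" (assumption for this audit).
$BroadPrincipals = @(
    'NT AUTHORITY\INTERACTIVE',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'Everyone'
)

# Any of these rights allows changing files inside the directory.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::CreateFiles

function Test-WeakProgramAcl {
    param([string]$Path = ${env:ProgramFiles})

    Get-ChildItem -Path $Path -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $dir = $_.FullName
        $acl = Get-Acl -Path $dir
        foreach ($ace in $acl.Access) {
            $isBroad     = $BroadPrincipals -contains $ace.IdentityReference.Value
            $grantsWrite = ($ace.FileSystemRights -band $WriteRights) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $isBroad -and $grantsWrite) {
                [PSCustomObject]@{
                    Directory = $dir
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

# Run against Program Files; pass -Path to audit another tree (e.g. the VPN client's folder).
Test-WeakProgramAcl | Format-Table -AutoSize
```

Run it from an elevated prompt so Get-Acl can read every directory; an empty table means no audited principal has write rights at the top level of any program folder.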
So much for the self defending network
Bail out now if you don’t want spoilers from this week’s 24….
In this week’s 24, Nadia’s computer is compromised from visiting a website belonging to an insurgent. Inexplicably there is also a hardware device found in her computer.
CTU had previously been protected by Cisco’s self-defending network.
RSA Conference Wireless
Over at vnunet, Tom Sanders writes about the RSA conference.
More than half of the computers used by security experts attending the RSA Conference in San Francisco this week lack the proper protection and may have been compromised, according to wireless security firm AirDefense.
The company scanned all wireless traffic on the first day of the conference and found a total of 623 Wi-Fi enabled notebooks and mobile phones.
Some 56 percent of these devices were configured automatically to log-on to networks with common names such as ‘Linksys’ or ‘T-Mobile’, a feature known as an open access wireless account.
So the first paragraph is an improper summary of the statistics. “More than half of the computers used by security experts” weren’t misconfigured. It was half of the computers with wireless enabled.
So the vendor has interesting statistics and I liked the article as a whole but for me it almost got overshadowed by a misleading opening paragraph.
It is extremely important to not connect to unencrypted wifi and then leave those profiles enabled when you go anywhere else. Further, evil twin access points do occur. Your computer leaks all sorts of passwords. It’s not just when you’re browsing. The second your network connection comes online, your mail client, IM client and RSS reader may be logging into things in clear text. It’s a danger you need to be aware of, and keep your clients from launching and sending passwords until you have established a secure encrypted tunnel, whether it is an ‘always tunnel’ VPN back to work or an ssh tunnel back to your home.
The Day the Internet Traffic Stood Still
On Thursday we rolled out the Blue Coat web filter to the company. It was a bit more sudden than I had planned. I had planned to roll out slowly over a week and a half (still kind of quick), with the goal to be done by January 28th. Our Websense license expired on January 31st and I wanted to be done before then.
Unfortunately a company board meeting interfered in my plans as we were not allowed to roll out anything while they were in town. I was told that after license expiration, Websense would continue to filter, but not get any new updates. This was acceptable to the Director, so we pushed back the Blue Coat with a new goal of February 5th.
As it turned out at 11 pm on January 31st Websense stopped filtering. So on the morning of the 1st we rolled out Blue Coat to the entire company and disabled the Websense.
That afternoon, I received a report about slow FTP to our DMZ. I did some testing and the speed seemed reasonable. However, that wasn’t the end of it.
The next morning before I got to work, I had a voicemail about other people having trouble opening Flash and downloading large pdf files from the DMZ. It came to a head when another Director in our company emailed our Director claiming it was impossible to get any work done. The Director wanted to turn it off all together, but I felt that this would not provide a good troubleshooting environment. We had used Blue Coat within our department with no reported problems of this nature, so we needed to have the systems under close to a full load. A compromise was reached by removing the subnets of the complainers from filtering.
The network guys had already opened up cases with Cisco and Blue Coat. Everything appeared to be normal. The configuration was acceptable to the support people. The CPU and RAM seemed fine.
I checked the antivirus appliance to make sure it wasn’t running out of threads, but everything was well within spec there. Next, I checked the Blue Coat forums to see what other people had to say about this problem.
A quick check found that the most likely cause was mismatched speed or duplex issues on the switch. I called one of the network guys at 1:45 to ask him to check into that. I kept searching to get an idea of other things to try (and also to establish some speed test baselines). A speed test reported downloads of 800 kbps, which is ludicrous when we have a 25 meg pipe.
We checked into the switch and found it wasn’t quite as intelligent as we had expected. We didn’t have the capability to hard code the connections to a specific speed and duplex value. We did, however, see the collision light flashing on the connection to the core router. I should mention the switch is 10/100/1000 and the router interface is 100. We checked the router and saw the same errors there. The connection was already hardcoded to 100 Full, so the network guys changed that to auto. That’s the opposite of what you normally do when you have this problem. The port negotiated 100 Full and the errors went away.
I performed a few speed tests and found that web requests were benchmarked 10-100 times faster. The speed test now reported something crazy like 80 meg down (due to the antivirus or caching, I suspect). But it is at least an apples-to-apples comparison with the 800 kb test.
So all is solved. The problem was not with the Blue Coat, but I did take a few body blows and get a black eye.
Cisco’s Telepresence on Vanished
I’ve been noticing the Cisco Telepresence commercials lately and been kind of surprised. That is a really high end CEO type of item from what I’ve heard. It’s insanely nice, but not the kind of thing a TV junkie would be buying. I don’t quite understand why Cisco is spending so much money on product placement to become a household name.
In a way I do, I LOVE seeing the Cisco IP phone that I have on my desk in TV shows. I loved it when Cisco’s self-defending network showed up on 24. But this Telepresence item costs $$$.
Anyway, if you missed it, Cisco has the show clip posted www.cisco.com/web/solutions/telepresence/fox/
Off topic: VW Safe Happens
For a brief moment, I thought to myself, what if software security companies tried to sell software with the same shocking tactics as the Safe Happens commercial series from VW. Then I came to my senses. These companies already do sell based on the idea that your data is toast without them. What is shocking in a car commercial is all too common from security vendors.
In the VW commercial, people get into a jarring physical accident, and in the security commercials people are threatened with losing all their data, the internet melting down, SCADA and a new Y2K.
Here’s a clip from 24 where Cisco saves the day. (quicktime required)
JAVA updates
There is some interesting info in the latest updates to the ISC diary entry on SUN JAVA.
In the original entry the writer notes that the latest version of SUN JAVA attempts to solve the problem where not only does installing an updated version of JAVA not remove earlier versions, the earlier versions can be specifically requested by the bad guys. That’s right, it’s like installing a patch, but letting the bad guy ignore it if they choose to. That problem is rather old, but SUN is addressing it by having the latest version of JAVA prompt the user if an older, potentially vulnerable version is requested.
So why not just remove the earlier vulnerable version, you might ask. Many bad web applications specifically require a bad version of JAVA, so you can’t uninstall the bad version if you want to use that website. You are forced to wait for the original developer to provide an update. Ciscoworks VMS is one example of such a site.
So here is what is new: a reader of the ISC wrote in to suggest that you create a CLSID pointing requests for the older vulnerable version to the newer version (stay within the same 1.42, 1.5 family). It may not work for every site, but it’s worth a shot. I thought that was the best tip so far on the ISC site this month and it wasn’t even part of their tip of the day segment.
Cisco 871 router
I’ve been considering purchasing a Cisco 871 router for a while. It looks like it has the ability to do inbound VPNs and also IDS. Cost has been the main thing holding me back. The second consideration is that I have a wireless mesh implemented using Linksys and third party firmware. I’m not sure how this router would fit in. Recently, I’ve been thinking about setting up a system to run SNORT and placing it on a hub between the cable modem and my router. By doing that I gain the IDS fun that I want, and don’t have to worry about screwing up my existing router implementation.
George Ou blogged about the 871 today. I didn’t see too much of interest in what he wrote today, but I’d like to see his future articles as he writes more about its general use and less about its feature list.
I think the 871 is a good SOHO device for when a “hacked” Linksys would not be acceptable.
Cisco VPN Client Privilege Escalation
The Cisco VPN Client for Windows has a privilege escalation vulnerability that allows a regular user to gain system rights.
http://www.cisco.com/warp/public/707/cisco-sa-20060524-vpnclient.shtml
Makes you wonder, if you’ve “locked down” your user permissions, how many of the really dangerous ones haven’t already promoted themselves to admin through privilege escalation vulnerabilities like this.
Check those switches
Yesterday, I looked into why some patches hadn’t been installed on a system. Using SMS web reports, I could see that the system had an inventory that day. This indicated that the client was reporting in correctly and that my report that it was missing patches was correct. Next, web reports indicated to me that each advertisement to that system was waiting except one that was running. I checked with the head SMS guy here, and found that if that one advertisement is running it will prevent the other items from running.
What I found was the Cisco VMO Client package was set with a command line [..]\viewmail.msi /quiet /norestart. The client in question was running Windows Installer 2.0, which I believe doesn’t know about those switches. I asked the guy responsible for that package to change it to /qn REBOOT=ReallySuppress, which should work on both Windows Installer 2 and 3.
You’d expect bad switches to cause the advertisement to exit rather than to continue to run. Hopefully this will cause it to run to completion.