Message-ID: <07fa01c67f09$0b269930$0100c0c0@aiglippo.com>
Date: Wed, 24 May 2006 15:07:00 +0700
From: "Memet Anwar" <mmta.gm@...il.com>
To: <bugtraq@...urityfocus.com>
Subject: Re: Circumventing quarantine control in Windows 2003 and ISA 2004


I'm aware of Mark's and 3APA3A's points: anything accessible and executed 
locally can be circumvented. That's why I call such a quarantine mechanism a 
design error. This may be one of the reasons for the complexity in the TNC spec 
from TCG (https://www.trustedcomputinggroup.org/specs/TNC/).

Doing the grading at the server end, such as those offered by the agentless 
mode of StillSecure's product (thanks to Roger for the ref), does increase 
the bar, and I think should be considered for now until NAC/NAP matures 
enough.

For ISA/RRAS, one could write an rqs.exe replacement that initializes remote 
scanning tools (i.e. mbsacli.exe) against the quarantined machine's IP, and 
make the decision based on the result.

Cheers,
Memet

Side note to 3APA3A: admin access is not required to modify files from 
the user's CM profile.

> ----- Original Message ----- 
> From: "Mark Senior" <senatorfrog@...il.com>
> To: "Memet Anwar" <mmta.gm@...il.com>
> Cc: <bugtraq@...urityfocus.com>
> Sent: Tuesday, May 23, 2006 11:24 PM
> Subject: Re: Circumventing quarantine control in Windows 2003 and ISA 2004
>
> Any such quarantine control can be circumvented.
>
> The Checkpoint VPN has a similar feature, which can be enabled if you
> pay a pound of flesh per annum.  It can be circumvented in a similar
> way - you have to replace a Checkpoint DLL with a custom compiled one,
> such that the local checks will always return true.  I think the
> specifics were posted either here or to FD a while ago.
>
> There is just no way of verifying these things reliably.
>
> You can raise the bar somewhat by doing the grading at the server end,
> rather than telling the client the passing answers, but an attacker
> who can figure out a reasonable set of answers will always win.
>
> Cheers
> Mark
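
The server-side grading idea discussed in this thread, as an added example that is not part of either message and is not the rqs.exe or mbsacli.exe interface: the release decision is computed only from findings the server's own scan produced for the session's IP, and any required check it did not observe keeps the client quarantined. The `Finding` format, the check names and the `grade` function are hypothetical, and the sample data is constructed.

```python
# Added illustration; Finding, REQUIRED_CHECKS and grade() are hypothetical names,
# not the rqs.exe or mbsacli.exe interface.
from dataclasses import dataclass

REQUIRED_CHECKS = {"os_patches", "firewall_enabled", "av_signatures"}  # assumed policy

@dataclass(frozen=True)
class Finding:
    target_ip: str  # address the server-side scanner actually probed
    check: str      # policy check identifier
    status: str     # "pass", "fail" or "error", as observed by the scanner

def grade(session_ip, findings, client_claims=None):
    """Return (release, reasons). client_claims is accepted but never consulted."""
    observed, reasons = {}, []
    for f in findings:
        if f.target_ip != session_ip:
            continue  # result for another host says nothing about this session
        if observed.get(f.check, "pass") == "pass":
            observed[f.check] = f.status  # the first non-pass result is sticky
    for check in sorted(REQUIRED_CHECKS):
        status = observed.get(check)
        if status is None:
            reasons.append(f"{check}: not observed by server scan")  # fail closed
        elif status != "pass":
            reasons.append(f"{check}: {status}")
    return (not reasons, reasons)

# Constructed sample data (192.0.2.0/24 is a documentation range).
SESSION_IP = "192.0.2.10"
SAMPLE = [
    Finding("192.0.2.10", "os_patches", "pass"),
    Finding("192.0.2.10", "firewall_enabled", "pass"),
    Finding("192.0.2.10", "av_signatures", "fail"),
    Finding("192.0.2.99", "av_signatures", "pass"),  # different host, ignored
]

if __name__ == "__main__":
    print(grade(SESSION_IP, SAMPLE, client_claims={"av_signatures": "pass"}))
```

A scan that returns nothing for the session's IP yields no observations and therefore no release, whatever the client reports about itself.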



