lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.62.0608251720180.9882@sam.ics.uci.edu>
Date: Fri, 25 Aug 2006 17:23:28 -0700 (PDT)
From: Andreas Gal <gal@....edu>
To: bugtraq@...urityfocus.com
Subject: Cisco NAC Appliance Agent Installation Bypass Vulnerability

Description:
Cisco NAC Appliance (formerly Cisco Clean Access) is an easily deployed 
Network Admission Control (NAC) product that uses the network 
infrastructure to enforce security policy compliance on all devices 
seeking to access network computing resources. With NAC Appliance, network 
administrators can authenticate, authorize, evaluate, and remediate wired, 
wireless, and remote users and their machines prior to network access. It 
identifies whether networked devices such as laptops, IP phones, or game 
consoles are compliant with your network's security policies and repairs 
any vulnerabilities before permitting access to the network.

Vendor site:
http://www.cisco.com/en/US/products/ps6128/

Affected versions:
All current (<= 3.6.4.1 at the time of the release)

Discovery 
Date: 2006-08-15

Report Date:
2006-08-20 (vendor), 2006-08-25 (public)

Severity:
Medium

Remote:
Yes

Related previous reports:
http://www.securityfocus.com/archive/1/408603/30/0/threaded

Discovered by:
Andreas Gal (http://www.andreasgal.com/)
Joachim Feise (http://www.feise.com/)

Vulnerability:
Previous versions of the software allowed users to bypass the "mandatory" 
installation of the Clean Access Agent by changing the browser user-agent 
string. With version 3.6.0, Cisco added additional detection mechanisms 
such as TCP fingerprinting and JavaScript OS detection. By changing the 
default parameters of the Windows TCP/IP stack and using a custom HTTPS 
client (instead of a browser) the user can still connect to the network 
without running any host-based checks. Authentication and remote checks 
are not affected.

Proof-of-concept implementation:
http://kevin.sf.net/howto.html
http://kevin.sf.net/download/kevin.exe
http://kevin.sf.net/download/kevin.conf
http://kevin.cvs.sourceforge.net/kevin/

Acknowledgements:
The registry settings to masquerade the Windows TCP/IP stack were derived 
from sec_cloak written by Craig Heffner.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ