
| Subject: | [Full-disclosure] Re: Cisco NAC Appliance Agent Installation Bypass Vulnerability |
|---|---|
| Date: | Tue, 29 Aug 2006 15:20:33 -0700 |
Hello,

This is an answer to Cisco's response to our advisory entitled "NAC agent installation bypass". We appreciate Cisco's answer to our advisory and the confirmation of the validity of our approach. We would like to address some of the points Eloy Paris from Cisco makes in his answer.

Eloy Paris wrote on 08/26/06 13:31:

> <...>
>
> While it is possible to bypass the mandatory agent installation by following the steps in the advisory, it should be noted that:
>
> 1) Users cannot bypass authentication using the approach described in the advisory. Accordingly, unauthorized users (i.e., users with no credentials or invalid credentials) will not be able to gain access to the network using such an approach.

Our advisory explicitly addressed bypassing the CCA Agent installation only. Authentication is orthogonal to our concern, and is not affected by our approach.

> 2) If an administrator is concerned that users might attempt to bypass CCA Agent installation by masquerading a Windows machine as a non-Windows machine (e.g., Linux, MacOSX, etc.), the administrator can define Network Scanning rules on the CCA Manager and use network scans to perform additional OS-specific checks. This process should detect users attempting to masquerade their Windows machines as non-Windows machines.

Such network scanning can be rendered useless in a trivial manner by connecting Windows machines to the network through a Linux-based router, such as the ones produced by Cisco's subsidiary Linksys.

> 4) Customers can also manually install either the CCA Agent software or the CCA Agent Installation stub (available in CCA version 4.0.0 and above) on end-user Windows machines, instead of using the OS detection routines. This will completely prevent the agent installation bypass described in the advisory from Andreas Gal and Joachim Feise.

This is a possible approach, particularly in corporate settings where the end-user machines are locked down. However, it fails in settings where the end-user machines are not under control of the network administrators, such as university residential student communities (it is our understanding that CCA is quite popular with network administrators in these settings.) Any end user with administrative rights could simply uninstall the CCA Agent software.

Cheers,
-Joachim

Joe Feise
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/