From: Daniel Lenski Date: Mon, 17 Dec 2018 00:38:40 +0000 (-0800) Subject: move trojans (csd-post.sh, csd-wrapper.sh, hipreport.sh, tncc-wrapper.py) to trojans... X-Git-Tag: v8.00~13^2~1 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=f57a5d7700bae54bc8a2c0c35f71d3fd3340354b;p=users%2Fdwmw2%2Fopenconnect.git move trojans (csd-post.sh, csd-wrapper.sh, hipreport.sh, tncc-wrapper.py) to trojans/ subdirectory and expand and clarify their documentation Signed-off-by: Daniel Lenski --- diff --git a/Makefile.am b/Makefile.am index 522725eb..1b0fc40d 100644 --- a/Makefile.am +++ b/Makefile.am @@ -130,7 +130,7 @@ pkgconfig_DATA = openconnect.pc EXTRA_DIST = version.sh README.TESTS COPYING.LGPL $(lib_srcs_openssl) $(lib_srcs_gnutls) EXTRA_DIST += $(shell cd "$(top_srcdir)" && \ - git ls-tree HEAD -r --name-only -- android/ java/ 2>/dev/null) + git ls-tree HEAD -r --name-only -- android/ java/ trojans/ 2>/dev/null) DISTCLEANFILES = $(pkgconfig_DATA) diff --git a/csd-post.sh b/trojans/csd-post.sh similarity index 100% rename from csd-post.sh rename to trojans/csd-post.sh diff --git a/csd-wrapper.sh b/trojans/csd-wrapper.sh similarity index 100% rename from csd-wrapper.sh rename to trojans/csd-wrapper.sh diff --git a/hipreport.sh b/trojans/hipreport.sh similarity index 100% rename from hipreport.sh rename to trojans/hipreport.sh diff --git a/tncc-wrapper.py b/trojans/tncc-wrapper.py similarity index 100% rename from tncc-wrapper.py rename to trojans/tncc-wrapper.py diff --git a/www/Makefile.am b/www/Makefile.am index d3ab5461..680c6c2a 100644 --- a/www/Makefile.am +++ b/www/Makefile.am 
@@ -3,7 +3,7 @@ SUBDIRS = styles inc images CONV = "$(srcdir)/html.py" -FTR_PAGES = csd.html charset.html token.html pkcs11.html tpm.html features.html gui.html nonroot.html hip.html +FTR_PAGES = csd.html charset.html token.html pkcs11.html tpm.html features.html gui.html nonroot.html hip.html tncc.html START_PAGES = building.html connecting.html manual.html vpnc-script.html INDEX_PAGES = changelog.html download.html index.html packages.html platforms.html licence.html PROTO_PAGES = anyconnect.html juniper.html globalprotect.html diff --git a/www/anyconnect.xml b/www/anyconnect.xml index fd7e90ac..d59f4d7d 100644 --- a/www/anyconnect.xml +++ b/www/anyconnect.xml @@ -16,9 +16,16 @@ HTTPS and DTLS protocols. You connect to the secure web server, authenticate using certificates and/or arbitrary web forms, and you are rewarded with a -standard HTTP cookie.

+standard HTTP cookie named webvpn.

-

You then use this cookie in an HTTP CONNECT request, and can +

Some Cisco servers require you to execute a 'Cisco Secure Desktop' +trojan binary (intended for security scanning of the client system) +before authentication can complete; see the CSD +page for information on how to comply with this requirement, or +spoof it, with OpenConnect.

+ +

After authentication, you use the webvpn cookie +in an HTTP CONNECT request, and can then pass traffic over that connection. IP addresses and routing information are passed back and forth in the headers of that CONNECT request.
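Review bot: the new CSD paragraph's parenthetical "(intended for security scanning of the client system)" understates the point that matters most on this protocol page: the binary is supplied by the server, downloaded and executed on the client, which is why the csd.xml text calls it a trojan. Suggest one clause here, e.g. "a server-supplied binary that is downloaded and run on the client machine", plus a pointer to the low-privilege option that the new tncc.xml page recommends for the Juniper case ("--csd-user=nobody"), so that a reader who stops at the protocol page still sees the mitigation and not only the link.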

diff --git a/www/csd.xml b/www/csd.xml index c9cb5733..b551a9ed 100644 --- a/www/csd.xml +++ b/www/csd.xml @@ -10,6 +10,13 @@

Cisco Secure Desktop

+

The CSD ('Cisco Secure Desktop') mechanism is a security scanner +for the Cisco AnyConnect VPNs, in the +same vein as Juniper's Host Checker (tncc.jar) +and GlobalProtect's HIP.

+ +

Background

+

The 'Cisco Secure Desktop' is a bit of a misnomer — it works by downloading a trojan binary from the server and running it on your client machine to perform some kind of 'verification' and post its @@ -27,5 +34,33 @@ option is used to handle the script in a 'safe' manner.

This support currently only works when the server has a Linux binary installed, and only when that Linux binary runs on the client machine.

+

CSD support in OpenConnect

+ +

OpenConnect supports running the CSD binary, or spoofing its +behaviour, by passing the --csd-wrapper=SCRIPT argument +with a shell script.

+ +

The OpenConnect distribution includes two alternative +scripts to support the execution or spoofing of the CSD behaviour, in +the trojans/ subdirectory:

+ + + diff --git a/www/hip.xml b/www/hip.xml index 0009c320..cdeed629 100644 --- a/www/hip.xml +++ b/www/hip.xml @@ -2,7 +2,7 @@ - + @@ -27,9 +27,9 @@ the official GlobalProtect VPN client software), which generates an
  1. Client authenticates and fetches the tunnel configuration from the GlobalProtect gateway.
  2. Client runs HIP report generator and computes MD5 digest of report.
  3. -
  4. Client checks whether a HIP report is required (/ssl-vpn/hipreportcheck.esp), including its MD5 digest and gateway-assigned IP address in the report.
  5. +
  6. Client checks whether a HIP report is required (/ssl-vpn/hipreportcheck.esp), including its MD5 digest and gateway-assigned IP address in the report.
  7. Gateway responds whether or not a HIP report is required (normally, it doesn't require a new one if a report with the same MD5 digest and same IP address have been submitted recently).
  8. -
  9. Client uploads the complete HIP report to (/ssl-vpn/hipreport.esp).
  10. +
  11. Client uploads the complete HIP report to (/ssl-vpn/hipreport.esp).
  12. Server confirms acceptance of HIP report with a success message.
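Review bot: in the csd.xml hunk above, the new "CSD support in OpenConnect" section says the CSD behaviour can be spoofed instead of executed, but the unchanged Background sentence "This support currently only works when the server has a Linux binary installed, and only when that Linux binary runs on the client machine" now contradicts it, since a spoofing script needs no server-side Linux binary at all. Qualify that sentence so it applies only to the execution mode, and have the list introduced by "two alternative scripts" say explicitly which of csd-wrapper.sh and csd-post.sh executes the downloaded binary and which spoofs its output. The new section is also the natural place to repeat the advice the tncc.xml hunk gives for Juniper ("executed with the permissions of a low-privilege user (e.g. --csd-user=nobody)"); the Background remark about handling the script in a 'safe' manner does not tell the reader how to do that.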
@@ -48,9 +48,9 @@ complete. However, two things can go wrong:

HIP report contents were not approved. -

HIP support in openconnect

+

HIP support in OpenConnect

-

OpenConnect supports HIP report generation and submission by passing the --csd-wrapper=SCRIPT argument with a shell script to generate a HIP report in the format expected by the +

OpenConnect supports HIP report generation and submission by passing the --csd-wrapper=SCRIPT argument with a shell script to generate a HIP report in the format expected by the server. This shell script must output the HIP report to standard output and exit successfully (status code 0). The HIP script is called with the following command-line arguments:

@@ -72,17 +72,17 @@ server. This shell script must output the HIP report to standard output and exit
 
 

Generating/spoofing a HIP report

-

An example hipreport.sh script is included in the -openconnect distribution.

+

An example hipreport.sh script is included in the +OpenConnect distribution, in the trojans/ subdirectory.

Depending on how picky your GlobalProtect VPN is, it may be necessary to spoof or alter some of the parameters of the HIP report to match the output of one of the official clients. In order to capture the contents of the official Windows client's HIP reports, enable the highest logging level for the "PanGPS -Service", and then sift through the giant PanGPS.log file +Service", and then sift through the giant PanGPS.log file (which should be in the same directory as the executables, normally -c:\Program Files\PaloAlto Networks\GlobalProtect) to find +c:\Program Files\PaloAlto Networks\GlobalProtect) to find the HIP report submission.
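Review bot: the PanGPS.log paragraph tells the reader to copy the official client's HIP report submission into hipreport.sh but not that the report is a detailed inventory of the machine (that is what the gateway checks), so the text should say to copy only the parameters the gateway is picky about, and to strip the rest before pasting a report into a script or into a support request. Minor: "An example hipreport.sh script is included in the OpenConnect distribution, in the trojans/ subdirectory" could add that this file is what --csd-wrapper=SCRIPT should point at, since the section above introduces the option without naming the script.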

diff --git a/www/juniper.xml b/www/juniper.xml index 82f31061..7ded69ca 100644 --- a/www/juniper.xml +++ b/www/juniper.xml @@ -65,23 +65,13 @@ pass the cookie to OpenConnect with its -C option, for example:

-

Host Checker (tncc.jar)

+

Host Checker (tncc.jar)

Many sites require a Java applet to run certain tests as a precondition -of authentication. This works by sending a DSPREAUTH cookie -to the client which is attempting to authenticate, and the Java code -in tncc.jar then runs and communicates with the server, handing -back a new value for the DSPREAUTH cookie to be used when -autnentication continues.

- -

OpenConnect supports this with a little assistance. There is a python -script tncc-wrapper.py in the git repository which can be used -along with the tncc-preload.so from -this repository. -It may also be necessary to pass a Mozilla-compatible user agent string: -

-  ./openconnect --protocol=nc --useragent 'Mozilla/5.0 (Linux) Firefox' --csd-wrapper=./tncc-wrapper.py vpn.example.com
-
+of authentication (similar to CSD +for AnyConnect VPNs and HIP for GlobalProtect VPNs). +See the Host Checker / TNCC page for how to configure OpenConnect +to wrap and run this applet.

Connectivity

diff --git a/www/menu2-features.xml b/www/menu2-features.xml index 112bf794..ff004eb6 100644 --- a/www/menu2-features.xml +++ b/www/menu2-features.xml @@ -2,11 +2,13 @@ - + + + diff --git a/www/tncc.xml b/www/tncc.xml new file mode 100644 index 00000000..4aa91ae4 --- /dev/null +++ b/www/tncc.xml @@ -0,0 +1,55 @@ + + + + + + + + + + +

Juniper Host Checker (tncc.jar)

+ +

The Host Checker mechanism is a security scanner for the Juniper VPNs, in the same vein as Cisco's CSD and GlobalProtect's +HIP.

+ +

Background

+ +

Many sites require a Java applet to run certain tests as a precondition +of authentication. This works by sending a DSPREAUTH cookie +to the client which is attempting to authenticate, and the Java code +in tncc.jar then runs and communicates with the server, handing +back a new value for the DSPREAUTH cookie to be used when +autnentication continues.

+ +

This Java applet is a black-box binary provided by a server outside +of the client's control, and therefore has similar security concerns to Cisco's CSD +trojan.

+ +

TNCC support in OpenConnect

+ +

OpenConnect supports running the tncc.jar binary with a little assistance. A Python wrapper +script, tncc-wrapper.py, is provided in the trojans/ subdirectory of the +OpenConnect distribution. It can be used +along with the tncc-preload.so from +this repository. +It may also be necessary to pass a Mozilla-compatible user agent string: +

+  ./openconnect --protocol=nc --useragent 'Mozilla/5.0 (Linux) Firefox' --csd-wrapper=trojans/tncc-wrapper.py vpn.example.com
+
+Because of the security dangers of executing a server-provided trojan binary, this script should ideally be executed +with the permissions of a low-privilege user (e.g. --csd-user=nobody). +

+ +

Alternatively, the juniper-vpn-py project provides a +tncc.py which emulates the behaviour of the tncc.jar binary, rather than actually +executing it. Because this script does not actually execute a server-provided binary, security concerns are greatly +alleviated. However, this alternative script may require customization to work with VPNs that have modified +the behaviour of their Host Checker binaries in some way. +

+ + + +
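Review bot: the Background paragraph carries the typo "autnentication" over verbatim from the text removed in juniper.xml ("autnentication continues"); fix it now that the paragraph is being moved. In the example command, put the recommended low-privilege user on the command line itself ("--csd-user=nobody") rather than only in the sentence after it, and say that the relative path trojans/tncc-wrapper.py only works from a source checkout: the Makefile.am hunk adds trojans/ to EXTRA_DIST so the scripts ship in the tarball, but nothing in this patch installs them. Finally, the paragraph that points at tncc-preload.so from "this repository" should name the project and note that it is code from outside the OpenConnect tree; the same trust argument that motivates --csd-user applies to it, and the link text alone gives the reader nothing to assess.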