Very Pwnable Network (VPN)

Video duration: 00:45:58
Language: English
Abstract
Virtual Pwn Networks (VPNs) add a network layer that should provide privacy and security. The privacy of a VPN clearly depends on its endpoint, so many companies run their own instances. We demonstrate that VPNs can be insecure nonetheless, as users connecting to a company's VPN typically require proprietary client software on their systems. These proprietary clients lack security, as we show based on the Cisco AnyConnect client for Linux and iOS.

This research starts with a weird series of crashes on Jiska's iPhone. Due to her ongoing paranoia, she decided to use a VPN, and because she had to trust her university's network anyway, she decided to use her university's Cisco VPN service. Obviously, this did not go well, and soon she had crash logs with memory accesses to invalid addresses, because these addresses were representing strings?! These errors only occurred when she had bad network connectivity and no debugging enabled, so nobody was able to reproduce them.

Either way, to start analyzing Cisco AnyConnect security, the more accessible Linux client was the first option. Gerbert did a detailed analysis and documented how this client works, since there was no documentation at all and users basically install a black box on their system. The application is by no means just a VPN client anymore. In addition to VPN connections, it offers a number of special features like auto updating, file deployment and host assessment. The AnyConnect Linux client is even able to execute arbitrary scripts provided by the server, so the user ultimately needs to trust the AnyConnect provider. Even if this trust assumption holds true, the client is so complex that various attack vectors become possible. Gerbert found two vulnerabilities resulting in three attack scenarios. One of the issues was fixed without being assigned a CVE, the other one got CVE-2020-3556.

Matthias continued with the iOS client, which is even harder to analyze than the closed-source Linux client. Since many Linux features are not available on iOS and the client has a completely different design, the previously found attacks do not apply. However, he will show the general architecture of this iOS Cisco AnyConnect Network Extension.

Talk ID: rc3-cwtv-52
Event: rc3-hidden
Day: 2
Room: Chaos-West TV
Start: 6 p.m.
Duration: 01:20:00
Track: CWTV
Type of: Talk 60min + 20min Q&A
Speaker: jiska, Gerbert, Matthias
Talk Slug & media link: rc3-channels-2020-52-very-pwnable-network-vpn-

Talk & Speaker speed statistics

Very rough underestimation:
133.4 wpm
777.0 spm