Painless, Distro-Agnostic Cisco Webex on Linux

For true cross-platform web conferencing, Cisco Webex is the only way to go. GotoMeeting only recently added OSX support, and Linux, forget about it?

My experience on getting it work with the built-in components on my Thinkpad... forget about it!

Ubuntu 8.0.4 worked sporadically and and on 8.10 Firefox crashed. Hard.

I Googled a bit and didn't find any quick workarounds, so I decided to try it the old fashioned way. So here is what I came up with to get it working reliably. I assume this works on other distros as well.

(All of this assumes you create another user for just webex so you don't corrupt your local .mozilla and .adobe files etc.)

Download Components

1. Get the tarball of Adobe Flash (10.0.22.87 tested)
2. Download Firefox 3.x (3.0.8 tested)
3. Download JRE .bin installer (jre6u13-linux-i586.bin used)
4. Create a webex directory and move all of these to it
5. Uncompress them there

Configuration

1. Remove ~/.mozilla and ~/.adobe
2. Run ~/webex-local/firefox/firefox then quit
3. Run the ./flashplayer-installer script
4. Run the java installer binary
5. Create the symlink for the java plugin within $HOME

ln -s ../../webex-local/jre1.6.0_13/plugin/i386/ns7/libjavaplugin_oji.so

Testing Webex

1. Run your local firefox
2. Confirm you can execute java applets by visiting http://java.sun.com/applets/jdk/1.4/demo/applets/Clock/example1.html
3. Click on the test meeting http://support.webex.com/support/support-overview.html

An Oldie But a Goodie

Yeah, back during the 01 layoffs at Cisco (or was it afterwards, during one of the never-ending reorgs can't recall) I had a DIVX of Office Space that I would watch while I worked to remain productive and we'd take lots of orbits around the parking lot and watch for this old guy with a beard down to his knees that would get off his shift at 3:30 at the Tyco fab next door and walk to his Corvette. Happy days!



Time to leave the SBUX and get to work...

ASA5505 SSLVPN Port Forwarding

So as I've been chronicling over on @frednecksec I've been pleasantly surprised with the new ASA5505 I got for my classroom network. Although I'm looking forward to replacing iptables the main reason for the purchase was the WebVpn. In particular the ability to do port forwarding. Yes this is just like SSH local port forwarding.

Here is config snippet for ASA 7.2(4) to allow you to get port forwarding working.

Enable WebVPN

webvpn                                                                   
 enable outside

Actually if you stop here you would be able to do URL redirection and get to web servers behind the ASA, although this doesn't show up anymore now that port forwarding is setup.

 port-forward SSH 2223 192.168.55.100 ssh     

group-policy first internal                                                  
group-policy first attributes
 vpn-tunnel-protocol webvpn
 webvpn                                                                      
  functions port-forward auto-download                                       
  port-forward value SSH

Some gotchas here. "port-forward" and "auto-download" have to be on the same line together. It wasn't immediately obvious to me that I had to do the "port-forward value" line. My general approach for Cisco CLI work is to just brute force it to find the minimal config. But this was the key thing I ran across. Unless you had this line, the session won't show up in the UI (see above) although the applet will download.

The steps below are pretty straightforward once you have the group-policy created (above)

username vpnuser password ... encrypted                         
username vpnuser attributes                                                  
 vpn-group-policy first                                                      
tunnel-group test type webvpn                                                
tunnel-group test general-attributes                                         
 default-group-policy first

This works on Ubuntu 8.10 (Java6) and Firefox 3.x, OSX 10.4 with Safari 3, and Windows XPSP3 both Firefox 3.x and IE (who knows what versions).

The Cisco McCain Connection

Network World Has an Interesting exploration on all the connections between Cisco and the John McCain campaign. Liberals often worry about the influence of corporations on policy-making when the reality is that policy-making are often directly done by the private sector. I saw this first-hand with groups such as the NIAC. Now obviously one could make a case that the private sector should be making policy because "the government," (never mind the revolving door between private sector and public sector) simply does not have the expertise on many technical issues.

Perhaps the real meaning of the public private partnership that is so necessary for critical infrastructure protection is that the government has a hands-off view of the industry and creates policy. But perhaps I'm being too cynical?

Hat Tip :fergdawg on the Cisco Alumni mailing.

How is CIP different from "Joe the Plumber" security?

When I was a member of CIAG Research, one of the problems that I had to grapple with was distinguishing normal "network security" or "Internet security" from "Critical Infrastructure Protection."

Given that our [dangerously vague] charter was to conduct and fund research that would improve the security of the critical infrastructure[s] we engaged in a lot of soul searching [and heated discussion] about which projects were appropriate? Was web application security within the domain of CI? Probably not, but maybe? How about routing protocol security. BGP security, definitely. RIP, not so much. How about L2/L3 Enterprise best practices? Maybe? Certainly, if they applied were applied to manufacturing and control system networks. Adding SCADA protocol awareness to firewalls, definitely.

So through these are the mud-colored glasses that I read Perry Pederson's inaugural post at Wurldtech.

So on first blush, and after suffering through a number of Control Systems standards efforts that spent too much time focusing on whether attackers were terrorists, disgruntled employees, or script kiddies, I was sympathetic to his lack of concern for the identity or motivation of threat agents:

So, when it comes to protecting these critical infrastructures, the motivation of the attackers is of less value than the response. In other words, it really does not matter if it was a terrorist, an animal rights group, or someone protecting the environment from us humans.

But I would argue that this is equally true for "Joe the Plumber" security as well. You know, the dirty jobs that small and large companies have to deal with: patching, logging, vulnerability management, application security, incident response, etc. Unless they translate into concrete defensive actions (blocking specific target sources or enabling monitoring for specific toolsets) it is irrelevant who or why you are being attacked. Besides, "Joe the Plumber" does not have access to the sort of [classified] threat intelligence that would make this relevant.

On the other hand (particularly in this season of government intervention to secure the private sector ) perhaps motivation and identity is more important to Critical Infrastructure Protection. If the largely privately-owned critical infrastructure is of so critical to the national interest and there is actionable intelligence to intervene through some national-level asset (electronic, physical, military, etc.) in order to obviate the need for a response within the private sector. But given that critical infrastructure depends on the public private partnership (and this should not just be a cliche on the part on government agencies to let Industry and public infrastructure owners to do whatever they hell they want without fear of regulation) the private sector should focus on the response but the public agencies must focus on incident prevention -- and this requires actionable intelligence on threat identity, capabilities, and intentions. Perry also discusses this need for prevention however I think "information sharing" is another one of those critical infrastructure cliches that executives like to talk about (and have been talking about since PDD-63) but sharing information is a means and not an end to itself. Besides information sharing across large enterprise IT organizations (each which is trying to cover it's ass in response to an incident or outage) is probably no different than the sort of challenges in sharing information between the private and public sector or within government agencies in response (or prior to) incidents.

Based on my experience in the first Cyberstorm exercise (and not just because I've heard directors and VP go on and on about them ad nauseum) I can't help but be a little cynical about efforts to that focus on "information sharing," incident response, "situational awareness", and "connecting the dots." Not only are these problems not unique to critical infrastructure but more often that not "raising awareness" and "improving communication" often are a cheap substitute for action.

Uck: Could have used this 3 years ago

I can't honestly say I was as productive as I should of been my last year at Cisco, but one of the things I did accomplish was porting our Knoppix based Security Testing LiveCD to Ubuntu. So I became intimately aware of the process of building LiveCDs and how painful the process can be. I did write some scripts to automate the process but Ubuntu Customization Kit would have been very useful. At least based on the description. Haven't tried it yet.

L2 Bridge ACLs on Cisco 800 Series ISRs

So it's obvious from this blog I was never a CCIE.

Hell, I barely passed the CCNA 2.0 exam many years ago (not because my IOS skills were that lacking, it was a bad exam, I tell you)

So had a hell of a time finding the extremely simple way to filter MAC addresses on a bridge interface, such as what I'm using on my 851 at home on my kids subnet. Well it was just my kids subnet until the damn Verizons Westel started acting up so bad with WPA with my Linux boxes lately.


I'm too lazy to do WEP (although it does work) and I've never had any luck with WPA under IOS. And yeah the first thing I did was wipe the web interface from flash.

So I figured how hard could it be. But I couldn't find it anywhere until I ran across a CCIE study guide on bridge filtering. Duh.

851w#sh access-lists 700                                                        
Bridge address access list 700                                                  
    permit 0012.f0xx.xxxx   0000.0000.0000 (23 matches)                         
    permit 001d.7exx.xxxx   0000.0000.0000 (38 matches)                         
    permit 0013.e8xx.xxxx   0000.0000.0000 (1930 matches)                       
    permit 0013.5fxx.xxxx   0000.0000.0000   

I learned the hard way there is an implicit deny at the end. And with the 700 series ACLs you don't need to have the 0000.0000.0000

So then you just add "input-address-list 700" to your bridge group and viola!

interface Dot11Radio0.1                                                         
 encapsulation dot1Q 1 native                                                   
 bridge-group 1                                                                 
 bridge-group 1 subscriber-loop-control                                         
 bridge-group 1 input-address-list 700                                          
 bridge-group 1 spanning-disabled                                               
 bridge-group 1 block-unknown-source                                            
 no bridge-group 1 source-learning                                              
 no bridge-group 1 unicast-flooding    

Completely secure, because like the OpenBSD folks I don't rely on security at Layer 2 or 3. It's all in the OS and applications.

And I didn't try it (enough for one night, my reading glasses are already on) but I'm guessing I could do masks as well so I could filter out Apple or Dell MAC addresses and only allow Intel Wireless client adapters.

Now that would be really secure!

851 ISR's use SNTP Dummy!

So I've configured NTP on quite a few Cisco and non-Cisco devices and I expected it to be an "ntp ?" away. NTP was only mentioned in the ports reference in the configuration guide and I didn't feel like resetting/remembering my password to be able to check the good old IOS feature navigator.

sntp server 192.168.100.100
    

851w#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
851w(config)#sntp ?
 broadcast         Configure SNTP broadcast services
 logging           Enable SNTP message logging
 multicast         Configure SNTP multicast services
 server            Configure SNTP server
 source-interface  Configure interface for source address

Of course this worked like a charm on one of my 851's but the other (with a nearly) identical config (I hope) is still having problems both syncing time from that router and through the router (ntpdate's are failing from a Linux box behind it, no NAT) although the packet traces superficially look fine. The other oddity is that the OpenWRT box that is front-ending (as in iptables-masquerading) all of these (as well as a Linksys AP, probably VXWorks based) is occasionally sourcing some of the NTP traffic from UDP port 6 -- or at least that is what the tcpdump from OpenWRT says, which *can't* be right. Can it?

IOS + NET-SNMP v3 = F.U.N. (just like it said on our badge)

Statement: So anything that remotely has anything to do with ASN.1(or perhaps it is International standards organizations) is going to be a pain in the ass.

Explanation: I've been trying to squeeze in here an there some time to get Cacti working with SNMPv3 on my 851 at home (12.4(15)T). I warn you. Don't bother trying to do this intuitively -- meaning just thinking you can fill in the forms and "question mark" your way to getting the config right in IOS. Plus net-snmp command line options are also painful.

But here is how what I got working with with AuthNoPriv with a little bit of help from here. Yeah, don't go to any of the creepy Russian sites that are the top google hits for "net snmp ios snmpv3"

The stuff that shows up in your config will be. You'll probably have to define the views first.

snmp-server group cactigroup v3 auth read readview
snmp-server view readview internet included
snmp-server view readview mib-2 included
snmp-server view readview system included
snmp-server view readview interfaces included
snmp-server view readview chassis included
snmp-server location blah
snmp-server contact donkey


and the line that won't (God Bless the SFB, yeah you know what I'm talking about)


851w(config)#snmp-server user cactiuser cactigroup v3 auth md5 whateverman


And then you can make sure they are there

851w#sh snmp group
groupname: cactigroup security model:v3 auth
readview : readview writeview:
notifyview:
row status: active


851w#sh snmp user

User name: cactiuser
Engine ID: 8000000903000014A40E21BD
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: None
Group-name: cactigroup

Oh, and the worst part


mfranz@gutsy61:~$ snmpget -v3 -u cactiuser -l authNoPriv -a md5 -A whateverman 192.168.2.100 system.sysContact.0
SNMPv2-MIB::sysContact.0 = STRING: donkey


Did it work on Cacti, don't know. Must sleep. Ubuntu says 19 minutes of battery left.

Some previously disclosed Cisco CLI Vulns, the joys of youth hockey practice, and fuzzing like a ninja

The highlight of my Sunday is my son's hockey practice at the Skatium here in Skokie. Among the more amusing things that almost always happen:

• One of the parents (who acts & looks like a coach, but I don't think he is) arguing with the real coach about religion (the parent is a Christian, probably fundamentalist, and the coach is Jewish, I assume)
• Eight and nine year olds tripping and falling on the ice and occasionally doing some nasty checks on each other (usually unintentionally)
  
• The previously mentioned parent (who is out on the ice for some reason, has a flattop and is a damn good skater) doing "hockey stops" (resulting in a shower of ice fragments) in the faces of kids. Today he also banged on his son's knee with his stick shouting "knee's can't get hurt" while his son was flat on his back, not wanting to get up.
  

All Good stuff. But other than that (and the upcoming election of the 12th Bishop of the Episcopal Diocese of Chicago , today I've been sort of been fixated on CLI vulnerabilities after my last blog entry on the futility of router vuln work in 2008 and Thomas's Quarterly Affirmation (reversing IOS images is not an option for a whole lot of reasons) so I was curious what was out there:

In cisco-sa-20060712-cucm we see this

The CallManager CLI provides a backup management interface to the system in order to diagnose and troubleshoot the primary HTTPS-based management interfaces. The CLI, which runs as the root user, contains two vulnerabilities in the parsing of commands. The first vulnerability may allow an authenticated CUCM administrator to execute arbitrary operating system programs as the root user. The second vulnerability may allow output redirection of a command to a file or a folder specified on the command line.

And in cisco-sa-20010131-arrowpoint-cli-fs

The Cisco CSS11000 must be configured to permit command line access to users by providing a management address and defining user accounts. Once command line access is gained by non privileged users (defined user accounts without administrative privileges), running a command requiring a filename, and providing a filename that is the maximum length of the input buffer can cause the switch to reboot, and a system check to be started which will prevent normal function of the switch for up to 5 minutes. The show script, clear script, show archive, clear archive, show log, and clear log commands are capable of causing the CSS to restart if the specified file name is the maximum length of the input buffer. Cisco Bug ID CSCdt08730.

And from cisco-sa-20060719-mars

The CS-MARS CLI is a restricted shell environment which allows authenticated administrators to perform system maintenance tasks. The CLI contains several privilege escalation vulnerabilities which may allow shell commands to be executed on the underlying appliance operating system with root privileges. These vulnerabilities are documented by Cisco bug IDs CSCsd29111 ( registered customers only) , CSCsd31371 ( registered customers only) , CSCsd31377 ( registered customers only) , CSCsd31392 ( registered customers only) and CSCsd31972 ( registered customers only) .

And Cisco Security Response: Cisco IOS Reload on Regular Expression Processing

Some regular expressions that make use of combined repetition operators ('*' or '+') and pattern recalls ("\1", "\2", etc.) into the same expression may result in a stack overflow on the Cisco IOS regular expression engine. A stack overflow will result in a reload of the device.

Given the ubiquity of dumb (IOS-like) shells on network devices (and not just on Cisco boxes), it would appear that this might be fertile ground for a tool that:

• Allowed you to connect to various transports (SSH, Telnet, serial)
• Obviously support authenticated/unauthenticated sessions and configuration modes
  
• Using built in command expansion and help documentation, map out the various commands (and their syntax) depending on the helpfulness of the shell you could probably prepopulate various payloads for common configuration parameters that have to be parse (IP addresses, netmasks, hashes, etc.)
  
• Could leverage some existing fuzzing/fault injection framework so you would have to generate control characters, malformed arguments, and other sequences
  

Although this is sort of intriguing, I doubt I have the time to pull this off. And if I've managed sketch up this idea, somebody has probably already written a tool like this somewhere. And if not, it would certainly be a more useful project than what they are teaching the kidz these days at Berkeley. Of course I'm probably just bitter that I couldn't get into any dept. there, let alone that one. Yeah some parent's hard-earned cash is going towards having their little one learn how "fuzz like a Ninja."