Security Exploit in QuickVPN

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by makeit_quick, Aug 12, 2006.

  1. makeit_quick

    makeit_quick LI Guru Member

    Unfortunately, the negotiation with Linksys-Cisco to get a fix or have
    the full compilable build - to make a fix... has failed!!!

    This security hole is being released into the wild - perhaps it will get
    more attention and customer calls to Linksys-Cisco.

    you can however get the file: if needed.

    Administrative edit
    You'll also find chris547 blabbing on that Linksysinfo is being paid by Linksys because we closed this thread. LET ME MAKE IT QUITE CLEAR. The accusations from chris547 are untrue. LINKSYSINFO IS NOT PAID BY LINKSYS.
  2. Toxic

    Toxic Administrator Staff Member

    Thanks for the info! I take it the author has full explanatory notes and can prove his findings to Linksys/Cisco if required to do so?
  3. makeit_quick

    makeit_quick LI Guru Member

    The author specifies the tools which were used and encourages its readers to re-check the claims (in case they can figure out how to use the tools). If there is any incorrect information, send him your feedback and he'll correct it. As far as I can tell, this is unfortunately accurate and puts Linksys-Cisco in a very unpleasant situation.
  4. ka9yhd

    ka9yhd LI Guru Member

    You need to be a member of BOTH Yahoo Groups and wrv54g group to view it.
  5. Toxic

    Toxic Administrator Staff Member

    I have forwarded this to a number of Linksys contacts, since this so-called Senior Software Engineer does not have the ability to do it himself :)

    Some people just don't have the knack of communicating the correct words for people to listen in the right places, I guess. Why the author has asked people to spread this about instead of contacting Linksys directly is beyond me. How do you think Linksysinfo has contacts in Linksys/Cisco? We asked.......

    Maybe he prefers others to do his dirty work for him :) It is now in the hands of the right people.
  6. makeit_quick

    makeit_quick LI Guru Member

    I don't recall the wording of spread encouragement (I only see the permission to distribute this art of work).
    You seem to be mocking the author, without being in the communication process between Linksys and the author. Do you know something we don't?
  7. DocLarge

    DocLarge Super Moderator Staff Member Member

    Alright peops, here's what "I" know, so let's tone down the volume on this "Shock and Awe" propaganda before it gets out of hand...

    The document is a good read, albeit, unsubstantiated, period.

    It’s nice to see initiative taken by someone to see the open community get a good product, but the author has left out a fundamental part: “empirical evidence,” better yet said, outlining the steps he took “systematically” to allow others to reproduce his findings. Instead, the author has stated “I used Cain & Abel,” and “If I were looking to implement my own tool, it would take a day or two.” It appears that the author of this document is trying to make a name for himself. Good on him, but if you’re going to make a name, have your “shizell in order,” and that appears to be lacking right now.

    He continually speaks of how a hacker “could,” “might,” and so on, but doesn’t show us exactly how these feats could be done. I could state “by using an IPSEC Scanner, I can successfully extract information from quickvpn,” but what good is that statement without hard facts, numbers, and retraceable steps, and better yet, a demonstration on how it’s done? It’s not worth a damn. All I’ve done is throw out unsubstantiated literature. This guy has thrown a needle in the haystack and said, “Go find the answers like I did;” his research is now open to various types of interpretation because initial steps of discovery aren’t defined by him. The author has done nothing more than “state findings” he’s come across, but he hasn’t left any guidance as to how others can properly reproduce what he’s claiming to have found.

    If what he’s found is accurate, then this is something Linksys needs to be held accountable for. Here’s the problem: he hasn’t left any way for anyone to “trace his footsteps” to verify his findings; this is the proverbial “loaded gun/question” to where the author is the “only one with the answer” and the community at large must do the “guesswork” so as to hopefully arrive at the same conclusion he did; what type of research is that??!?!?! Hmmm, this seems like a job for the “scientific method...”

    Until indisputable, replicable research is provided that would allow “anyone” to follow and reach the same conclusion as the author, this document could (and should) be construed as “popular conjecture” (Hell, “Urban Myth”) until verified, most likely, through a “peer-reviewed” process (established reviewers of I.T. information such as the IEEE, IETF, SANS, etc…).

    I’m not showing disdain for what this guy has done because I’m an avid Linksys buyer, but as someone with a scientific background (B.S., psychology, currently working on Master’s), I “personally” as a business owner would expect statements/actions of this caliber that could affect my income to be justified and capable of being reproduced by the masses.

    Furthermore, Quickvpn uses the "exact" same IPSEC structure that the Microsoft IPSEC vpn client uses (as utilized with FreeSwan); if you don't believe me, go to the following directory on a computer using quickvpn:

    c:\program files\linksys\linksys vpn client

    Once in the directory, click on the MMC icon that says "IPSEC." Then, in the right window pane, "right" click on "FreeSwan" and hit properties. What you have there is "the" source of quickvpn, microsoft IPSEC policy.

    What I'm saying now is that this mystery author has stated to the world that Microsoft's IPSEC VPN policy is insecure and that the Microsoft OS is a security risk.

    Should this prove to be unsubstantiated, this dude better be ready for litigation; if there's truth in it, then he should be commended...

    So, makeitquick, please don't take a confrontational stance towards Toxic's statements because he (Toxic) could be held liable for propagating unsubstantiated literature that can be construed as defaming towards Linksys, CISCO, and Microsoft "if" it proves to not be true; linksysinfo is here to provide assistance "and" accurate information, which this document has yet to prove itself as being. We don't need anyone crawling in our rear orifices with microscopes and CAT5 cable because someone threw a pdf together stating that Linksys's primary #1 seller is a "major" security leak.

  8. Toxic

    Toxic Administrator Staff Member

    Thanks for that. You forgot, makeitquick is also liable. He posted it on a public forum :)

    Now, I wonder why, if this finding is true, the info is held on Yahoo private groups and has not been publicly recorded on the vast number of "security websites" as a vulnerability issue before now?

    Perhaps the truth is hidden? I have passed this info on to Linksys, and this thread will now be closed in case of any legal allegations that may start.

    The documentation is the author's point of view and NOT linksysinfo's or anyone affiliated with linksysinfo.
  9. DocLarge

    DocLarge Super Moderator Staff Member Member

    One more thing, what method of research have you used that tells you that the author's information is accurate? Please understand, this "is not" a "gang up on makeit_quick" session. A lot of people come to this site about quickvpn information, and if there's any means you know of that accurately accounts for creating a means of testing this claim, we'd like to know so we ourselves can follow the path...

  10. Toxic

    Toxic Administrator Staff Member

    Direct download of the file has now been removed. This is due to inconsistencies and errors found in the documentation. If the documentation had been just a report on the issue of a security flaw with full proof we could have allowed it. But assumptions and uncertain facts cannot show an exact flaw.

    As said before however, linksys have been made aware of the document and its findings.

    watch this space.
  11. Toxic

    Toxic Administrator Staff Member

    Ok just received an update on QuickVPN from one of the Product marketing managers.

    QuickVPN is however not broken until someone hacks it. yes it can be hacked but then so can anything in the world. As linksys has stated, they are aware of the issue and are working on a fix.

    Mr Valenci can give himself a pat on the back for finding the issue, however others can buy a box of tissues, the thread still stays closed. :cry:

    why because mr watts and co. think this is a conspiracy theory.

    now if there was a conspiracy why would i release this information? :doh:

    no doubt the conspiracy theory clan have an answer for that one as well.

    btw i dont want to hear it.
  12. Toxic

    Toxic Administrator Staff Member

    Is QuickVPN safe?

    Ok reply 2, since we users are using the QuickVPN route. This is from linksys, and not us....

  13. Toxic

    Toxic Administrator Staff Member

    This thread is now open for discussion; however, the flaw has been found, and picking holes in comments is not the topic or this website's aim.

    Therefore if you wish to use other alternatives, please feel free to do so until the issue has been fixed.

    There are a number of other VPN clients that you may wish to use, until this exploit has been fixed. SSH Sentinel, OpenVPN, Greenbow, and if your router supports it, PPTP. Windows has its own built in PPTP VPN client.

    Routerworld (though outdated) does have a Setup guide for SSH Sentinel and Windows PPTP Client.

    If any more VPN clients are known to anyone, please feel free to post them here.

    Please stick to facts, and not assumptions based on conspiracy theories OR slander. It lowers the tone of a good thread and won't be tolerated.
  14. chris547

    chris547 Network Guru Member

    I'm not sure what they refer to as obscurity from those who want to do harm, but I have heard in the past suggestions that home users don't need firewalls due to them operating in obscurity from those who want to do them harm. This of course is totally incorrect, since the days of hackers attacking just large companies have gone, and what a large majority of hackers are looking for is personal finance details, and these can usually be found anywhere!

    The problem here is that Linksys are thinking from a wired point of view. True, in a wired network it is hard to spoof or manipulate DNS records or IP routing tables, but with wireless hotspots this is far easier to do and is currently happening as we speak.

    What has sprung up over the years is rogue wifi hotspots, or what's called Evil twinning, where a hacker sets up another hotspot near to an authentic one but with a similar name. Thus all the hacker has to do is use iptables to insert themselves between the client and server and Bob's your uncle!

    Since rogue hotspots are nearly as prevalent as rogue websites, and assuming that it would be common for Quickvpn to be used in a wifi environment, this problem would be more serious than first considered!
  15. Toxic

    Toxic Administrator Staff Member

    Then perhaps a warning on the Client VPN Access page should be added when a client is added to that page, if Wireless is enabled but no encryption is present :)
  16. chris547

    chris547 Network Guru Member

    Most wifi hotspots don't have encryption present, and if they did your data would still be secure between you, the server and, if you're on a rogue hotspot, unfortunately the hacker.

    I would imagine that when Quickvpn is looked at, something would have to be added to detect that a new certificate was now in effect for a remote connection, warning the user like I.E. does.

    Until then if people do use Quickvpn via Wifi hotspots I'd advise to first check on the internet to see where the legitimate hotspots are actually located, what the hotspots name should be and to change the Quickvpn password regularly on the server!
  17. DocLarge

    DocLarge Super Moderator Staff Member Member

    Fortunately, when setting up permissions to use quickvpn, an option can be enabled to allow the user to either "change" their password or "not change" their password after they authenticate with their router. So, when a session begins, a user has the option to keep the password they have, or somewhere during the session change it to something else. Unless someone is capable of capturing the traffic going through the tunnel at a precise moment in time, the session between quickvpn and the WRV54G/RV0XX/WRV200 routers is still viewed as secure (even though the encryption is symmetric and being changed over the air).

    Regardless of that being said, people can still relax and know they still have a more than acceptable level of security as they conduct their session. As previously mentioned, the attacker would have to literally know "when you initiate the session" in order to "attempt" to capture your data to include "knowing you are there." Nothing is totally safe, and that goes without saying.

    An attacker not having your information does protect you based on the standpoint of "obscurity" but it's not something to depend on....

  18. Toxic

    Toxic Administrator Staff Member

    tbh if a Client is using QuickVPN to connect to his company, the company should have a security policy set out for ALL wireless connections so he does NOT connect to "any" open hotspot but to a recommended and secure hotspot that the firm uses on a regular basis.
  19. YeOldeStonecat

    YeOldeStonecat Network Guru Member

    Not worried about it..haven't implemented the QuickVPN in any of my clients yet...I feel it's still been maturing with the firmware, and IMO the built in PPTP VPN has been doing just fine.

    However..this appears to be one of those "technical exercise exploits"..that's darned near impossible to actually happen in real life. Too many things have to line up..
    Choose a rogue hotspot...on a Wednesday, at precisely 2125, on a full moon, stand on your left foot..announce out loud precisely when you're going to log in... ... Bah! Those who wish to do wrong choose easier targets than that.

    There's only so much sleep one can lose in IT...I choose to follow some best practices...and I've been a fan of the "Security through Obscurity" creed.

    Regardless..good to point out and for Simon to passing it onto the appropriate peeps at Linksys. Was about to replace an older PIX501 at a client with an RV016...and implement the QuickVPN...I might hold off if a fix is near..since getting all the nurses laptops together to upgrade QuickVPN again when a new version comes out will be a pain.
  20. chris547

    chris547 Network Guru Member

    Actually it's very easy to do, it just requires a simple program and a single command line in Linux. Although the hacker is obviously going to be looking first for those people who have mistaken the hotspot for an authentic one and provided their credit card details, next logons to bank accounts, and finally they might investigate the strange command line that Quickvpn has sent.

    They will then get back tunnel details which they've first got to realise is tunnel details and finally they can establish a tunnel, although if you change your password regularly they will probably get nothing since hopefully you'd have changed your password by then!
  21. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    I read the (very poorly worded and extremely scanty scholarly diatribe) posting by Moshe Valenci. Admittedly, I threw it to the side (I'm too darn busy) when I first read it because of the poor English and the generally ranting/posturing nature of the writing. It seemed arrogant and sparse, so I wasn't that interested in reading it through.

    Someone much smarter than me once said, "Look past the messenger if you want to get the message". That voice echoing in the back of my mind, I actually read the darn thing and you know what?....I think he's on to something if what he says is correct.

    What he's saying can be boiled down to something very simple. The QuickVPN client will accept any box's site certificate. It's that trusting. The client will trust to the point of coughing up its own username/password to anyone. Whether it's in the clear (it isn't) or not is immaterial, as he proposes that you can set up a MiM attack where you can fool the QuickVPN client into showing you its private parts on a TLS-encrypted link. That would be in step (3) below [the trace below is a summary of an actual QuickVPN session being established and is observed by a box on a common subnet].

    What this means is that if the user hasn't misspelled his username and password an attacker can now login to the VPN gateway with these credentials. He then muddies the waters by suggesting a broader, but tangential, issue where all Linksys boxes of same make/model have the same certificate installed on them. You cannot easily replace the certificate. I suspect that the certificate is only replaced when you do a firmware upgrade. But who cares? The issue remains that the QuickVPN client trusts everyone. Gullible git software!

    This is a very specialized attack by a motivated attacker. As someone pointed out in a separate post, there are a lot of juicier exploits that a potential attacker will sink their teeth into before attacking your QuickVPN connection. Should you be worried? Yes. But first a caveat: I suspect that the threat level is similar to the likelihood of being killed in a terrorist attack. If you are doing a bunch of simple things like using switched infrastructure with no port mirroring on a campus network, the chance that an attacker will intercept and use your credentials is incredibly small.

    Summary Trace of QuickVPN Session Establishment (C = Client; S = Server)
    1. C-to-S: HTTPS: TLSv2 Client Hello -- ie: client knocks on server door;
    2. S-to-C: HTTPS: Server Hello, Certificate Exchange w/ client
    3. C-to-S: HTTPS: Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
    4. S-to-C: HTTPS: Change Cipher Spec, Encrypted Handshake Message (basically an ACK)
    5. S-to-C: ISAKMP: Identity Protection (Main Mode)
    6. S-to-C: ISAKMP: Identity Protection (Main Mode)
    7. C-to-S: HTTPS: Application Data (ie: username/password [?])
    8. S-to-C: HTTPS: Application Data
    9. C-to-S: HTTPS: Encrypted Alert
    10. C-to-S / S-to-C: ISAKMP: several more Identity Protection (Main Mode) messages
    11. C-to-S / S-to-C: ISAKMP: agree to switch to Quick Mode -- probably agreeing on ciphers for Phase II
    12. -- IKE Phase I Established --
    13. -- IKE Phase II Established -- using ESP (ie: protocol 50)
    14. Lots of ESP (S-to-C and C-to-S) as encrypted data moves in VPN between peers.

    I think it's very important to realize that this attack's efficacy is a bit overstated but nevertheless demonstrates a vulnerability that needs to be addressed.
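
The defensive counterpart to the behaviour Eric describes (a client that accepts any server certificate and sends its credentials at step 3/7 regardless) and to chris547's earlier suggestion that the client should detect a changed certificate and warn the user the way a browser does, as an added example that is not the thread's, the author's, or Linksys's code. It is generic Python on top of the standard `ssl` module, not QuickVPN's actual client logic: it places the trusting TLS configuration next to a verifying one, and adds a trust-on-first-use pin store that records the gateway's certificate fingerprint and reports a mismatch before any credential is sent. The gateway name `vpn.example.invalid` and the `GENUINE_CERT`/`ROGUE_CERT` byte strings are constructed placeholders standing in for DER-encoded certificates, not real ones.

```python
"""Certificate pinning with change detection for a VPN gateway's TLS endpoint.

Added example (not from the thread or from Linksys). Models the two client
behaviours discussed in the thread: a client that accepts any server
certificate, and one that verifies the chain and additionally pins the
gateway's certificate fingerprint so a changed certificate is reported
instead of silently accepted.
"""
import hashlib
import json
import ssl
from pathlib import Path
from typing import Dict, List, Optional


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def trusting_context() -> ssl.SSLContext:
    """The failure mode described in the thread: no chain check, no hostname check.

    Whatever answers on the gateway's port is accepted, so the TLS session hides
    the credentials from third parties only, not from the peer that actually
    terminated the connection.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(ca_pem_path: Optional[str] = None) -> ssl.SSLContext:
    """Verifies the chain against the system (or a supplied) CA set and checks the hostname."""
    ctx = ssl.create_default_context()
    if ca_pem_path:
        ctx.load_verify_locations(ca_pem_path)
    return ctx


class PinStore:
    """Trust-on-first-use pin store keyed by gateway name.

    The first connection records the fingerprint; later connections compare
    against it. A mismatch is the condition the user should be shown (as
    browsers do for a changed certificate) before any credential goes out.
    """

    def __init__(self, path: Optional[str] = None) -> None:
        self.path = Path(path) if path else None
        self.pins: Dict[str, str] = {}
        if self.path is not None and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=2))

    def check(self, gateway: str, cert_der: bytes) -> str:
        """Returns 'first-use', 'match' or 'mismatch' for this gateway's certificate."""
        fp = fingerprint(cert_der)
        known = self.pins.get(gateway)
        if known is None:
            self.pins[gateway] = fp
            self._save()
            return "first-use"
        return "match" if known == fp else "mismatch"


def should_send_credentials(store: PinStore, gateway: str, cert_der: bytes) -> bool:
    """Gate the credential exchange on the pin check: only 'match' or 'first-use' proceed."""
    return store.check(gateway, cert_der) != "mismatch"


def connect_and_check(store: PinStore, gateway: str, port: int = 443) -> str:
    """Live use (not exercised offline): verified TLS connect, then pin check on the leaf."""
    import socket
    ctx = hardened_context()
    with socket.create_connection((gateway, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=gateway) as tls:
            leaf_der = tls.getpeercert(binary_form=True)
    return store.check(gateway, leaf_der)


# Constructed sample data (not real certificates): stand-ins for the DER bytes
# presented by the genuine gateway and by a rogue hotspot interposed on the path.
GENUINE_CERT = b"constructed-der-bytes-for-the-real-gateway"
ROGUE_CERT = b"constructed-der-bytes-for-an-interposed-box"


def demo() -> List[str]:
    """Walks the three states: first use, repeat connection, then a swapped certificate."""
    store = PinStore()  # in-memory; pass a path to persist between runs
    gateway = "vpn.example.invalid"  # placeholder name
    return [
        store.check(gateway, GENUINE_CERT),
        store.check(gateway, GENUINE_CERT),
        store.check(gateway, ROGUE_CERT),
    ]


if __name__ == "__main__":
    print(demo())  # ['first-use', 'match', 'mismatch']
    print("trusting verify_mode:", trusting_context().verify_mode)
    print("hardened verify_mode:", hardened_context().verify_mode)
```

The pin check runs on the leaf certificate the server presented, after the normal chain and hostname verification of `hardened_context`, so a box that passes chain validation but is not the gateway previously seen still produces `mismatch`. Pinning on top of verification matters most where, as Eric notes, many devices ship the same certificate: the pin then records which certificate this user's gateway presents, and the decision to send credentials is taken only after that comparison.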

  22. Toxic

    Toxic Administrator Staff Member

    Wow... so few words to explain the same thing as that document.

    I was right - document has more text on how to attack linksys/cisco than actual facts :)

    Once again thanks eric!
  23. TazUk

    TazUk Network Guru Member

    The other thing to take into account is the rather low usage of the QuickVPN client, it's only used to connect to Linksys routers and then only specific models, i.e. WRV's and RV's. I think you'd need to spend a lot of time at an internet cafe or wireless hotspot before someone using it popped along :)
  24. YeOldeStonecat

    YeOldeStonecat Network Guru Member

    My comment wasn't stating that it's impossible to exploit this possible comment was " reality does anyone think it's going to actually happen?" Let me rephrase that..." the real world? Not in a hacker's lab with a carefully crafted/controlled simulation".

    Almost everything out there has a security vuln or two...even the biggest names. I don't follow the path of wearing too many tin foil hats over them.
  25. chris547

    chris547 Network Guru Member

    Yes it would happen in the real world! Hardly any private information these days is transmitted over a standard http connection, and only in a hacker's lab would someone try to decode data encrypted over a https: connection. So the only route left is to substitute the certificate for their own. Of course no one's going to write a program just for Quickvpn; it's more likely designed to catch all traffic, and I.E. does warn when this is done, although Quickvpn doesn't!
  26. makeit_quick

    makeit_quick LI Guru Member

    Well you had to time writing this reply, you probably like criticizing the "wording" more than you want to read (not to mention understand).

    It's used to hack the ENTIRE line of routers that uses QuickVPN... and it's not just two.

    Finally, be warned that there are new plugins that start harvesting that info.
  27. DocLarge

    DocLarge Super Moderator Staff Member Member

    Why Must It Always Be You? :)

    Makeit_Quick, a.k.a. "Mr Valencia" or whomever you are this week,

    once again, you come into the forum bearing controversy and "unsubstantiated nonsense" to include playing the role of the victim. As opposed to reading through Eric's post in its entirety, you've "again" chosen to find a "supposedly" negative connotation and attempt to "exploit" (I believe that's the popular word you're using to incite at the moment, right?) Eric's commentary by taking your typical position of "Somebody didn't agree with my findings." Had "you" bothered reading further, you would have noticed his next paragraph:

    As you sit here attempting to criticize this man, he actually gave you credit for noticing something; instead, in a rush to respond in a "direct manner" (as you've stated about your culture in the yahoo forums) you've again proven that your cultural aspect of conversation loses credibility and acceptance when translated to others.

    The responsible people of "Linksysinfo" (regardless of culture) don't communicate the way you do, which makes you the odd man out, so I'm saying this to you directly and make sure you understand: you need to "acclimate yourself" to the structure of this forum if you expect anyone to take you seriously, and this is something you need to make_quick, "post haste." Furthermore, if this word "acclimate" isn't a part of your culture, I'll help you out:

    The Quickvpn exploit isn't the "gaping hole" that you make it out to be. Yes, it can prove to be insecure, but no more than a locked car door with a breakable glass window. Just because it's there, doesn't mean everybody wants to get in, period. Quickvpn can be fortified, and will be; in the interim, if people stick to the basic security guidelines echoed throughout this forum of "intricate passwords" and security of the computer systems, incidents will be minimized, so stop trying to "scare up notoriety!"

    Furthermore, whether you realize this or not, Eric_Stewart has credentials in security (certified in Cisco Security, actually), so, as I've stated to you before, be careful of who you chastise; credible people post here.

  28. TazUk

    TazUk Network Guru Member

    Who said it was only two :confused: I said it was only certain models by Linksys, which it is. The last time I checked that includes the RV's, WRV54G and WRV200. Presumably the new RV models will also work with QuickVPN too.
  29. makeit_quick

    makeit_quick LI Guru Member

    The problem is mainly in the client software; the router does not have to exist in order to hack the client...

    Unless a proper fix is published to the client and the server (router), all router software is assumed insecure (as well as the client).
  30. TazUk

    TazUk Network Guru Member

    If the router didn't exist, i.e. you didn't have a router which supports QuickVPN, then why would you be using the client :confused: