[Script Info] Title: [Events] Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text Dialogue: 0,0:00:00.00,0:00:03.73,Default,,0000,0000,0000,,[Translated by {Iikka}{Yli-Kuivila}\N(ITKST56 course assignment at JYU.FI)] Dialogue: 0,0:00:03.73,0:00:31.34,Default,,0000,0000,0000,,{\i1}33C3 preroll music{\i0} Dialogue: 0,0:00:31.34,0:00:35.20,Default,,0000,0000,0000,,Herald: Welcome back to the festival\Nstage, still day two according to my Dialogue: 0,0:00:35.20,0:00:40.97,Default,,0000,0000,0000,,clock, even though I have lost all sense\Nof time by now, I don't know. It's like a Dialogue: 0,0:00:40.97,0:00:45.44,Default,,0000,0000,0000,,kind of rush year with so many great\Ntalks, and we'll have the next super Dialogue: 0,0:00:45.44,0:00:52.64,Default,,0000,0000,0000,,awesome talk held by Jiska, Gerbert and\NMatthias. And those three lovely people Dialogue: 0,0:00:52.64,0:00:59.78,Default,,0000,0000,0000,,will be showing us something about VPNs.\NSo-called very pwnable networks and why Dialogue: 0,0:00:59.78,0:01:05.99,Default,,0000,0000,0000,,your VPN might not be as secure as you\Nthink or have been led to believe. And Dialogue: 0,0:01:05.99,0:01:10.91,Default,,0000,0000,0000,,this is not only important for the people\Nthat think like, haha, I'm behind seven Dialogue: 0,0:01:10.91,0:01:15.83,Default,,0000,0000,0000,,proxies. You can't catch me. But also,\Nmaybe if your employer says, please use Dialogue: 0,0:01:15.83,0:01:21.18,Default,,0000,0000,0000,,this VPN client and there might be some\Nsurprises waiting for you. And this is Dialogue: 0,0:01:21.18,0:01:26.35,Default,,0000,0000,0000,,again, a pre-recording, and afterwards I\Ncan already see them here in our tools, Dialogue: 0,0:01:26.35,0:01:32.49,Default,,0000,0000,0000,,but afterwards we will do a Q&A session.\NSo if you have any questions, put them Dialogue: 0,0:01:32.49,0:01:40.86,Default,,0000,0000,0000,,into the IRC or on Twitter or Mastodon\Nwith the hashtag #rc3cwtv. 
And our lovely Dialogue: 0,0:01:40.86,0:01:46.37,Default,,0000,0000,0000,,Signal Angel will collect them and we'll\Nsee each other after the pre-recording. Dialogue: 0,0:01:46.37,0:01:48.46,Default,,0000,0000,0000,,Jiska: Everyone and welcome to the talk Dialogue: 0,0:01:48.46,0:01:56.17,Default,,0000,0000,0000,,Very Pwnable Network which is by Gerbert,\NMatthias and me. So how did all start? Dialogue: 0,0:01:56.17,0:02:02.37,Default,,0000,0000,0000,,Well, I got a little bit paranoid last\Nyear and I just thought it might be a good Dialogue: 0,0:02:02.37,0:02:08.51,Default,,0000,0000,0000,,idea to encrypt a lot because Wi-Fi, LTE,\NTLS it might be intercepted, might be Dialogue: 0,0:02:08.51,0:02:14.42,Default,,0000,0000,0000,,decrypted. So we should encrypt like\Neveryone is watching and so I should use a Dialogue: 0,0:02:14.42,0:02:20.11,Default,,0000,0000,0000,,VPN on top. And then the next trust\Nassumption was that I connect to my Dialogue: 0,0:02:20.11,0:02:26.74,Default,,0000,0000,0000,,university's network every day, so I\Nshould trust this one anyway. And if I Dialogue: 0,0:02:26.74,0:02:30.71,Default,,0000,0000,0000,,trust this network, then I could also use\Nthis network and their professional VPN Dialogue: 0,0:02:30.71,0:02:36.06,Default,,0000,0000,0000,,service. I hear you laughing, I hear\Nlaughing but so this was my idea because Dialogue: 0,0:02:36.06,0:02:42.57,Default,,0000,0000,0000,,then there is no additional thing that I\Ntrust during my network activity. And Dialogue: 0,0:02:42.57,0:02:47.61,Default,,0000,0000,0000,,well, they had this nice AnyConnect line\Nthat just works on all operating systems. Dialogue: 0,0:02:47.61,0:02:53.25,Default,,0000,0000,0000,,So it also sounds like a great product\Nname for a secure product like AnyConnect. Dialogue: 0,0:02:53.25,0:03:00.18,Default,,0000,0000,0000,,Yeah. And then I started using this on my\Nmobile devices, right? 
And then suddenly I Dialogue: 0,0:03:00.18,0:03:06.44,Default,,0000,0000,0000,,got crash logs and it looked like this. So\NI mean, if you're paranoid, you obviously Dialogue: 0,0:03:06.44,0:03:11.84,Default,,0000,0000,0000,,look into your crash logs every two days\Nand one of these crash logs was this one. Dialogue: 0,0:03:11.84,0:03:17.17,Default,,0000,0000,0000,,It didn't really look nice the address\Nlooks a bit strange, and you also have Dialogue: 0,0:03:17.17,0:03:21.85,Default,,0000,0000,0000,,some trace of the crashed thread. And if\Nyou log this into IDA and do a little bit Dialogue: 0,0:03:21.85,0:03:25.54,Default,,0000,0000,0000,,of reverse engineering, you can also add\Nsome function names in the AnyConnect Dialogue: 0,0:03:25.54,0:03:31.54,Default,,0000,0000,0000,,extension, the AC extension and the crash\Nis somewhere when it applies VPN config Dialogue: 0,0:03:31.54,0:03:37.16,Default,,0000,0000,0000,,somewhere in the - in the tunnel buffers.\NI don't know. So - and then also, the Dialogue: 0,0:03:37.16,0:03:44.22,Default,,0000,0000,0000,,address looks strange because the address\Nis IP version four backwards and then a Dialogue: 0,0:03:44.22,0:03:52.02,Default,,0000,0000,0000,,few days later I got another crash and\Nthis crash read like 68k New Line. And so Dialogue: 0,0:03:52.02,0:03:56.67,Default,,0000,0000,0000,,it really looked like some configuration\Nstrings that were crashing at certain Dialogue: 0,0:03:56.67,0:04:02.11,Default,,0000,0000,0000,,addresses, so it really didn't look good.\NBut I also didn't have that much time. So Dialogue: 0,0:04:02.11,0:04:06.94,Default,,0000,0000,0000,,I just wrote Cisco and said, like, so do\Nyou mean to serious like, is your client Dialogue: 0,0:04:06.94,0:04:13.18,Default,,0000,0000,0000,,really crashing that often? 
Because every\Ntime I do my laundry, I have bad Internet Dialogue: 0,0:04:13.18,0:04:20.37,Default,,0000,0000,0000,,connectivity, so my any - my AnyConnect\Nclient starts to crash at weird addresses. Dialogue: 0,0:04:20.37,0:04:26.89,Default,,0000,0000,0000,,And while this is like an issue for code\Nexecution, the other issue is that if you Dialogue: 0,0:04:26.89,0:04:30.95,Default,,0000,0000,0000,,just jam a few packets over the air, then\Nan attacker might be able to disconnect Dialogue: 0,0:04:30.95,0:04:38.36,Default,,0000,0000,0000,,the victim from a VPN. So that is also an\Nissue. So because the AnyConnect client is Dialogue: 0,0:04:38.36,0:04:44.01,Default,,0000,0000,0000,,not properly included in the operating\Nsystem iOS, and that means that you would Dialogue: 0,0:04:44.01,0:04:48.13,Default,,0000,0000,0000,,just reconnect and send your messages in\Nplaintext over the network and the user Dialogue: 0,0:04:48.13,0:04:52.44,Default,,0000,0000,0000,,does not get any notification. It's just a\NVPN symbol that has gone and all traffic Dialogue: 0,0:04:52.44,0:04:58.03,Default,,0000,0000,0000,,is sent in plaintext. And I wanted to\Nanalyze this a little bit further and Dialogue: 0,0:04:58.03,0:05:01.59,Default,,0000,0000,0000,,there is a debugging option in the\NAnyConnect client. But since it's in the Dialogue: 0,0:05:01.59,0:05:07.48,Default,,0000,0000,0000,,client that crashes, the logs are just\Ngone. If you have a crash and even worse Dialogue: 0,0:05:07.48,0:05:12.34,Default,,0000,0000,0000,,also the operating system crash logs in\NiOS are missing if you have the debugging Dialogue: 0,0:05:12.34,0:05:19.18,Default,,0000,0000,0000,,option enabled. And well they answered:\N"We cannot reproduce this". I mean, Dialogue: 0,0:05:19.18,0:05:23.52,Default,,0000,0000,0000,,obviously they didn't help me with my\Nlaundry or anything so they could not Dialogue: 0,0:05:23.52,0:05:30.23,Default,,0000,0000,0000,,reproduce. 
And even worse, they ignored\Nthe ticket for a long time until we said Dialogue: 0,0:05:30.23,0:05:37.10,Default,,0000,0000,0000,,we are going to present this at this\Nyear's CCC congress. And then 10 days Dialogue: 0,0:05:37.10,0:05:40.52,Default,,0000,0000,0000,,before the talk they claimed that they had\Nfixed two out of the three crashes and Dialogue: 0,0:05:40.52,0:05:44.40,Default,,0000,0000,0000,,were asking if we could reproduce the\Ncrashes or not. But just a day before they Dialogue: 0,0:05:44.40,0:05:51.51,Default,,0000,0000,0000,,said like they were not sure and so on. So\Nit was really a weird ticket there and I Dialogue: 0,0:05:51.51,0:05:55.04,Default,,0000,0000,0000,,have no idea if things are fixed or not,\Nbecause to reproduce, I obviously need Dialogue: 0,0:05:55.04,0:05:59.95,Default,,0000,0000,0000,,like tinfoil. I need like a couple of\Nsmart phones with the AnyConnect client Dialogue: 0,0:05:59.95,0:06:04.25,Default,,0000,0000,0000,,installed, and then I need to walk around\Nand hope that the Internet connection Dialogue: 0,0:06:04.25,0:06:08.06,Default,,0000,0000,0000,,breaks and that it breaks in a way that\Nproduces a crash. So this is just way too Dialogue: 0,0:06:08.06,0:06:17.03,Default,,0000,0000,0000,,random. I also told Apple and Apple just\Nsaid, Well, the issue is that the client Dialogue: 0,0:06:17.03,0:06:21.59,Default,,0000,0000,0000,,crashes so it's not really their\Ndepartment, even though it's the network Dialogue: 0,0:06:21.59,0:06:28.84,Default,,0000,0000,0000,,extension that crashes. So it's not their\Ntask here to notify the user. It's just Dialogue: 0,0:06:28.84,0:06:33.30,Default,,0000,0000,0000,,the VPN that is gone. And then you send\Ndata in plaintext and this is all right. Dialogue: 0,0:06:33.30,0:06:41.17,Default,,0000,0000,0000,,This is the expected behavior. 
So I got a\Nbit annoyed and stopped using VPNs, but I Dialogue: 0,0:06:41.17,0:06:47.24,Default,,0000,0000,0000,,also had the idea to find students who\Nmight look into this. And well, you know Dialogue: 0,0:06:47.24,0:06:52.37,Default,,0000,0000,0000,,what happens when you find very motivated\Nstudents, they find vulnerabilities. And Dialogue: 0,0:06:52.37,0:06:54.59,Default,,0000,0000,0000,,this is what this talk is going to be\Nabout. Dialogue: 0,0:06:54.59,0:06:59.93,Default,,0000,0000,0000,,Gerbert: So we had a look at the Cisco\NAnyConnect client for Linux and found some Dialogue: 0,0:06:59.93,0:07:04.46,Default,,0000,0000,0000,,interesting things. Shortly after\Npublishing our findings, several news Dialogue: 0,0:07:04.46,0:07:09.93,Default,,0000,0000,0000,,articles popped up. But what happened\Nbetween the crashes of Jiska and these Dialogue: 0,0:07:09.93,0:07:17.81,Default,,0000,0000,0000,,articles? VPN is interesting because it is\Nsuch an old research topic. However, the Dialogue: 0,0:07:17.81,0:07:23.11,Default,,0000,0000,0000,,importance of the technology was later\Nincreased by the corona pandemic. Many Dialogue: 0,0:07:23.11,0:07:29.64,Default,,0000,0000,0000,,companies had to relocate to home offices\Nto meet the safety measures. VPN allows Dialogue: 0,0:07:29.64,0:07:36.24,Default,,0000,0000,0000,,users from outside to access internal\Nresources of the company or university. To Dialogue: 0,0:07:36.24,0:07:42.69,Default,,0000,0000,0000,,connect to a VPN server, additional client\Nsoftware is usually required. Besides open Dialogue: 0,0:07:42.69,0:07:49.02,Default,,0000,0000,0000,,source products, such as openVPN, a lot\Nof closed source software is offered on Dialogue: 0,0:07:49.02,0:07:55.40,Default,,0000,0000,0000,,the market. Especially in the enterprise\Nsector. The users are forced to trust this Dialogue: 0,0:07:55.40,0:08:01.93,Default,,0000,0000,0000,,software, install a black box in their\Nsystem in order to connect to a network. 
Dialogue: 0,0:08:01.93,0:08:09.01,Default,,0000,0000,0000,,AnyConnect secure mobility client from\NCisco is an enterprise software solution. Dialogue: 0,0:08:09.01,0:08:13.65,Default,,0000,0000,0000,,AnyConnect can be classified as a remote\Naccess client that allows end-users to Dialogue: 0,0:08:13.65,0:08:21.55,Default,,0000,0000,0000,,connect to a network that supports SSL VPN\Nand also IPsec. When using SSL VPN the Dialogue: 0,0:08:21.55,0:08:29.51,Default,,0000,0000,0000,,authentication and the establishment of a\NVPN tunnel is carried out via an SSL or Dialogue: 0,0:08:29.51,0:08:35.65,Default,,0000,0000,0000,,TLS tunnel. The software acts as a fat\Nclient that communicates with the VPN Dialogue: 0,0:08:35.65,0:08:42.33,Default,,0000,0000,0000,,server via HTTPS. As already mentioned the\Nsource code for AnyConnect is not publicly Dialogue: 0,0:08:42.33,0:08:48.50,Default,,0000,0000,0000,,available. The application is distributed\Nwith compiled binaries and libraries. Dialogue: 0,0:08:48.50,0:08:54.21,Default,,0000,0000,0000,,Although the application is documented, it\Ndoes not cover internal functionality. Dialogue: 0,0:08:54.21,0:08:59.16,Default,,0000,0000,0000,,Even the vulnerability disclosures, which\Nare published in public advisories, do not Dialogue: 0,0:08:59.16,0:09:04.63,Default,,0000,0000,0000,,go into much technical detail. Therefore\Nthere is only limited knowledge about the Dialogue: 0,0:09:04.63,0:09:10.89,Default,,0000,0000,0000,,application and its internal behavior. We\Nhave set ourselves the goal to examine Dialogue: 0,0:09:10.89,0:09:19.65,Default,,0000,0000,0000,,AnyConnect for Linux and iOS in a recent\Nversion. The main functionality of Dialogue: 0,0:09:19.65,0:09:25.38,Default,,0000,0000,0000,,AnyConnect is the establishment of VPN\Nconnections, but this is only the tip of Dialogue: 0,0:09:25.38,0:09:31.68,Default,,0000,0000,0000,,the iceberg. 
AnyConnect also connects\Nnumerous other features, to name a few: Dialogue: 0,0:09:31.68,0:09:37.23,Default,,0000,0000,0000,,The distribution and execution of scripts\Non host systems, automatically updating Dialogue: 0,0:09:37.23,0:09:43.47,Default,,0000,0000,0000,,the software without asking the user for\Npermission. Another feature is host scan: Dialogue: 0,0:09:43.47,0:09:49.31,Default,,0000,0000,0000,,it does not integrate into AnyConnect, but\Nit is considered as a standalone software. Dialogue: 0,0:09:49.31,0:09:54.18,Default,,0000,0000,0000,,It works together with the AnyConnect\Ninfrastructure and makes it possible to Dialogue: 0,0:09:54.18,0:10:00.55,Default,,0000,0000,0000,,read out extensive system information of\Nthe host and transmit them to VPN server. Dialogue: 0,0:10:00.55,0:10:08.87,Default,,0000,0000,0000,,The related work of AnyConnect is based on\NCisco's public advisories and blog entries Dialogue: 0,0:10:08.87,0:10:14.66,Default,,0000,0000,0000,,from certain security researchers.\NTherefore, we decided to list and Dialogue: 0,0:10:14.66,0:10:21.47,Default,,0000,0000,0000,,categorize all vulnerabilities since 2011.\NOn this diagram, we see a list of Dialogue: 0,0:10:21.47,0:10:27.43,Default,,0000,0000,0000,,vulnerabilities per year, ordered by\Nseverity. Most of the time reported Dialogue: 0,0:10:27.43,0:10:33.29,Default,,0000,0000,0000,,vulnerabilities are classified as medium,\Nbut even critical vulnerabilities were Dialogue: 0,0:10:33.29,0:10:44.01,Default,,0000,0000,0000,,disclosed in 2011 and 2012. The increased\Nnumbers in 2015 and 2016 caused numerous Dialogue: 0,0:10:44.01,0:10:51.38,Default,,0000,0000,0000,,vulnerabilities of libraries such as\NOpenSSL. The vulnerabilities were then Dialogue: 0,0:10:51.38,0:10:57.42,Default,,0000,0000,0000,,divided into categories and illustrated in\Nthe diagram. 
Cryptographic vulnerabilities Dialogue: 0,0:10:57.42,0:11:04.37,Default,,0000,0000,0000,,are the most common as AnyConnect uses\NOpenSSL and vulnerabilities in OpenSSL are Dialogue: 0,0:11:04.37,0:11:10.05,Default,,0000,0000,0000,,also vulnerabilities in AnyConnect.\NHowever, excluding the third-party Dialogue: 0,0:11:10.05,0:11:15.77,Default,,0000,0000,0000,,vulnerabilities, the category of most\Nvulnerabilities affecting AnyConnect would Dialogue: 0,0:11:15.77,0:11:21.51,Default,,0000,0000,0000,,be privilege escalations. Closely followed\Nby denial of service attacks, which are Dialogue: 0,0:11:21.51,0:11:26.11,Default,,0000,0000,0000,,often directed against the running\Napplication in order to disrupt the VPN Dialogue: 0,0:11:26.11,0:11:33.11,Default,,0000,0000,0000,,connection. Overflow vulnerabilities or\Nversion downgrades Dialogue: 0,0:11:33.11,0:11:37.92,Default,,0000,0000,0000,,These results gave us a little insight\Nabout the flaws of the past. Dialogue: 0,0:11:37.92,0:11:43.28,Default,,0000,0000,0000,,Matthias: So before we will pass over to\Nthe reversing parts, we want to give you a Dialogue: 0,0:11:43.28,0:11:50.54,Default,,0000,0000,0000,,quick experience report regarding Cisco's\Nlicensing support. Cisco ASA is a typical Dialogue: 0,0:11:50.54,0:11:55.59,Default,,0000,0000,0000,,server endpoint for Cisco AnyConnect,\Nwhich is available as hardware appliance Dialogue: 0,0:11:55.59,0:12:03.43,Default,,0000,0000,0000,,and also as a virtual version running on,\Nfor example, VMware. At the beginning of Dialogue: 0,0:12:03.43,0:12:08.09,Default,,0000,0000,0000,,our research, we tried to obtain an\Nofficial evaluation license for Cisco Dialogue: 0,0:12:08.09,0:12:14.27,Default,,0000,0000,0000,,ASAv, while never hiding the purpose of\Nwanting to use it for security research. Dialogue: 0,0:12:14.27,0:12:21.29,Default,,0000,0000,0000,,Therefore our naive approach was to just\Nwrite the Cisco licensing support. 
It was Dialogue: 0,0:12:21.29,0:12:25.88,Default,,0000,0000,0000,,more or less like: Hi, we are doing\Nsecurity research on the Cisco AnyConnect Dialogue: 0,0:12:25.88,0:12:32.13,Default,,0000,0000,0000,,clients. Could you offer us free evalution\Nlicenses for Cisco ASAv? Cisco replied: Dialogue: 0,0:12:32.13,0:12:38.22,Default,,0000,0000,0000,,Sure. Please let me know the amount of\Nlicenses that you need. At that point, we Dialogue: 0,0:12:38.22,0:12:43.29,Default,,0000,0000,0000,,were a bit surprised because it just\Nseemed a bit too easy. But then we had Dialogue: 0,0:12:43.29,0:12:50.17,Default,,0000,0000,0000,,three 60-day licenses added to our\Naccount. But as soon as we tried to Dialogue: 0,0:12:50.17,0:12:55.94,Default,,0000,0000,0000,,download the ASAv image for VirtualBox, we\Ngot this error. Maybe some kind of error Dialogue: 0,0:12:55.94,0:13:00.93,Default,,0000,0000,0000,,on the license was not applied correctly,\Nbecause if you have the license for Dialogue: 0,0:13:00.93,0:13:06.21,Default,,0000,0000,0000,,products, you can of course download it,\Nright? Um yeah, but it seemed that our Dialogue: 0,0:13:06.21,0:13:11.09,Default,,0000,0000,0000,,approach was a little bit naive and we\Nunderrated the complexity of enterprise Dialogue: 0,0:13:11.09,0:13:20.94,Default,,0000,0000,0000,,software licensing. So it was a bit\Nunsatisfying. But we had an idea. We asked Dialogue: 0,0:13:20.94,0:13:26.12,Default,,0000,0000,0000,,the data center of our university for help\Nas university was using Cisco AnyConnect Dialogue: 0,0:13:26.12,0:13:32.83,Default,,0000,0000,0000,,too. But we never got any response. 
We\Nstill had some options, but at some point Dialogue: 0,0:13:32.83,0:13:38.54,Default,,0000,0000,0000,,we just gave up.\NG: As there is no proper documentation for Dialogue: 0,0:13:38.54,0:13:44.23,Default,,0000,0000,0000,,AnyConnect yet, it was initially necessary\Nto understand the application and to Dialogue: 0,0:13:44.23,0:13:49.69,Default,,0000,0000,0000,,filter out its central components.\NTherefore, we had no choice but to reverse Dialogue: 0,0:13:49.69,0:13:58.65,Default,,0000,0000,0000,,engineer the application. We analyzed the\Napplication files and network traffic. Dialogue: 0,0:13:58.65,0:14:03.98,Default,,0000,0000,0000,,In order to better understand the applica-\Ntion we used standard tools like Ghidra Dialogue: 0,0:14:03.98,0:14:09.56,Default,,0000,0000,0000,,for static code analysis. The Ghidra is\Nable to decompile the source code of the Dialogue: 0,0:14:09.56,0:14:15.90,Default,,0000,0000,0000,,compiled binary or library. For dynamic\Napplication analysis we used tools like Dialogue: 0,0:14:15.90,0:14:22.74,Default,,0000,0000,0000,,Frida, Burp and Wireshark. Frida can be\Nused to attach to running processes and to Dialogue: 0,0:14:22.74,0:14:28.47,Default,,0000,0000,0000,,understand the program flow. Burp was used\Nas a proxy to view and modify https Dialogue: 0,0:14:28.47,0:14:35.90,Default,,0000,0000,0000,,messages, and Wireshark is used to capture\Nand decrypt message traffic. Let's take a Dialogue: 0,0:14:35.90,0:14:41.39,Default,,0000,0000,0000,,closer look at the binaries of all the\Nfiles first. AnyConnect comes with a large Dialogue: 0,0:14:41.39,0:14:45.89,Default,,0000,0000,0000,,number of binaries. While reversing we\Ncould identify three central parts of the Dialogue: 0,0:14:45.89,0:14:52.16,Default,,0000,0000,0000,,application: vpnui is a binary a user\Ninteracts with. 
It offers the graphical Dialogue: 0,0:14:52.16,0:14:58.57,Default,,0000,0000,0000,,user interface, where the user can make\Nsimple settings or initiate a VPN Dialogue: 0,0:14:58.57,0:15:05.34,Default,,0000,0000,0000,,connection. The second binary is\Nvpnagentd. It runs as a daemon in the Dialogue: 0,0:15:05.34,0:15:11.67,Default,,0000,0000,0000,,background at all times, even when no VPN\Nconnection is open. The special thing Dialogue: 0,0:15:11.67,0:15:17.68,Default,,0000,0000,0000,,about vpnagentd is that it runs as a root\Nprocess and always listens on a static Dialogue: 0,0:15:17.68,0:15:25.13,Default,,0000,0000,0000,,port. Its purpose is to set up the VPN\Ntunnel and the network configuration of Dialogue: 0,0:15:25.13,0:15:32.90,Default,,0000,0000,0000,,the host system. This includes setting up\Nroutes or DNS servers. The third and last Dialogue: 0,0:15:32.90,0:15:38.04,Default,,0000,0000,0000,,binary is the vpndownloader. As the name\Nhints, the purpose of the binary is to Dialogue: 0,0:15:38.04,0:15:43.57,Default,,0000,0000,0000,,download additional files when\Nestablishing a VPN connection. This Dialogue: 0,0:15:43.57,0:15:51.02,Default,,0000,0000,0000,,includes VPN profiles, help files and\Nscripts. The binary exchanges data with Dialogue: 0,0:15:51.02,0:15:59.82,Default,,0000,0000,0000,,each other via inter-process communication\Nor short IPC. The IPC takes place via TCP Dialogue: 0,0:15:59.82,0:16:05.84,Default,,0000,0000,0000,,sockets. The binary data format for - that\NCisco has defined is used to exchange the Dialogue: 0,0:16:05.84,0:16:15.67,Default,,0000,0000,0000,,messages on the TCP sockets. In addition\Nto the binaries, AnyConnect also contains Dialogue: 0,0:16:15.67,0:16:20.96,Default,,0000,0000,0000,,numerous libraries. Many of them are ports\Nof existing open source libraries like Dialogue: 0,0:16:20.96,0:16:29.62,Default,,0000,0000,0000,,OpenSSL. 
The most important libraries are\Nshown on this slide: libvpnapi.so contains Dialogue: 0,0:16:29.62,0:16:35.67,Default,,0000,0000,0000,,interfaces and functions for the backend\Nlogic of user interfaces. The goal of the Dialogue: 0,0:16:35.67,0:16:41.09,Default,,0000,0000,0000,,library is that it com - that companies\Ncan create their own VPN applications Dialogue: 0,0:16:41.09,0:16:47.24,Default,,0000,0000,0000,,using the AnyConnect infrastructure. It is\Nthe only library for which documentation Dialogue: 0,0:16:47.24,0:16:54.42,Default,,0000,0000,0000,,is actually provided by Cisco.\NLibvpncommoncrypt serves as a wrapper for Dialogue: 0,0:16:54.42,0:17:01.43,Default,,0000,0000,0000,,OpenSSL and NSS libraries. NSS is similar\Nto OpenSSL and is used by browsers like Dialogue: 0,0:17:01.43,0:17:07.86,Default,,0000,0000,0000,,Mozilla Firefox to enable SSL and TLS\Nconnections. It also provides its own Dialogue: 0,0:17:07.86,0:17:16.71,Default,,0000,0000,0000,,certificate store. Libvpncommon is another\Ncentral library used by all binaries. It Dialogue: 0,0:17:16.71,0:17:23.19,Default,,0000,0000,0000,,provides classes and functions for the IPC\Nlogic. It can be used to create, send or Dialogue: 0,0:17:23.19,0:17:30.29,Default,,0000,0000,0000,,validate lPC messages. The next library,\Nlibvpnagentutilities, contains classes and Dialogue: 0,0:17:30.29,0:17:36.70,Default,,0000,0000,0000,,functions that handle critical operations,\Nsuch as host network settings. This Dialogue: 0,0:17:36.70,0:17:45.15,Default,,0000,0000,0000,,library is only used by vpnagentd. Besides\Nthe binaries and libraries there are a Dialogue: 0,0:17:45.15,0:17:51.72,Default,,0000,0000,0000,,variety of other relevant files that we\Nhave taken a closer look at. AnyConnect Dialogue: 0,0:17:51.72,0:17:59.42,Default,,0000,0000,0000,,offers an AnyConnect local policy XML\Nfile. This file regulates various security Dialogue: 0,0:17:59.42,0:18:04.42,Default,,0000,0000,0000,,configurations. 
For instance, it can be\Nused to specify that no further files may Dialogue: 0,0:18:04.42,0:18:11.74,Default,,0000,0000,0000,,be downloaded or that version updates may\Nbe carried out by a VPN server. In its Dialogue: 0,0:18:11.74,0:18:15.84,Default,,0000,0000,0000,,default configuration it is very\Npermissive so that almost everything is Dialogue: 0,0:18:15.84,0:18:20.91,Default,,0000,0000,0000,,allowed. The file is not overwritten by\Nupdates and cannot be modified by VPN Dialogue: 0,0:18:20.91,0:18:30.83,Default,,0000,0000,0000,,servers. The VPN profile is also in XML\Nformat: it contains further settings. The Dialogue: 0,0:18:30.83,0:18:36.96,Default,,0000,0000,0000,,green highlighted line shows an\NEnableScripting-tag with a boolean value Dialogue: 0,0:18:36.96,0:18:43.82,Default,,0000,0000,0000,,of false. Indicating that scripts should\Nnot be executed by the host system. Dialogue: 0,0:18:43.82,0:18:50.20,Default,,0000,0000,0000,,Profile files are distributed by a VPN\Nserver. And are overwritten the next time Dialogue: 0,0:18:50.20,0:19:00.45,Default,,0000,0000,0000,,a user connects and changes them. The last\Nfile is VPNManifest.dat which has a binary Dialogue: 0,0:19:00.45,0:19:05.94,Default,,0000,0000,0000,,data format that contains the version\Nnumber of AnyConnect. This file is used to Dialogue: 0,0:19:05.94,0:19:11.80,Default,,0000,0000,0000,,check the installed version of AnyConnect\Nbefore an version update. In addition to Dialogue: 0,0:19:11.80,0:19:19.29,Default,,0000,0000,0000,,all these files, the message traffic also\Nplays a central role. The establishment of Dialogue: 0,0:19:19.29,0:19:24.87,Default,,0000,0000,0000,,a VPN connection is structured in three\Nphases. Phase one is the authentication. Dialogue: 0,0:19:24.87,0:19:33.75,Default,,0000,0000,0000,,The user enters the IP or domain of a VPN\Nserver in vpnui. The target server is then Dialogue: 0,0:19:33.75,0:19:41.49,Default,,0000,0000,0000,,sent via IPC message to vpnagentd. 
As a\Nresponse vpnui receives various system Dialogue: 0,0:19:41.49,0:19:48.68,Default,,0000,0000,0000,,information back. This includes the\Noperating system or a whole study. Dialogue: 0,0:19:48.68,0:19:53.79,Default,,0000,0000,0000,,Afterwards this information and the\Ncredentials are sent to the VPN server Dialogue: 0,0:19:53.79,0:20:04.16,Default,,0000,0000,0000,,with HTTPS. The ASA returns server\Nparameters in a HTTPS response. Let's take Dialogue: 0,0:20:04.16,0:20:10.15,Default,,0000,0000,0000,,a closer look at the request and the\Nresponse. On the left side, you can see Dialogue: 0,0:20:10.15,0:20:15.84,Default,,0000,0000,0000,,the request. It is an ordinary post\Nrequest with an XML in which the Dialogue: 0,0:20:15.84,0:20:22.22,Default,,0000,0000,0000,,credentials are transferred. The\Ncredentials are marked in green. Dialogue: 0,0:20:22.22,0:20:28.13,Default,,0000,0000,0000,,On the right side we see the response. The\Nresponse contains the session token, which Dialogue: 0,0:20:28.13,0:20:33.42,Default,,0000,0000,0000,,is also marked in green. In addition, the\Nresponse contains the URLs to all Dialogue: 0,0:20:33.42,0:20:40.21,Default,,0000,0000,0000,,downloadable files and the hashes. The\Norange marked string is one of the Dialogue: 0,0:20:40.21,0:20:47.58,Default,,0000,0000,0000,,downloadable files. The download phase is\Nthe second phase of the VPN connection set Dialogue: 0,0:20:47.58,0:20:55.62,Default,,0000,0000,0000,,up. First vpnui executes the vpndownloader\Nbinary. Then the server parameters from Dialogue: 0,0:20:55.62,0:21:03.14,Default,,0000,0000,0000,,the previous HTTPS response are\Ntransferred to the vpndownloader via IPC. Dialogue: 0,0:21:03.14,0:21:09.62,Default,,0000,0000,0000,,The URLs are extracted from the IPC\Nmessage and when the files are downloaded Dialogue: 0,0:21:09.62,0:21:18.31,Default,,0000,0000,0000,,to a temporary directory via HTTPS. 
The\Ndownloader process informs the vpnagentd Dialogue: 0,0:21:18.31,0:21:24.32,Default,,0000,0000,0000,,via IPC to move the files to the\Napplication directory. In the third and Dialogue: 0,0:21:24.32,0:21:31.01,Default,,0000,0000,0000,,final phase of VPN connection set up,\Nvpnui sends an IPC message to vpnagentd Dialogue: 0,0:21:31.01,0:21:36.85,Default,,0000,0000,0000,,with the request to establish a VPN\Ntunnel. Subsequently, the exchange of Dialogue: 0,0:21:36.85,0:21:44.14,Default,,0000,0000,0000,,tunnel parameters takes place via HTTPS.\NAfter the parameters have been set by Dialogue: 0,0:21:44.14,0:21:50.64,Default,,0000,0000,0000,,vpnagentd the VPN session continues. Let's\Ntake a closer look at the tunnel Dialogue: 0,0:21:50.64,0:21:57.97,Default,,0000,0000,0000,,parameters. On the left side, we can see\Nthe request. In the first line you can Dialogue: 0,0:21:57.97,0:22:03.99,Default,,0000,0000,0000,,observe the HTTP connect method. Usually\Nthis method is used to proxies to forward Dialogue: 0,0:22:03.99,0:22:10.08,Default,,0000,0000,0000,,the request to the target server. Within\Nthe request, the session token is Dialogue: 0,0:22:10.08,0:22:15.53,Default,,0000,0000,0000,,specified in the cookie header. This is\Nthe same session token we received in the Dialogue: 0,0:22:15.53,0:22:22.33,Default,,0000,0000,0000,,authentication phase. The different tunnel\Nparameters transmitted in separate HTTP Dialogue: 0,0:22:22.33,0:22:30.16,Default,,0000,0000,0000,,headers. The part marked in red represents\Nthe local IP address of the host. On the Dialogue: 0,0:22:30.16,0:22:35.66,Default,,0000,0000,0000,,right, you can see a response to the\Nrequest. For example, the X-CSTP-Address Dialogue: 0,0:22:35.66,0:22:43.47,Default,,0000,0000,0000,,header contains the IP address that the\Nhost should apply on its tunnel interface. 
Dialogue: 0,0:22:43.47,0:22:50.06,Default,,0000,0000,0000,,In the part marked in red we now also see\Nthe DNS server for the VPN Dialogue: 0,0:22:50.06,0:22:56.09,Default,,0000,0000,0000,,connection. In addition, the address\Nranges that should be routed via the VPN Dialogue: 0,0:22:56.09,0:23:04.40,Default,,0000,0000,0000,,server as specified in the X-CSTP-Split-\NInclude header. Now that we have a general Dialogue: 0,0:23:04.40,0:23:09.57,Default,,0000,0000,0000,,understanding of the application, let's\Nmove on to the vulnerability research. We Dialogue: 0,0:23:09.57,0:23:15.92,Default,,0000,0000,0000,,have performed an design analysis for\NAnyConnect in which we looked at the IPC Dialogue: 0,0:23:15.92,0:23:21.73,Default,,0000,0000,0000,,messages in more detail. We need to define\Ncertain security assumptions and an Dialogue: 0,0:23:21.73,0:23:26.40,Default,,0000,0000,0000,,attacker model before we search for\Nvulnerabilities. This slide shows several Dialogue: 0,0:23:26.40,0:23:33.02,Default,,0000,0000,0000,,of our assumptions. Cryptographic\Nalgorithms within the application are Dialogue: 0,0:23:33.02,0:23:39.46,Default,,0000,0000,0000,,considered secure and cannot be broken in\Nexponential time. An attacker cannot read Dialogue: 0,0:23:39.46,0:23:44.68,Default,,0000,0000,0000,,or modify messages regardless of their\Nposition, and we assume that the VPN Dialogue: 0,0:23:44.68,0:23:51.17,Default,,0000,0000,0000,,server does not pursue any malicious\Nintent and only sends valid messages that Dialogue: 0,0:23:51.17,0:23:56.78,Default,,0000,0000,0000,,are protocol compliant. We assume a local\Nattacker who is already able to execute Dialogue: 0,0:23:56.78,0:24:01.46,Default,,0000,0000,0000,,commands on the system and the attackers\Ngoal is to compromise the confidentiality, Dialogue: 0,0:24:01.46,0:24:08.34,Default,,0000,0000,0000,,integrity and availability of the system\Nor application. 
Privilege escalation Dialogue: 0,0:24:08.34,0:24:13.83,Default,,0000,0000,0000,,vulnerabilities are also covered since\Nthey allow an attacker to compromise these Dialogue: 0,0:24:13.83,0:24:20.55,Default,,0000,0000,0000,,three security objectives. Cisco decided\Nto include an auto update feature in the Dialogue: 0,0:24:20.55,0:24:27.93,Default,,0000,0000,0000,,application. AnyConnect is able to receive\NAnyConnect updates through a VPN server Dialogue: 0,0:24:27.93,0:24:32.47,Default,,0000,0000,0000,,without any user interaction. In its\Ndefault configuration AnyConnect can be Dialogue: 0,0:24:32.47,0:24:38.74,Default,,0000,0000,0000,,updated by a VPN server that offers a\Nnewer version. From a security Dialogue: 0,0:24:38.74,0:24:44.95,Default,,0000,0000,0000,,researcher's perspective auto update\Nsounds promising, right? So let's take a Dialogue: 0,0:24:44.95,0:24:49.51,Default,,0000,0000,0000,,closer look at the auto update feature.\NFirst, the vpndownloader downloads an Dialogue: 0,0:24:49.51,0:24:57.01,Default,,0000,0000,0000,,executable installer and a shell script\Ncalled vpndownloader.sh. Then Dialogue: 0,0:24:57.01,0:25:03.63,Default,,0000,0000,0000,,vpndownloader.sh is executed. The shell\Nscript contains an archive and unpacks Dialogue: 0,0:25:03.63,0:25:09.38,Default,,0000,0000,0000,,itself to extract a new version of the\Nvpndownloader. An IPC message is then sent Dialogue: 0,0:25:09.38,0:25:15.74,Default,,0000,0000,0000,,to the vpnagentd asking it to start the\Ninstaller. The vpnagentd does not start Dialogue: 0,0:25:15.74,0:25:21.43,Default,,0000,0000,0000,,the installer directly. Instead the\Nvpnagentd calls the vpndownloader with Dialogue: 0,0:25:21.43,0:25:28.06,Default,,0000,0000,0000,,root privileges, which in turn calls the\Ninstaller. 
Before executing the installer Dialogue: 0,0:25:28.06,0:25:35.10,Default,,0000,0000,0000,,vpndownloader verifies and validates it.\NWe got an idea: Is it possible to install Dialogue: 0,0:25:35.10,0:25:40.91,Default,,0000,0000,0000,,an outdated version through forged IPC\Nmessages? As shown in the picture the Dialogue: 0,0:25:40.91,0:25:47.78,Default,,0000,0000,0000,,attacker needs an old signed installer and\Nsends the IPC message to vpnagentd asking Dialogue: 0,0:25:47.78,0:25:53.68,Default,,0000,0000,0000,,to execute the old installer. The\Nvpnagentd calls the vpndownloader as Dialogue: 0,0:25:53.68,0:25:58.71,Default,,0000,0000,0000,,usual, which in turn calls the attacker's\Ninstaller. There is no check whether the Dialogue: 0,0:25:58.71,0:26:05.29,Default,,0000,0000,0000,,installer is more recent than the\Ninstalled version. This makes the version Dialogue: 0,0:26:05.29,0:26:10.72,Default,,0000,0000,0000,,downgrade therefore possible. The\Nadvantage of downgrading to an outdated Dialogue: 0,0:26:10.72,0:26:15.65,Default,,0000,0000,0000,,version is that an attacker could force\Nthe installation of a version which Dialogue: 0,0:26:15.65,0:26:21.18,Default,,0000,0000,0000,,suffers from security vulnerabilities and\Nthe attacker could then exploit these Dialogue: 0,0:26:21.18,0:26:28.52,Default,,0000,0000,0000,,vulnerabilities. We reported the\Nvulnerability to Cisco's product incident Dialogue: 0,0:26:28.52,0:26:34.02,Default,,0000,0000,0000,,response team and it was fixed at the end\Nof September. The vulnerability only Dialogue: 0,0:26:34.02,0:26:42.39,Default,,0000,0000,0000,,received a CVSS score of 3.1 and was\Ntherefore rated with a low severity. The Dialogue: 0,0:26:42.39,0:26:47.96,Default,,0000,0000,0000,,vulnerability was only exploitable in the\NLinux version. Windows and Mac versions Dialogue: 0,0:26:47.96,0:26:54.60,Default,,0000,0000,0000,,were already secured against such an\Nattack. 
Another functionality we had - we Dialogue: 0,0:26:54.60,0:26:59.72,Default,,0000,0000,0000,,have looked into is the deployment and\Nexecution of scripts. They call it "Bring Dialogue: 0,0:26:59.72,0:27:05.73,Default,,0000,0000,0000,,your own script". This functionality is\Nintended to deploy very helpful scripts to Dialogue: 0,0:27:05.73,0:27:11.35,Default,,0000,0000,0000,,staff computers. In order for a script to\Nbe executed, it must meet two criteria. Dialogue: 0,0:27:11.35,0:27:16.88,Default,,0000,0000,0000,,First, it must be located in the script\Nfolder and begin with OnConnect or Dialogue: 0,0:27:16.88,0:27:24.15,Default,,0000,0000,0000,,OnDisconnect as a file name. Second, the\NEnableScripting tag in the profile which is Dialogue: 0,0:27:24.15,0:27:31.76,Default,,0000,0000,0000,,sent by the server must be set to true.\NDepending on the file name, scripts are Dialogue: 0,0:27:31.76,0:27:37.00,Default,,0000,0000,0000,,triggered after the VPN connection is\Nestablished or terminated. As the VPN server Dialogue: 0,0:27:37.00,0:27:42.98,Default,,0000,0000,0000,,can distribute profiles in which the\Nexecution of scripts is enabled and also Dialogue: 0,0:27:42.98,0:27:48.29,Default,,0000,0000,0000,,distributes the scripts, these two in\Ncombination allow the VPN server to gain Dialogue: 0,0:27:48.29,0:27:54.41,Default,,0000,0000,0000,,remote code execution on the connecting\Nclients. This functionality poses a major Dialogue: 0,0:27:54.41,0:27:59.30,Default,,0000,0000,0000,,problem because humans often need to trust\Nthe university's VPN servers and have no Dialogue: 0,0:27:59.30,0:28:05.54,Default,,0000,0000,0000,,other choice. But let's take a closer look\Nat the distribution of the scripts. Here Dialogue: 0,0:28:05.54,0:28:11.85,Default,,0000,0000,0000,,we see the classic procedure of a script\Ndistribution. In the download phase, Dialogue: 0,0:28:11.85,0:28:19.17,Default,,0000,0000,0000,,vpndownloader downloads an OnConnect or an\NOnDisconnect script. 
Then vpndownloader Dialogue: 0,0:28:19.17,0:28:25.42,Default,,0000,0000,0000,,asks via an IPC message to move the\Ndownloaded script to the script folder. Dialogue: 0,0:28:25.42,0:28:32.57,Default,,0000,0000,0000,,The vpnagentd process calls the\Nvpndownloader, which then moves the file. Dialogue: 0,0:28:32.57,0:28:36.67,Default,,0000,0000,0000,,We systematically examined the IPC\Nmessages and found a vertical privilege Dialogue: 0,0:28:36.67,0:28:43.10,Default,,0000,0000,0000,,escalation. An attacker is able to send\Nthe same message to the vpnagentd process. Dialogue: 0,0:28:43.10,0:28:48.35,Default,,0000,0000,0000,,Any of the attacker's scripts can be moved\Ninto the script directory. If there is Dialogue: 0,0:28:48.35,0:28:52.97,Default,,0000,0000,0000,,already a script in the script folder, it\Nis simply overwritten. If the attacker Dialogue: 0,0:28:52.97,0:28:58.62,Default,,0000,0000,0000,,moves an OnDisconnect script in while\Nthe user has a VPN connection Dialogue: 0,0:28:58.62,0:29:04.61,Default,,0000,0000,0000,,open, the script is executed with user\Nprivileges when the VPN connection is Dialogue: 0,0:29:04.61,0:29:13.22,Default,,0000,0000,0000,,closed. Thus, an unprivileged user can obtain\Ncode execution in the context of another user. Dialogue: 0,0:29:13.22,0:29:18.45,Default,,0000,0000,0000,,What bothered us about our attack was that\Nit was tied to conditions. One of the Dialogue: 0,0:29:18.45,0:29:24.04,Default,,0000,0000,0000,,conditions was that the EnableScripting\Ntag must have the boolean value "True". We Dialogue: 0,0:29:24.04,0:29:29.02,Default,,0000,0000,0000,,considered other attack scenarios and came\Nup with the idea of distributing a profile Dialogue: 0,0:29:29.02,0:29:34.62,Default,,0000,0000,0000,,ourselves. So we check for the tag again,\Nbut create not only a script, but also a Dialogue: 0,0:29:34.62,0:29:41.21,Default,,0000,0000,0000,,VPN profile that allows scripting. 
The\Nattack works as follows: while a local Dialogue: 0,0:29:41.21,0:29:45.58,Default,,0000,0000,0000,,user has a VPN session active, another\Nuser on the system creates a malicious Dialogue: 0,0:29:45.58,0:29:50.54,Default,,0000,0000,0000,,script and a new profile. The new profile\Ncontains the EnableScripting tag set to Dialogue: 0,0:29:50.54,0:29:57.06,Default,,0000,0000,0000,,"True". The attacker then sends an IPC\Nmessage to the vpnagentd requesting to Dialogue: 0,0:29:57.06,0:30:03.03,Default,,0000,0000,0000,,copy the script to the script directory.\NThe vpndownloader is then started with Dialogue: 0,0:30:03.03,0:30:10.99,Default,,0000,0000,0000,,root permissions to perform the copy\Noperation. Also, the attacker can send an Dialogue: 0,0:30:10.99,0:30:17.04,Default,,0000,0000,0000,,additional IPC message to vpnagentd\Nrequesting to overwrite the Dialogue: 0,0:30:17.04,0:30:24.81,Default,,0000,0000,0000,,existing profile with a malicious profile.\NAlthough the profile is overwritten the Dialogue: 0,0:30:24.81,0:30:29.11,Default,,0000,0000,0000,,settings of a new profile are not applied\Nyet, because the old profile is still Dialogue: 0,0:30:29.11,0:30:34.95,Default,,0000,0000,0000,,active. However, we were able to determine\Nthat the new profile is loaded when Dialogue: 0,0:30:34.95,0:30:41.50,Default,,0000,0000,0000,,there's a reconnect on the VPN session.\NReconnects are actually quite common in Dialogue: 0,0:30:41.50,0:30:46.33,Default,,0000,0000,0000,,the AnyConnect. If reconnect happens the\Nnew profile is loaded and applied. In our Dialogue: 0,0:30:46.33,0:30:51.23,Default,,0000,0000,0000,,case, it enables the scripting feature.\NAfter teardown of a VPN connection the Dialogue: 0,0:30:51.23,0:30:56.49,Default,,0000,0000,0000,,malicious OnDisconnect script of the\Nattacker is executed with the privileges Dialogue: 0,0:30:56.49,0:31:03.01,Default,,0000,0000,0000,,of the user running the VPN client. 
Both\Nproblems were reported to Cisco, but could Dialogue: 0,0:31:03.01,0:31:07.58,Default,,0000,0000,0000,,not be fixed by the disclosure date,\Nalthough we extended the disclosure Dialogue: 0,0:31:07.58,0:31:12.02,Default,,0000,0000,0000,,deadline. As of today the vulnerability is\Nstill present with the default Dialogue: 0,0:31:12.02,0:31:18.03,Default,,0000,0000,0000,,configuration of AnyConnect. Cisco\Npublished this vulnerability with a CVSS Dialogue: 0,0:31:18.03,0:31:25.91,Default,,0000,0000,0000,,of 7.1, which is considered as a high\Nseverity. Because it was published on the Dialogue: 0,0:31:25.91,0:31:32.34,Default,,0000,0000,0000,,4th of November 2020 without a fix, the\Nvulnerability got major attention on many Dialogue: 0,0:31:32.34,0:31:42.41,Default,,0000,0000,0000,,news sites. Various sites reported the\Nvulnerability. The quality of reports Dialogue: 0,0:31:42.41,0:31:47.41,Default,,0000,0000,0000,,varied. Some of the articles contained\Nincorrect information, for example, it was Dialogue: 0,0:31:47.41,0:31:52.82,Default,,0000,0000,0000,,stated that an exploit was already in\Ncirculation. It is not accurate since we Dialogue: 0,0:31:52.82,0:31:57.99,Default,,0000,0000,0000,,are the only ones who have a working\Nexploit and have not published it yet. We Dialogue: 0,0:31:57.99,0:32:03.19,Default,,0000,0000,0000,,could not find any other exploit on the\NInternet either. I think that this way of Dialogue: 0,0:32:03.19,0:32:09.54,Default,,0000,0000,0000,,reporting has to\Nbe reconsidered because it has caused such Dialogue: 0,0:32:09.54,0:32:15.45,Default,,0000,0000,0000,,a wrong assessment of the vulnerability. We were\Neven contacted by some incident response Dialogue: 0,0:32:15.45,0:32:21.37,Default,,0000,0000,0000,,teams that were worried about their\Ninfrastructure. All vulnerabilities found Dialogue: 0,0:32:21.37,0:32:25.13,Default,,0000,0000,0000,,and reported are listed in the table\Nbelow. 
The three vulnerabilities were Dialogue: 0,0:32:25.13,0:32:30.35,Default,,0000,0000,0000,,found by design analysis. Only one of the\Nvulnerabilities is fixed, according to Dialogue: 0,0:32:30.35,0:32:37.98,Default,,0000,0000,0000,,Cisco. Especially the Bring Your Own\NScript vulnerabilities have already been Dialogue: 0,0:32:37.98,0:32:42.76,Default,,0000,0000,0000,,published. Although no fix is available\Nfor them, a workaround has been declared Dialogue: 0,0:32:42.76,0:32:49.86,Default,,0000,0000,0000,,to fix the vulnerabilities. By modifying\Nthe local policy file the download phase Dialogue: 0,0:32:49.86,0:32:54.45,Default,,0000,0000,0000,,can be skipped completely. Since the\Nlatest update it's also possible to Dialogue: 0,0:32:54.45,0:32:59.68,Default,,0000,0000,0000,,prohibit the download and deployment of\Nscripts on a modular basis. Dialogue: 0,0:32:59.68,0:33:05.31,Default,,0000,0000,0000,,M: And what about mobile platforms? Do our\Ndiscovered vulnerabilities also apply Dialogue: 0,0:33:05.31,0:33:11.72,Default,,0000,0000,0000,,here? Let's make it quick. No. Mobile\Nplatforms are lacking many features Dialogue: 0,0:33:11.72,0:33:15.74,Default,,0000,0000,0000,,compared to the Linux, Windows and macOS\Nversions. You're, of course, able to Dialogue: 0,0:33:15.74,0:33:20.73,Default,,0000,0000,0000,,establish TLS and IPsec connections, just\Nlike with all the other clients. But Dialogue: 0,0:33:20.73,0:33:24.65,Default,,0000,0000,0000,,because features like the deployment of\Ncustom scripts or auto update are missing, Dialogue: 0,0:33:24.65,0:33:30.01,Default,,0000,0000,0000,,there's no way of using these exploits on\Nmobile platforms. We are currently having Dialogue: 0,0:33:30.01,0:33:35.00,Default,,0000,0000,0000,,a look into the iOS implementation of\NAnyConnect and therefore want to give you Dialogue: 0,0:33:35.00,0:33:41.43,Default,,0000,0000,0000,,a quick and high level overview into the\Narchitecture. 
As we are dealing with Apple Dialogue: 0,0:33:41.43,0:33:45.57,Default,,0000,0000,0000,,here, serious stuff like the\Nimplementation of the VPN is a bit Dialogue: 0,0:33:45.57,0:33:51.93,Default,,0000,0000,0000,,different compared to, for example, the\NLinux client. If you want to mess with Dialogue: 0,0:33:51.93,0:33:56.40,Default,,0000,0000,0000,,notifications, add sharing buttons or\Ncreate a widget on the homescreen, you Dialogue: 0,0:33:56.40,0:34:01.74,Default,,0000,0000,0000,,have to use an app extension. Equally for\NVPN functionality, you have to use the Dialogue: 0,0:34:01.74,0:34:08.43,Default,,0000,0000,0000,,network extension framework. The network\Nextensions contain providers and features Dialogue: 0,0:34:08.43,0:34:14.10,Default,,0000,0000,0000,,for all kind of network related operations\Nlike for content filtering, DNS, Wi-Fi and Dialogue: 0,0:34:14.10,0:34:18.94,Default,,0000,0000,0000,,more. If you want to build your own VPN\Napp, you have to choose between the Dialogue: 0,0:34:18.94,0:34:25.84,Default,,0000,0000,0000,,Personal VPN, the Packet Tunnel Provider\Nand the App Proxy Provider. In our case Dialogue: 0,0:34:25.84,0:34:30.08,Default,,0000,0000,0000,,the AnyConnect on iOS implements the\NPacket Tunnel Provider as they are using Dialogue: 0,0:34:30.08,0:34:38.28,Default,,0000,0000,0000,,their own packet oriented protocol. Here\Nyou can see the contents of the AnyConnect Dialogue: 0,0:34:38.28,0:34:43.47,Default,,0000,0000,0000,,app package, which is basically a zip file\Ncontaining all the executables and other Dialogue: 0,0:34:43.47,0:34:49.82,Default,,0000,0000,0000,,assets like images, etc.. The main\Nexecutable is just called AnyConnect. The Dialogue: 0,0:34:49.82,0:34:56.21,Default,,0000,0000,0000,,network extension is implemented in the\NACExtension binary. 
Beside these, there Dialogue: 0,0:34:56.21,0:35:01.80,Default,,0000,0000,0000,,are also several other app extension\Nimplementations for the iOS sharing and Dialogue: 0,0:35:01.80,0:35:08.91,Default,,0000,0000,0000,,Siri functionality. So what happens if you\Npress the connect slider? After you hit Dialogue: 0,0:35:08.91,0:35:13.33,Default,,0000,0000,0000,,the slider, the network extension is\Nstarted and negotiation of the VPN session Dialogue: 0,0:35:13.33,0:35:19.06,Default,,0000,0000,0000,,begins. After that, network\Ninformation like IP addresses, subnet Dialogue: 0,0:35:19.06,0:35:23.13,Default,,0000,0000,0000,,mask, routes, DNS, MTU and more is\Npassed to the iOS system to complete the Dialogue: 0,0:35:23.13,0:35:29.39,Default,,0000,0000,0000,,negotiation. In the end, you have a new\Nand hopefully functional tunnel interface Dialogue: 0,0:35:29.39,0:35:36.93,Default,,0000,0000,0000,,called utun. So new traffic from apps passes\Nthrough the network stack until it arrives Dialogue: 0,0:35:36.93,0:35:41.62,Default,,0000,0000,0000,,at the tunnel interface. It can then be\Nhandled by the network extension's Packet Dialogue: 0,0:35:41.62,0:35:48.27,Default,,0000,0000,0000,,Tunnel Provider. Every time a packet\Narrives on a tunnel interface, it is read Dialogue: 0,0:35:48.27,0:35:54.19,Default,,0000,0000,0000,,by the network extension and encapsulated\Nwith the tunneling protocol. Every time a Dialogue: 0,0:35:54.19,0:35:59.02,Default,,0000,0000,0000,,packet arrives on the tunnel interface, it\Nis read by the network extension and Dialogue: 0,0:35:59.02,0:36:04.66,Default,,0000,0000,0000,,encapsulated with the tunneling protocol.\NUpon arrival on the VPN server, the packet Dialogue: 0,0:36:04.66,0:36:10.15,Default,,0000,0000,0000,,is decapsulated and sent to its final\Ndestination. 
Similarly, the replies are then Dialogue: 0,0:36:10.15,0:36:14.69,Default,,0000,0000,0000,,encapsulated and sent to the client, which then\Ndecapsulates the packet and injects it Dialogue: 0,0:36:14.69,0:36:20.50,Default,,0000,0000,0000,,back into the network stack. So that\Nshould be it for the iOS client, just to Dialogue: 0,0:36:20.50,0:36:23.83,Default,,0000,0000,0000,,give you a quick overview and highlight\Nsome key differences between the Dialogue: 0,0:36:23.83,0:36:30.93,Default,,0000,0000,0000,,architectures. We are still investigating\Nboth Linux and iOS platforms, but until Dialogue: 0,0:36:30.93,0:36:35.70,Default,,0000,0000,0000,,now, we can summarize our findings as\Nfollows: AnyConnect in general is a huge Dialogue: 0,0:36:35.70,0:36:42.53,Default,,0000,0000,0000,,application with lots of code and also\Nlots of unused library related code. We Dialogue: 0,0:36:42.53,0:36:48.51,Default,,0000,0000,0000,,discovered three vulnerabilities through\Ndesign analysis. Vpnagentd runs with root Dialogue: 0,0:36:48.51,0:36:53.53,Default,,0000,0000,0000,,permissions and receives commands or\Noperations from unprivileged processes via Dialogue: 0,0:36:53.53,0:36:59.55,Default,,0000,0000,0000,,unauthenticated IPC messages, which is\Ngenerally a bit risky. Not all security Dialogue: 0,0:36:59.55,0:37:04.00,Default,,0000,0000,0000,,mechanisms and patches are actually\Nincluded on all platforms. For example, Dialogue: 0,0:37:04.00,0:37:08.62,Default,,0000,0000,0000,,the downgrade was only possible on Linux\Nand already patched on Windows and macOS Dialogue: 0,0:37:08.62,0:37:14.37,Default,,0000,0000,0000,,according to Cisco. The downgrade\Nvulnerability is not possible on mobile, Dialogue: 0,0:37:14.37,0:37:19.43,Default,,0000,0000,0000,,as the auto update feature is limited to\NLinux, Windows and macOS. 
Similarly, the Dialogue: 0,0:37:19.43,0:37:24.12,Default,,0000,0000,0000,,Bring Your Own Script does also not apply\Non mobile, as deployment of OnConnect and Dialogue: 0,0:37:24.12,0:37:29.18,Default,,0000,0000,0000,,OnDisconnect scripts is also limited to\NLinux, Windows and macOS. Regarding the Dialogue: 0,0:37:29.18,0:37:34.01,Default,,0000,0000,0000,,local policy file on Linux, our idea would\Nbe to make it as restrictive as possible Dialogue: 0,0:37:34.01,0:37:39.22,Default,,0000,0000,0000,,and require some kind of opt-in for\Nscripting functionality. This would Dialogue: 0,0:37:39.22,0:37:44.14,Default,,0000,0000,0000,,prevent many attacks but of course, it\Nwould also impact the usability a bit. Dialogue: 0,0:37:44.14,0:37:48.78,Default,,0000,0000,0000,,Despite the app being available for many\Nyears, we show that there are still many Dialogue: 0,0:37:48.78,0:37:54.28,Default,,0000,0000,0000,,bugs to find. The introduction of bug\Nbounties would be a great option to Dialogue: 0,0:37:54.28,0:38:00.86,Default,,0000,0000,0000,,motivate more security researchers to\Ncheck the application for vulnerabilities. Dialogue: 0,0:38:00.86,0:38:06.80,Default,,0000,0000,0000,,The use of a VPN promises security and\Nprivacy for users, however closed source Dialogue: 0,0:38:06.80,0:38:11.05,Default,,0000,0000,0000,,software opens new attack vectors on a\Nsystem as our research on AnyConnect Dialogue: 0,0:38:11.05,0:38:16.56,Default,,0000,0000,0000,,shows. We hope that more research will be\Ndone on clients in the future and that our Dialogue: 0,0:38:16.56,0:38:24.46,Default,,0000,0000,0000,,work will pave the way for this. So that\Nwas it. Thank you very much for your Dialogue: 0,0:38:24.46,0:38:29.61,Default,,0000,0000,0000,,attention and if you have any questions,\Nfeel free to ask. Dialogue: 0,0:38:30.70,0:38:35.60,Default,,0000,0000,0000,,H: Well, welcome back. 
So that was the\Npre-recording of the super interesting Dialogue: 0,0:38:35.60,0:38:41.24,Default,,0000,0000,0000,,talk about Very Pwnable Networks. I'm sure\Nyou've seen how pwnable they really are Dialogue: 0,0:38:41.24,0:38:48.63,Default,,0000,0000,0000,,and luckily, we now have Jiska and Gerbert\Nand Matthias with us today through the Dialogue: 0,0:38:48.63,0:38:56.50,Default,,0000,0000,0000,,magic of the Internet. And if you haven't\Nwritten out your question yet, please do Dialogue: 0,0:38:56.50,0:39:05.87,Default,,0000,0000,0000,,so now so we can still answer them. Either\Nby going to the IRC channel rc3-cwtv on Dialogue: 0,0:39:05.87,0:39:12.22,Default,,0000,0000,0000,,the hackened network or just posting a\Ntweet or a toot with your favorite social Dialogue: 0,0:39:12.22,0:39:19.49,Default,,0000,0000,0000,,media network of choice containing the\Nhashtag #rc3cwtv this time without any Dialogue: 0,0:39:19.49,0:39:27.63,Default,,0000,0000,0000,,dash, very important. So our Signal Angel\Nhas collected some questions for us that I Dialogue: 0,0:39:27.63,0:39:33.28,Default,,0000,0000,0000,,am now going to be torturing the three\Npeople here with. So let's see what you Dialogue: 0,0:39:33.28,0:39:41.80,Default,,0000,0000,0000,,will say to those. Oh, but I think pretty,\Npretty tame, huh? So first question: is Dialogue: 0,0:39:41.80,0:39:45.84,Default,,0000,0000,0000,,there any page or wiki where this\Ninformation can be found? Dialogue: 0,0:39:45.84,0:39:53.15,Default,,0000,0000,0000,,G: At the moment, it is not published yet.\NI think we will publish - publish it in Dialogue: 0,0:39:53.15,0:39:58.95,Default,,0000,0000,0000,,near future on the GitHub or some similar\Nplatform. 
Dialogue: 0,0:39:58.95,0:40:02.94,Default,,0000,0000,0000,,H: Is there any way that people can find\Nthis link then when you eventually will Dialogue: 0,0:40:02.94,0:40:07.63,Default,,0000,0000,0000,,publish it in the future?\NG: I think Jiska can say something to this Dialogue: 0,0:40:07.63,0:40:10.58,Default,,0000,0000,0000,,J: Yeah so SEEMOO has a GitHub page and Dialogue: 0,0:40:10.58,0:40:16.25,Default,,0000,0000,0000,,also a Twitter account, so it will be\Npublished. But I mean, there's still a few Dialogue: 0,0:40:16.25,0:40:21.68,Default,,0000,0000,0000,,things that we didn't like - that are not\Npublic yet. So yeah, and then we would Dialogue: 0,0:40:21.68,0:40:27.42,Default,,0000,0000,0000,,just make one release not like this CVE\Nand that CVE, but like all at once. Dialogue: 0,0:40:27.42,0:40:31.52,Default,,0000,0000,0000,,H: Yeah. Make - makes more of an impact\Nthis way and also better, better Dialogue: 0,0:40:31.52,0:40:38.16,Default,,0000,0000,0000,,disclosure. I like that. And the next\Nquestion is: will this VPN event only be Dialogue: 0,0:40:38.16,0:40:46.42,Default,,0000,0000,0000,,about Cisco? So yes, you've only looked at\NCisco, right? In this case. Um, maybe you Dialogue: 0,0:40:46.42,0:40:50.73,Default,,0000,0000,0000,,can tell us something if maybe you have\Nlooked at other VPN vendors as to Dialogue: 0,0:40:50.73,0:40:55.59,Default,,0000,0000,0000,,something that other VPN vendors might\Nhave an issue with as well? Maybe. Dialogue: 0,0:40:55.59,0:41:01.67,Default,,0000,0000,0000,,M: Yeah, we've done this research as part\Nof a master's thesis, and therefore it's Dialogue: 0,0:41:01.67,0:41:10.06,Default,,0000,0000,0000,,only about Cisco AnyConnect and yeah, we\Ndid not have the time to - or yeah. Yeah. Dialogue: 0,0:41:10.06,0:41:14.41,Default,,0000,0000,0000,,To look at other VPN services, just for\Nthe AnyConnect. 
Dialogue: 0,0:41:14.41,0:41:19.63,Default,,0000,0000,0000,,H: Yeah, the typical Master's view writing\Nit hyped up on coffee for the last few Dialogue: 0,0:41:19.63,0:41:25.19,Default,,0000,0000,0000,,weeks before the deadline. Yeah, I can\Nimagine that you focused on Cisco there. Dialogue: 0,0:41:25.19,0:41:30.63,Default,,0000,0000,0000,,Um, another very good question: Are these\Nvulnerabilities also present in other - in Dialogue: 0,0:41:30.63,0:41:35.04,Default,,0000,0000,0000,,other AnyConnect-like clients like the\Nones integrated into NetworkManager in Dialogue: 0,0:41:35.04,0:41:40.31,Default,,0000,0000,0000,,Linux? I think they're talking especially\Nabout OpenConnect. Yeah, that's just Dialogue: 0,0:41:40.31,0:41:45.75,Default,,0000,0000,0000,,coming in. Um, we talked about this\Nbefore a little bit so you probably have Dialogue: 0,0:41:45.75,0:41:50.21,Default,,0000,0000,0000,,something to say about that.\NG: As far as we know there's - in Dialogue: 0,0:41:50.21,0:41:57.00,Default,,0000,0000,0000,,OpenConnect there is no scripting -\Nscripting feature enabled or integrated. Dialogue: 0,0:41:57.00,0:42:03.63,Default,,0000,0000,0000,,So we would say these kinds of attacks are\Nnot yet possible, but uh - Dialogue: 0,0:42:03.63,0:42:10.56,Default,,0000,0000,0000,,M: That would be possible if someone is\Nable to check this and, yeah, have a look Dialogue: 0,0:42:10.56,0:42:15.68,Default,,0000,0000,0000,,into OpenConnect too, yeah.\NH: Hmm, yeah, not yet known to be Dialogue: 0,0:42:15.68,0:42:24.06,Default,,0000,0000,0000,,possible. Let's - let's say it like that.\NYou never know. Any other questions from Dialogue: 0,0:42:24.06,0:42:31.44,Default,,0000,0000,0000,,chat, from Twitter or Mastodon? Now's the\Ntime. Give out your questions. Otherwise, Dialogue: 0,0:42:31.44,0:42:40.48,Default,,0000,0000,0000,,this would have been a very short Q&A. 
So\Nif you go to the rc3-cwtv channel on the Dialogue: 0,0:42:40.48,0:42:49.32,Default,,0000,0000,0000,,hackened IRC network or post a tweet or a\Ntoot with the hashtag #rc3cwtv this time Dialogue: 0,0:42:49.32,0:42:56.15,Default,,0000,0000,0000,,without any dash. Umm, do it now, and\Nhopefully I will still catch this Dialogue: 0,0:42:56.15,0:43:00.89,Default,,0000,0000,0000,,through the magic of the Signal Angel that\Nis collecting all this information for me. Dialogue: 0,0:43:00.89,0:43:05.55,Default,,0000,0000,0000,,And yeah, maybe anything that you want to\Nadd or any other new topics that you're Dialogue: 0,0:43:05.55,0:43:09.34,Default,,0000,0000,0000,,working on, something that might be\Nupcoming. Maybe we can get a sneak Dialogue: 0,0:43:09.34,0:43:13.59,Default,,0000,0000,0000,,preview. I'm sure you're still continuing\Nthe research there - and Dialogue: 0,0:43:13.59,0:43:15.80,Default,,0000,0000,0000,,J: Sorry I needed to unmute myself. Not Dialogue: 0,0:43:15.80,0:43:20.25,Default,,0000,0000,0000,,spoilering yet but I mean, the issue like\Njust looking into one VPN client it's Dialogue: 0,0:43:20.25,0:43:25.84,Default,,0000,0000,0000,,also, if it is proprietary, then just\Nreversing is a lot, a lot, a lot of work. Dialogue: 0,0:43:25.84,0:43:32.63,Default,,0000,0000,0000,,I mean, I can tell you a story about like,\Nlooking into binaries for months, and so Dialogue: 0,0:43:32.63,0:43:37.82,Default,,0000,0000,0000,,it doesn't really scale to look into like\N10 different clients, at least if you want Dialogue: 0,0:43:37.82,0:43:44.48,Default,,0000,0000,0000,,to have meaningful findings.\NH: Yeah, but like you don't have any any Dialogue: 0,0:43:44.48,0:43:51.35,Default,,0000,0000,0000,,other plans to, you know, look at any\Nother clients that get any requests or any Dialogue: 0,0:43:51.35,0:43:56.61,Default,,0000,0000,0000,,triggers that would point you there. 
Maybe\Nhaving a new phone and a new client and Dialogue: 0,0:43:56.61,0:44:02.31,Default,,0000,0000,0000,,noticing new strange things? No? - Okay.\NG: Not yet. Dialogue: 0,0:44:02.31,0:44:06.01,Default,,0000,0000,0000,,J: Yeah.\NG: But, but yes, Matthias is still working Dialogue: 0,0:44:06.01,0:44:10.93,Default,,0000,0000,0000,,on it. I think he will find something in\Nthe future. M: hopefully. Dialogue: 0,0:44:10.93,0:44:21.04,Default,,0000,0000,0000,,H: Yeah. Yeah. I guess that's pretty much\Nall the last questions, except one: There Dialogue: 0,0:44:21.04,0:44:26.34,Default,,0000,0000,0000,,are two shadows behind you Jiska, is that\Nthe shadow cabinet? Dialogue: 0,0:44:26.34,0:44:29.63,Default,,0000,0000,0000,,J: No, no, no. I just have multiple lamps\Nhere. So - Dialogue: 0,0:44:29.63,0:44:31.48,Default,,0000,0000,0000,,H: Yeah, yeah, it's funny everyone <??> Dialogue: 0,0:44:31.48,0:44:34.51,Default,,0000,0000,0000,,J: At least it's only showing my shadow\Nduplicate. Not - not me. Dialogue: 0,0:44:34.51,0:44:39.74,Default,,0000,0000,0000,,H: Yeah. But we're quite lucky that at\Nleast in this talk, the connection seems Dialogue: 0,0:44:39.74,0:44:46.09,Default,,0000,0000,0000,,to be working fine. We've been having some\Nissues here. Yeah, but that's great. If Dialogue: 0,0:44:46.09,0:44:51.28,Default,,0000,0000,0000,,you have any other questions, I think\Nwe'll wrap it up here not to keep you Dialogue: 0,0:44:51.28,0:44:57.42,Default,,0000,0000,0000,,around much longer. I'm sure you're eager\Nto jump around the rc3 world, and if you Dialogue: 0,0:44:57.42,0:45:03.47,Default,,0000,0000,0000,,have anything else, maybe you can join us\Nin the IRC later. If there are any other Dialogue: 0,0:45:03.47,0:45:08.86,Default,,0000,0000,0000,,questions, maybe they will look there for\Na short while or I will forward those Dialogue: 0,0:45:08.86,0:45:12.24,Default,,0000,0000,0000,,questions. Right then.\NJ: Thank you. 
Dialogue: 0,0:45:12.24,0:45:16.57,Default,,0000,0000,0000,,H: I thank you very much for the super\Ninteresting talk. I learned something new Dialogue: 0,0:45:16.57,0:45:20.81,Default,,0000,0000,0000,,about the VPN client that I came into\Ncontact with during my work time as well. Dialogue: 0,0:45:20.81,0:45:28.17,Default,,0000,0000,0000,,So interesting for me too. And yeah, let's\Nkeep it at that. Dialogue: 0,0:45:28.17,0:45:35.75,Default,,0000,0000,0000,,{\i1}postroll music{\i0} Dialogue: 0,0:45:35.75,0:45:52.56,Default,,0000,0000,0000,,Subtitles created by c3subtitles.de\Nin the year 2022. Join, and help us! Dialogue: 0,0:45:52.56,0:45:59.00,Default,,0000,0000,0000,,[Translated by {Iikka}{Yli-Kuivila}\N(ITKST56 course assignment at JYU.FI)]