Posts Tagged ‘Winblows’

your money is safe with microsoft… really…

Wednesday, April 13th, 2005

I was walking through the Memorial Union earlier today and I was amused to see that one of the ATMs (Bank One?) had crashed out to a Windows XP login screen. That makes me feel really good about how safe my money is…

circumventing smartenforcer

Thursday, March 24th, 2005

Update 2005/08/25: Will this work on Cisco Clean Access (the new name for SmartEnforcer)? I don’t know, I haven’t tried it and don’t plan to until the next time I have to connect a Windows machine to a network with this crap on it. This “Cisco Clean Access Agent (Perfigo) installation bypass” report says that it does, though. Bastard stole my idea. I should have thought to post this to SecurityFocus earlier this year. Oh well.

Well damn. I had a whole post written out and then X crashed on me and took my post with it. It’s late, I don’t feel like writing the whole thing all over again, so I’ll be brief (yay):

Intro
ASU, along with many other universities, uses a set of programs from Perfigo (now owned by Cisco) known as CleanMachines. The purpose is to keep the network safe and healthy by scanning machines for vulnerabilities before allowing them to connect to the Internet. While this is a great idea, it causes many problems. As one school paper reports, there are many “student complaints about slow performance and frequent disconnections.” I also don’t appreciate the invasion of privacy in installing a program that will scan my computer and report its findings to its evil, faceless masters. Luckily, I use Linux and there is only a Windows client, so I don’t have to deal with the client software. In connecting another machine, however, I discovered that it is both possible and quite easy to trick SmartServer or SmartEnforcer or whatever into thinking you’re running a different OS. Apparently their idea of OS detection is simply checking the user-agent field from the browser (the info a browser sends about your computer when it visits a web page), which is plenty easy to spoof. Talk about weak.

Exploit details/Howto
First, a warning/disclaimer: if you’re attending a university using this program, trying to circumvent Smart Enforcer is most likely against their network use policy (the one that no one reads). My intention is to show the ridiculous weaknesses of this system and that trying to force client-side scanning like this – in addition to the privacy concerns – just doesn’t work. Hopefully that will cover my ass enough in case any suits wander by…

There are a couple steps to it, but it’s really pretty easy and even a novice could accomplish it. This assumes that you’re using Firefox. You are using Firefox, right?

  1. Install the “User Agent Switcher” extension.
  2. After restarting your browser, go to Tools > User Agent Switcher > Options > Options…, click on “User Agents” and click “Add…” Enter the following in each field:
    Description: Firefox 1.0.1 (Linux i686)
    User Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1
    App Name: Netscape
    App Version: 5.0 (X11; en-US)
    Platform: Linux i686
    Vendor: Firefox
    Vendor Sub: 1.0.1
  3. Click Tools > User Agent Switcher > Firefox 1.0.1 (Linux i686).
  4. Open the school’s DHCP registration page (https://author1.asu.edu/dhcp for ASU), log in, and Smart whatever will now think you’re running Linux and let you connect without a problem. This is what perfectly good tuition money is going towards.
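
The weakness described in the Intro, seen from the network operator's side, as an added example that is not part of the original post and is not Perfigo's or Cisco's code: a policy that lets the claimed OS decide enforcement, next to one that treats the User-Agent as an unverified claim. The decision names, the `independent_os` signal (standing in for any OS evidence the browser does not control) and the Windows User-Agent string are assumptions constructed for illustration.

```python
import re

# Constructed sample headers. The Linux string is the one quoted in the post;
# the Windows string is a constructed counterpart for comparison.
WINDOWS_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1"
LINUX_UA = "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1"


def claimed_os(user_agent):
    """OS family the browser *claims*. This is client-supplied text, nothing more."""
    if re.search(r"Windows", user_agent):
        return "windows"
    if re.search(r"Linux", user_agent):
        return "linux"
    return "unknown"


def weak_decision(user_agent):
    """The design the post describes: the claimed OS alone decides enforcement."""
    return "scan_required" if claimed_os(user_agent) == "windows" else "allow"


def hardened_decision(user_agent, independent_os, agent_attested):
    """The User-Agent never grants access; it is only compared with other evidence.

    independent_os: hypothetical OS hint from a source the browser does not
                    control (None when no such evidence is available).
    agent_attested: True when the client agent has reported a passing scan.
    """
    claim = claimed_os(user_agent)
    if agent_attested:
        return "allow"
    if independent_os is not None and independent_os != claim:
        return "quarantine_and_alert"  # claim contradicts network-side evidence
    if claim == "windows":
        return "scan_required"
    return "restricted_vlan"  # no agent for this OS: limited access, not full trust
```

The hardened variant fails closed: a host with no agent attestation gets limited access regardless of what its browser says, and a contradiction between the header and independent evidence becomes an alert instead of a pass.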

Gates embarrassed, again

Thursday, January 6th, 2005

Similar to the embarrassing Windows 98 crash during Bill Gates’s presentation of it at Comdex ’98, yesterday his brand-spanking-new Windows Media Center PC took a nosedive on him and froze up, while later a new game went down in a BSoD blaze of glory.