Is there any way to prevent Cisco AnyConnect client to update /etc/resolv.conf on a GNU/Linux box?
-
Is using `vpnc` an option? – fuero Oct 09 '13 at 06:37
-
I know this can be configured in vpnc, but currently I only can use Cisco AnyConnect. – mehturt Oct 09 '13 at 06:47
2 Answers
Newer versions of AnyConnect (above 4.3.05017, as mentioned by @David G) fail when they are not able to modify /etc/resolv.conf.
What worked for me was to modify the binary /opt/cisco/anyconnect/bin/vpnagentd and change the occurrence of /etc/resolv.conf inside the file to something else (I chose to change only one letter in it, making it /etc/Xesolv.conf).
In version 4.8.03043 the string is located at offset 817635, so something like:

```
echo -n "X" | dd of=/opt/cisco/anyconnect/bin/vpnagentd bs=1 seek=817635 count=1 conv=notrunc
```

would work.
However, the following python3 script should possibly do the trick on future versions. Be sure to make a copy of the vpnagentd file first, just in case, as the script modifies it in place.
```python
#!/usr/bin/env python3
import re

filename = "/opt/cisco/anyconnect/bin/vpnagentd"
# find the first occurrence of the C string "resolv.conf" (ending with a 0 byte)
find = rb'resolv\.conf\x00'
# replacement byte(s): we change only the first letter to X
replace = rb'X'

with open(filename, "rb") as binfile:
    bincontent = binfile.read()
match = re.search(find, bincontent)
# on an already patched binary `match` is None and the next line raises AttributeError
offset = match.start()
print(f"Found at offset {offset}")

with open(filename, 'rb+') as binfile:
    binfile.seek(offset)
    print(binfile.read(1))  # the byte about to be replaced (b'r')
    binfile.seek(offset)    # read(1) advanced the position; go back so X lands on the 'r'
    binfile.write(replace)
```
Make sure to stop the vpnagentd service first (e.g. systemctl stop vpnagentd) or you'll get:

```
OSError: [Errno 26] Text file busy: '/opt/cisco/anyconnect/bin/vpnagentd'
```
When run successfully it should output something like:

```
$ sudo ./patch.py
Found at offset 817635
b'r'
```
Any subsequent run will not find the pattern (and that's OK) and will fail with:

```
$ sudo ./patch.py
Traceback (most recent call last):
  File "./patch.py", line 16, in <module>
    offset=match.start()
AttributeError: 'NoneType' object has no attribute 'start'
```

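The answer above patches the first match only, crashes with an AttributeError when re-run, and leaves the backup to the reader. Below is an added example (not code from the original answer or from Cisco) that does the same in-place string patch in a more defensive way: it backs up the binary, rewrites every NUL-terminated occurrence of the string, keeps the replacement the same length so no offsets in the file move, and reports "already patched" instead of failing on a second run. The path /opt/cisco/anyconnect/bin/vpnagentd and the /etc/Xesolv.conf replacement are taken from the answer; everything else is an assumption for illustration. As the comments on this answer report, it cannot help on versions that verify the binary's own signature at start-up: any byte change will then fail that check.

```python
#!/usr/bin/env python3
"""Defensive in-place string patcher for vpnagentd (added example, not the
answer's script).  Run as root with the vpnagentd service stopped."""
from __future__ import annotations
import re
import shutil
import sys
import time

DEFAULT_BINARY = "/opt/cisco/anyconnect/bin/vpnagentd"  # path from the answer
TARGET = b"/etc/resolv.conf"                              # C string to neutralise
PATCHED = b"/etc/Xesolv.conf"                             # same length, as in the answer


def find_cstrings(blob: bytes, needle: bytes) -> list[int]:
    """Offsets of every occurrence of `needle` that is NUL-terminated,
    i.e. a complete C string rather than a prefix of a longer one."""
    pattern = re.escape(needle) + rb"\x00"
    return [m.start() for m in re.finditer(pattern, blob)]


def patch_bytes(blob: bytes, target: bytes = TARGET,
                replacement: bytes = PATCHED) -> tuple[bytes, list[int]]:
    """Return (new_blob, offsets) with each C-string `target` replaced.
    Lengths must match so the binary's layout (and other offsets) stay intact."""
    if len(target) != len(replacement):
        raise ValueError("replacement must be the same length as the target")
    offsets = find_cstrings(blob, target)
    buf = bytearray(blob)
    for off in offsets:
        buf[off:off + len(target)] = replacement
    return bytes(buf), offsets


def patch_file(path: str = DEFAULT_BINARY, backup: bool = True) -> list[int]:
    """Patch `path` in place; returns the offsets changed ([] if already done)."""
    with open(path, "rb") as f:
        blob = f.read()
    if not find_cstrings(blob, TARGET):
        if find_cstrings(blob, PATCHED):
            print(f"{path}: already patched")
            return []
        raise SystemExit(f"{path}: {TARGET!r} not found, refusing to guess")
    new_blob, offsets = patch_bytes(blob)
    if backup:
        bak = f"{path}.bak-{time.strftime('%Y%m%d%H%M%S')}"
        shutil.copy2(path, bak)          # keeps mode bits, so it can be restored as-is
        print(f"backup written to {bak}")
    # 'rb+' fails with 'Text file busy' if vpnagentd is still running
    with open(path, "rb+") as f:
        f.seek(0)
        f.write(new_blob)                # same length, nothing is truncated
    with open(path, "rb") as f:          # read back and verify the write
        if f.read() != new_blob:
            raise SystemExit(f"{path}: verification failed, restore the backup")
    print(f"patched {len(offsets)} occurrence(s) at offsets {offsets}")
    return offsets


if __name__ == "__main__":
    patch_file(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_BINARY)
```

Because the replacement keeps the string length, the `dd ... conv=notrunc` approach and this script leave an identical file apart from the changed letters; restoring is a `cp` of the `.bak-*` file back over the binary.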
-
This is great, the best kind of hacky! I can confirm that this works on version 4.10.01075. Maybe another note to mention: you should start `vpnagentd` after modification - anyconnect doesn't start it back up on its own – the-lay Feb 10 '22 at 20:10
-
Unfortunately this hack doesn't work anymore. 4.10.05111 refuses to start after patching and logs ```Nov 26 13:10:51 ky-All-Series acvpnagent[1987596]: Function: IsValid File: ../../vpn/CommonCrypt/VerifyFileSignatureOpenSSL.cpp Line: 244 Invoked Function: COpenSSLCertificate::VerifyBufferSignature Return Code: -31391730 (0xFE21000E) Description: CERTIFICATE_ERROR_SIGN_VERIFY_FAILED File (/opt/cisco/anyconnect/bin/vpnagentd)``` – Maxim Ky Nov 26 '22 at 10:14
-
@MaximKy only the python patch script will work with versions other than 4.8.03043. I have succeeded patching 4.10.05095 with it (the offset is: 834244). Also, the error you are having indicates a different problem. If the patching goes wrong the process will most likely crash. It's unlikely that it will produce any error. – Emsi Dec 19 '22 at 11:02
-
@Emsi I ran patch.py and it printed the "Found at offet blahblah" line. But systemd service doesn't start with the mentioned error. I guess that vpnagentd 4.10.05111 self-checks on the start and expects the signature/checksum to match. – Maxim Ky Dec 21 '22 at 14:22
This was answered over on SuperUser; essentially, just make the file immutable. Set the content of /etc/resolv.conf however you want and then make it immutable with the command

```
chattr +i /etc/resolv.conf
```

I would suggest adding a note to the file indicating that you have set it immutable before you set it immutable, to prevent future confusion.

-
It would be good to add the details of how to make the file immutable in the case that the question on SU gets deleted at some point, which would essentially cause the link to break for anyone with < 10K rep on SU. – squillman Nov 20 '14 at 16:31
-
Thanks, that makes sense. However I'm using multiple VPNs, some of which I want to overwrite the resolv.conf. When I change it to immutable, the other vpns won't be able to modify it as well. – mehturt Nov 21 '14 at 11:52
-
At the present time, with Ubuntu 18.04 and AnyConnect Secure Mobility Client version 4.3.05017, making `/etc/resolv.conf` immutable prevents the client from connecting. This is really annoying. – David G May 30 '20 at 17:52
-
Can confirm the hint from @DavidG; AnyConnect Secure Mobility Client Version 4.10.06079 on Linux Mint 21.1 won't establish a connection when /etc/resolv.conf was set immutable. – Claudio Kuenzler Apr 09 '23 at 11:12