Date: Tue, 13 Apr 1999 20:14:49 +0200
From: Patrick Oonk <patrick@pine.nl>
To: BUGTRAQ@netspace.org
Subject: Serious security holes in web anonymizing services

From: "Richard M. Smith" <smiths@tiac.net>
Subject: Serious security holes in Web anonymizing services
Date: Sun, 11 Apr 1999 19:23:25 -0400
Newsgroups: comp.security.misc
Organization: The Internet Access Company, Inc.

Hello,

I found very serious security holes in all of the major anonymous Web surfing services (Anonymizer, Aixs, LPWA, etc.). These security holes allow a Web site to obtain information about users that the anonymizing services are supposed to be hiding. This message provides complete details of the problem and offers a simple work-around for users until the security holes are fixed.

The April 8th issue of the New York Times has an article by Peter H. Lewis in the Circuits section that describes various types of services that allow people to anonymously surf the Web. The article is entitled "Internet Hide and Seek" and is available at the NY Times Web site:

http://www.nytimes.com/library/tech/99/04/circuits/articles/08pete.html

(Note, this article can only be viewed if you have a free NY Times Web account.)

The three services described in the article are:

Anonymizer (http://www.anonymizer.com)
Bell Labs (http://www.bell-labs.com/project/lpwa)
Naval Research Laboratory (http://www.onion-router.net)

In addition, I found a pointer to a fourth service in a security newsgroup:

Aixs (http://aixs.net/aixs/)

The best known of these services is the Anonymizer at www.anonymizer.com. However, all four services basically work in the same manner. They are intended to hide information from a Web site when visited by a user. The services prevent the Web site from seeing the IP address, host computer name, and cookies of a user. All the services act as proxies, fetching pages from Web sites instead of users going directly to Web sites. The services make the promise that they don't pass private information along to Web sites. They also do no logging of Web sites that have been visited.

After reading the article, I was curious to find out how well each of these services worked. In particular, I wanted to know if it would be possible for a Web site to defeat any of these systems. Unfortunately, with less than an hour's worth of work, I was able to get all four systems to fail when using Netscape 4.5.

The most alarming failures occurred with the Anonymizer and Aixs systems. With the same small HTML page I was able to quietly turn off the anonymizing feature in both services. Once this page runs, it quickly redirects to a regular Web page of the Web site. Because the browser is no longer in anonymous mode, IP addresses and cookies are again sent from the user's browser to all Web servers. This security hole exists because both services fail to properly strip out embedded JavaScript code in all cases from HTML pages.

With the Bell Labs and NRL systems I found a different failure. With a simple JavaScript expression I was able to query the IP address and host name of the browser computer. The query was done by calling the Java InetAddress class using the LiveConnect feature of Netscape Navigator. Once JavaScript has this information, it can easily be transmitted back to a Web server as part of a URL. A demo on the use of the Java InetAddress class to fetch the browser IP address and host name can be found at:

http://www.tiac.net/users/smiths/js/livecon/index.htm

If you are a user of any of these services, I highly recommend that you turn off JavaScript, Java, and ActiveX controls in your browser before surfing the Web. This simple precaution will prevent any leaks of your IP address or cookies. I will be notifying all 4 vendors about these security holes and hopefully this same recommendation will be given to all users.

If you have any questions or comments, please send them via Email.

Richard M. Smith
smiths@tiac.net

--
Patrick Oonk - http://patrick.mypage.org/ - patrick@pine.nl
Pine Internet B.V. Consultancy, installatie en beheer
Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/
--
Pine Security Digest - http://security.pine.nl/ (Dutch)
----
Excuse of the day: bugs in the RAID

---------------------------------------------------------------------
[http://www.tiac.net/users/smiths/js/livecon/index.htm]

<html>
<head>
<title>Using Java objects in JavaScript with Netscape's LiveConnect</title>
<!-- Copyright (C) 1999 Richard M. Smith, All rights reserved -->
</head>
<body>
<h3>Using Java objects in JavaScript with Netscape's LiveConnect</h3>
<hr>
<!-- common.js (not reproduced here) supplies JSDirectoryLine(),
     evalTableEntry_IENA(), DescStart() and DescEnd(). evalTableEntry_IENA()
     evaluates a JavaScript expression and adds a table row with the
     expression, its result, and a comment. -->
<script src="../../utils/common.js"></script>
<script>JSDirectoryLine("LiveConnect and Java objects");</script>
<table border=1>
<tr><th align=center>Expression</th><th align=center>Result</th><th align=center>Comments</th></tr>
<script>
evalTableEntry_IENA('mydate = new java.util.Date()', "Make a Java <i>Date</i> object");
evalTableEntry_IENA('typeof(mydate)', "The type of a Java object is <i>object</i>");
evalTableEntry_IENA('mydate.toString()', "Convert the <i>Date</i> to a string");
evalTableEntry_IENA('typeof(mydate.toString())', "Oops, it's <b>not</b> a JavaScript string");
evalTableEntry_IENA('mydate + ""', "Here is another approach to do a string conversion");
evalTableEntry_IENA('typeof(mydate + "")', "This time we get a JavaScript string");
evalTableEntry_IENA('mydate.getMonth()', "Get the month field of the <i>Date</i> object");
evalTableEntry_IENA('typeof(mydate.getMonth())', "The getMonth() method returns a number as it should");
<!-- The two entries below are the ones that matter for anonymizing services:
     LiveConnect lets page JavaScript reach the local Java runtime directly. -->
evalTableEntry_IENA('java.net.InetAddress.getLocalHost().getHostAddress()', "Get the IP address of the local machine");
evalTableEntry_IENA('java.net.InetAddress.getLocalHost().getHostName()', "Get the local machine name");
</script>
</table>
<br>
<script>DescStart();</script>
<b>Note 1:</b> Because Internet Explorer 4 does not support LiveConnect, Java classes cannot be called directly from JavaScript. Instead, a Java applet must be created which exposes the various Java classes needed by JavaScript. The same Java applet can be used both with Internet Explorer 4 and Netscape Navigator.
<p>
<b>Note 2:</b> Java exceptions cannot be handled by JavaScript with LiveConnect. Java exceptions are reported by JavaScript as errors. A Java applet is required to be able to trap Java exceptions.
<script>DescEnd();</script>
</body>
</html>

--------------------------------------------------------------------------------------------
http://www.wired.com/news/print_version/technology/story/19091.html?wnpg=all

Anonymous Web Surfing? Uh-Uh
by Chris Oakes - chriso@wired.com
2:25 p.m. 13.Apr.99.PDT

People who think they're cruising the Web in a stealth vehicle may find that their license plates are still showing.

"Anonymizer" services admit that their attempts to protect individual Web identities aren't bulletproof, but say that browsing technologies should share the blame.

Programmer Richard Smith, who has a history of poking holes in supposedly secure software programs, tested four anonymizer Web services and came away unimpressed. On Monday, Smith said that results revealed a variety of data leaks, causing him to worry that users might browse with a false sense of security.

"I was surprised that companies who are in the computer security business have systems that are so easy to break," he said. "Even more surprising is that four vendors had a problem, not just one."

The leaks provide clues to a user's identification, such as a numerical Internet, or IP, address.

"I found very serious security holes in all of the major anonymous Web surfing services," Smith said. "These security holes allow a Web site to obtain information about users that the anonymizing services are supposed to be hiding."
Representatives of the services acknowledge that security lapses occur, but argue that the browsing software is as much to blame as they are. They're quick to add that they patch holes when they can.

Smith tested the Anonymizer, Aixs, the Lucent Personalized Web Assistant, and a US Navy-sponsored research project called the Onion Routing service.

http://www.anonymizer.com/
http://aixs.net/aixs/
http://www.bell-labs.com/project/lpwa/
http://www.onion-router.net/

Although the characteristics of each service vary, they primarily use data-stripping and proxy-masking techniques to conceal key data that browser software can leave behind.

The Anonymizer recently announced an anonymous forwarding service to help safeguard the identity of those filing unofficial and uncensored email reports from the fighting in Kosovo.

http://www.wired.com/news/news/politics/story/18765.html

The main purpose of all four services, though, is to keep a user's identity safe from the prying eyes of Web-site operators by preventing them from obtaining an IP address, a host computer's name, or browser cookies that tip off a return visit to a site.

To hide these details, most services act as a kind of Web waystation between browsers and sites. The anonymizing services retrieve Web pages and deliver them to users instead of users fetching them directly.

An operator at one service says that the weaknesses Smith points out are not entirely the fault of the anonymizer. Flaws in the software must take some blame, too. Using a te...
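Smith's finding against the Anonymizer and Aixs was that they "fail to properly strip out embedded JavaScript code in all cases". The following is an added example, not code from Smith's post nor from any of the four services, of what a proxy-side active-content filter has to cover and why a first-cut "delete <script>...</script>" rule is not enough. It uses Python's standard html.parser; the sample page, the function names and the placeholder script name leak() are all constructed for the example.

```python
"""Added example (not Richard Smith's code or any anonymizer's): a
proxy-side filter that removes active content from an HTML page before
it is relayed to the browser.  It contrasts a naive regex pass with a
tokenizer-based pass that also handles tag case, event-handler
attributes and javascript: URLs, the cases a naive rule misses."""
import html
import re
from html.parser import HTMLParser

# Naive filter: catches only lowercase, attribute-less <script> blocks.
NAIVE_SCRIPT_RE = re.compile(r"<script>.*?</script>", re.DOTALL)


def naive_strip(doc: str) -> str:
    """What a first-cut filter might do; kept only for comparison."""
    return NAIVE_SCRIPT_RE.sub("", doc)


ACTIVE_TAGS = {"script", "applet", "object", "embed"}  # dropped with content
URL_ATTRS = {"href", "src", "action"}                  # checked for javascript:
JS_URL_RE = re.compile(r"^\s*javascript\s*:", re.IGNORECASE)


class ActiveContentStripper(HTMLParser):
    """Re-serialises the document while dropping active elements, on*
    event handlers and javascript: URLs.  HTMLParser lower-cases tag and
    attribute names and entity-decodes attribute values, so <SCRIPT>,
    onLoad= and entity-encoded javascript: are all seen in normal form."""

    def __init__(self) -> None:
        # convert_charrefs=False keeps &lt; etc. in text as references, so
        # an escaped "<" is never turned back into markup on re-emit.
        super().__init__(convert_charrefs=False)
        self.out = []
        self.skip_depth = 0  # > 0 while inside an active element

    def _render(self, tag, attrs, self_closing=False):
        parts = [tag]
        for name, value in attrs:
            if name.startswith("on"):
                continue  # onload=, onerror=, onclick=, ...
            if name in URL_ATTRS and value is not None and JS_URL_RE.match(value):
                continue  # href="javascript:..." (value is already decoded)
            if value is None:
                parts.append(name)
            else:
                parts.append(f'{name}="{html.escape(value, quote=True)}"')
        return "<" + " ".join(parts) + ("/>" if self_closing else ">")

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.skip_depth += 1
        elif not self.skip_depth:
            self.out.append(self._render(tag, attrs))

    def handle_startendtag(self, tag, attrs):
        if tag not in ACTIVE_TAGS and not self.skip_depth:
            self.out.append(self._render(tag, attrs, self_closing=True))

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip_depth:
            self.out.append(f"&#{name};")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")

    def handle_comment(self, data):
        pass  # comments add nothing to rendering; drop them


def strip_active_content(doc: str) -> str:
    parser = ActiveContentStripper()
    parser.feed(doc)
    parser.close()
    return "".join(parser.out)


# Constructed sample page (not from the original post).  "leak()" stands
# in for any script; each hook is one a naive filter tends to miss.
SAMPLE = (
    '<HTML><body onLoad="leak()">'
    '<SCRIPT type="text/javascript">leak()</SCRIPT>'
    '<p>Hello &amp; welcome</p>'
    '<a href="JavaScript:leak()">link</a>'
    '<img src="pic.gif" onerror="leak()">'
    '</body></HTML>'
)

if __name__ == "__main__":
    print("naive :", naive_strip(SAMPLE))
    print("parser:", strip_active_content(SAMPLE))
```

Run stand-alone, the naive pass returns the sample unchanged (the script tag is uppercase and carries an attribute), while the tokenizer pass yields a page with no script, no handlers and no javascript: link. The design point is that the filter operates on the parser's normalised view (lower-cased names, decoded attribute values) rather than on raw bytes, and re-escapes on output, so it does not depend on how the page author spelled the markup.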