Everhart, Glenn (FUSA) From: Toby Barrick [tbarri@AMEX-TRS.COM] Sent: Tuesday, April 13, 1999 8:34 PM To: BUGTRAQ@NETSPACE.ORG Subject: Re: Serious security holes in web anonimyzing services-non html Sorry for the dual post, the first was html format. This is more of a browser/Java issue. This not only affects annon sevices but proxy/firewall services also!!! Toby Barrick Patrick Oonk wrote: > > From: "Richard M. Smith" > Subject: Serious security holes in Web anonymizing services > Date: Sun, 11 Apr 1999 19:23:25 -0400 > Newsgroups: comp.security.misc > Organization: The Internet Access Company, Inc. > > Hello, > > I found very serious security holes in all of the major > anonymous Web surfing services (Anonymizer, Aixs, LPWA, etc.). > These security holes allow a Web site to obtain information about > users that the anonymizing services are suppose to be hiding. This > message provides complete details of the problem and offers > a simple work-around for users until the security holes are > fixed. > > The April 8th issue of the New York Times has an article > by Peter H. Lewis in the Circuits section that describes > various types of services that allow people to anonymously > surf the Web. The article is entitled "Internet Hide and > Seek" and is available at the NY Times Web site: > > http://www.nytimes.com/library/tech/99/04/circuits/articles/08pete.html > > (Note, this article can only viewed if you have a free > NY Times Web account.) > > The three services described in the article are: > > Anonymizer (http://www.anonymizer.com) > Bell Labs (http://www.bell-labs.com/project/lpwa) > Naval Research Laboratory (http://www.onion-router.net) > > In addition, I found a pointer to fourth service in a security > newsgroup: > > Aixs (http://aixs.net/aixs/) > > The best known of these services is the Anonymizer at > www.anonymizer.com. However all four services basically > work in the same manner. They are intended to hide > information from a Web site when visited by a user. The > services prevent the Web site from seeing the IP address, > host computer name, and cookies of a user. All the services act > as proxies fetching pages from Web sites instead of users > going directly to Web sites. The services make the promise > that they don't pass private information along to > Web sites. They also do no logging of Web sites that > have been visited. > > After reading the article, I was curious to find out how well > each of these services worked. In particular, I wanted to > know if it would be possible for a Web site to > defeat any of these systems. Unfortunately, with less > than an hour's worth of work, I was able to get all four > systems to fail when using Netscape 4.5. > > The most alarming failures occurred with the Anonymizer and Aixs > systems. With the same small HTML page I was able > to quietly turn off the anonymzing feature in both services. > Once this page runs, it quickly redirects to a regular > Web page of the Web site. Because the browser is no > longer in anonymous mode, IP addresses and cookies > are again sent from the user's browser to all Web servers. > This security hole exists because both services fail to properly > strip out embedded JavaScript code in all cases from HTML > pages. > > With the Bell Labs and NRL systems I found a different > failure. With a simple JavaScript expression I was > able to query the IP address and host name of the > browser computer. The query was done by calling the > Java InetAddress class using the LiveConnect feature > of Netscape Navigator. Once JavaScript has this > information, it can easily be transmitted it back to a > Web server as part of a URL. > > A demo on the use of Java InetAddress class to fetch > the browser IP address and host name can be found at: > > http://www.tiac.net/users/smiths/js/livecon/index.htm > > If you are a user of any these services, I highly recommend > that you turn off JavaScript, Java, and ActiveX > controls in your browser before surfing the Web. > This simple precaution will prevent any leaks of > your IP address or cookies. I will be notifying all 4 vendors > about these security holes and hopefully this same recommendation > will be given to all users. > > If you have any questions or comments, please send them via Email. > > Richard M. Smith > smiths@tiac.net > > -- > Patrick Oonk - http://patrick.mypage.org/ - patrick@pine.nl > Pine Internet B.V. Consultancy, installatie en beheer > Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/ > -- Pine Security Digest - http://security.pine.nl/ (Dutch) ---- > Excuse of the day: bugs in the RAID