[10227] in bugtraq
Re: Serious security holes in web anonymizing services-non html
daemon@ATHENA.MIT.EDU (DaRk[V]0c)
Thu Apr 15 13:24:35 1999
Date: Sun, 11 Apr 1999 19:52:01 -0300
Reply-To: "DaRk[V]0c" <darkv0c@ARMY.NET>
From: "DaRk[V]0c" <darkv0c@ARMY.NET>
X-To: Toby Barrick <tbarri@AMEX-TRS.COM>
To: BUGTRAQ@NETSPACE.ORG
I am not sure it affects firewalls and proxy servers in some cases.
Let's say you have a network and a firewall which links this network to
the external world. In the anonymizer service, the proxy is OPTIONAL,
that is, packets do not necessarily have to go through the proxy. In a
network-firewall case, packets MUST go through the firewall. It's not
physically or logically possible that packets go around that. Therefore,
the anonymizing service keeps still.
I made these considerations based on what I know from computer networks.
I may be absolutely wrong and if that is the case, please correct it.
v0c.
Toby Barrick wrote:
>
> Sorry for the dual post, the first was html format.
>
> This is more of a browser/Java issue. This not only affects anon
> services but proxy/firewall services also!!!
>
> Toby Barrick
>
> Patrick Oonk wrote:
> >
> > From: "Richard M. Smith" <smiths@tiac.net>
> > Subject: Serious security holes in Web anonymizing services
> > Date: Sun, 11 Apr 1999 19:23:25 -0400
> > Newsgroups: comp.security.misc
> > Organization: The Internet Access Company, Inc.
> >
> > Hello,
> >
> > I found very serious security holes in all of the major
> > anonymous Web surfing services (Anonymizer, Aixs, LPWA, etc.).
> > These security holes allow a Web site to obtain information about
> > users that the anonymizing services are supposed to be hiding. This
> > message provides complete details of the problem and offers
> > a simple work-around for users until the security holes are
> > fixed.
> >
> > The April 8th issue of the New York Times has an article
> > by Peter H. Lewis in the Circuits section that describes
> > various types of services that allow people to anonymously
> > surf the Web. The article is entitled "Internet Hide and
> > Seek" and is available at the NY Times Web site:
> >
> > http://www.nytimes.com/library/tech/99/04/circuits/articles/08pete.html
> >
> > (Note, this article can only be viewed if you have a free
> > NY Times Web account.)
> >
> > The three services described in the article are:
> >
> > Anonymizer (http://www.anonymizer.com)
> > Bell Labs (http://www.bell-labs.com/project/lpwa)
> > Naval Research Laboratory (http://www.onion-router.net)
> >
> > In addition, I found a pointer to a fourth service in a security
> > newsgroup:
> >
> > Aixs (http://aixs.net/aixs/)
> >
> > The best known of these services is the Anonymizer at
> > www.anonymizer.com. However all four services basically
> > work in the same manner. They are intended to hide
> > information from a Web site when visited by a user. The
> > services prevent the Web site from seeing the IP address,
> > host computer name, and cookies of a user. All the services act
> > as proxies fetching pages from Web sites instead of users
> > going directly to Web sites. The services make the promise
> > that they don't pass private information along to
> > Web sites. They also do no logging of Web sites that
> > have been visited.
> >
> > After reading the article, I was curious to find out how well
> > each of these services worked. In particular, I wanted to
> > know if it would be possible for a Web site to
> > defeat any of these systems. Unfortunately, with less
> > than an hour's worth of work, I was able to get all four
> > systems to fail when using Netscape 4.5.
> >
> > The most alarming failures occurred with the Anonymizer and Aixs
> > systems. With the same small HTML page I was able
> > to quietly turn off the anonymizing feature in both services.
> > Once this page runs, it quickly redirects to a regular
> > Web page of the Web site. Because the browser is no
> > longer in anonymous mode, IP addresses and cookies
> > are again sent from the user's browser to all Web servers.
> > This security hole exists because both services fail to properly
> > strip out embedded JavaScript code in all cases from HTML
> > pages.
> >
> > With the Bell Labs and NRL systems I found a different
> > failure. With a simple JavaScript expression I was
> > able to query the IP address and host name of the
> > browser computer. The query was done by calling the
> > Java InetAddress class using the LiveConnect feature
> > of Netscape Navigator. Once JavaScript has this
> > information, it can easily be transmitted back to a
> > Web server as part of a URL.
> >
> > A demo on the use of Java InetAddress class to fetch
> > the browser IP address and host name can be found at:
> >
> > http://www.tiac.net/users/smiths/js/livecon/index.htm
> >
> > If you are a user of any of these services, I highly recommend
> > that you turn off JavaScript, Java, and ActiveX
> > controls in your browser before surfing the Web.
> > This simple precaution will prevent any leaks of
> > your IP address or cookies. I will be notifying all 4 vendors
> > about these security holes and hopefully this same recommendation
> > will be given to all users.
> >
> > If you have any questions or comments, please send them via Email.
> >
> > Richard M. Smith
> > smiths@tiac.net
> >
> > --
> > Patrick Oonk - http://patrick.mypage.org/ - patrick@pine.nl
> > Pine Internet B.V. Consultancy, installation and management
> > Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/
> > -- Pine Security Digest - http://security.pine.nl/ (Dutch) ----
> > Excuse of the day: bugs in the RAID
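The root cause Smith describes for the Anonymizer and Aixs failures is a rewriting proxy that strips embedded JavaScript in some cases but not all. The block below is an added example written for this archive page, not code from any of the services or posters discussed above: a small HTML filter of the kind such a proxy would need, built on Python's `html.parser`. It removes `<script>` elements with their bodies, every `on*` event-handler attribute, and script-scheme URLs (`javascript:` and friends) in URL-bearing attributes, and it does so on the parsed tag and attribute names, so `<SCRIPT LANGUAGE="JavaScript">`, `onClick`, leading whitespace before the scheme, and entity-encoded schemes such as `java&#115;cript:` are all caught. A deliberately naive regex version, `naive_strip`, is included to show the "not in all cases" failure mode. The function names, the `URL_ATTRS` list and the `SAMPLE` page are constructed for this example.

```python
"""Added example (not from the original thread): an HTML filter that removes
active content the way an anonymizing proxy should. All names and the sample
page below are constructed for illustration."""
import re
from html import escape
from html.parser import HTMLParser

# Attributes whose value is a URL and may therefore carry a script scheme.
# (Constructed list; extend for the markup a real proxy must handle.)
URL_ATTRS = {"href", "src", "action", "background", "lowsrc"}

# Script schemes, tolerant of leading whitespace/control characters that
# browsers of the era ignored in front of the scheme name.
SCRIPT_SCHEME = re.compile(
    r"^[\s\x00-\x1f]*(javascript|vbscript|livescript)\s*:", re.IGNORECASE
)


class ScriptStripper(HTMLParser):
    """Re-emits the document with <script> elements, on* handlers and
    script-scheme URLs removed. HTMLParser lower-cases tag and attribute
    names and entity-decodes attribute values, which is what makes the
    case and encoding variants in SAMPLE visible to the checks below."""

    def __init__(self):
        super().__init__()          # convert_charrefs=True: text arrives decoded
        self.out = []               # output fragments
        self.skip_depth = 0         # > 0 while inside <script>...</script>
        self.removed = 0            # number of items stripped (for proxy logs)

    @staticmethod
    def _fmt_tag(tag, attrs, self_closing=False):
        parts = [tag]
        for name, value in attrs:
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        return "<" + " ".join(parts) + (" />" if self_closing else ">")

    def _clean_attrs(self, attrs):
        kept = []
        for name, value in attrs:
            if name.startswith("on"):                       # event handler
                self.removed += 1
            elif name in URL_ATTRS and value is not None and SCRIPT_SCHEME.match(value):
                self.removed += 1                            # javascript: URL
            else:
                kept.append((name, value))
        return kept

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.skip_depth += 1
            self.removed += 1
            return
        if not self.skip_depth:
            self.out.append(self._fmt_tag(tag, self._clean_attrs(attrs)))

    def handle_startendtag(self, tag, attrs):
        if tag == "script":
            self.removed += 1
            return
        if not self.skip_depth:
            self.out.append(self._fmt_tag(tag, self._clean_attrs(attrs), True))

    def handle_endtag(self, tag):
        if tag == "script":
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:              # script bodies are dropped here
            self.out.append(escape(data))    # re-escape decoded text

    def handle_comment(self, data):
        pass                                 # comments can hide script; drop them

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def strip_active_content(html_text):
    """Return (filtered_html, number_of_items_removed)."""
    p = ScriptStripper()
    p.feed(html_text)
    p.close()
    return "".join(p.out), p.removed


def naive_strip(html_text):
    """The kind of lowercase-only regex filter that lets variants through."""
    return re.sub(r"<script>.*?</script>", "", html_text, flags=re.DOTALL)


# Constructed sample page exercising case, attribute and encoding variants.
SAMPLE = (
    '<html><body>'
    '<SCRIPT LANGUAGE="JavaScript">document.location="http://example.test/x"</SCRIPT>'
    '<a href=" JavaScript:f()">go</a>'
    '<img src="pic.gif" onload="f()">'
    '<a href="java&#115;cript:f()">enc</a>'
    '<p onClick="f()">Hello &amp; welcome</p>'
    '</body></html>'
)

if __name__ == "__main__":
    cleaned, count = strip_active_content(SAMPLE)
    print(f"removed {count} items:\n{cleaned}")
    print("naive filter still contains script:", "SCRIPT" in naive_strip(SAMPLE))
```

Parsing rather than pattern-matching the raw text is the design point: the decisions are made on normalised tag and attribute names and on decoded attribute values, so the filter does not depend on guessing every spelling an author might use. A proxy that also rewrites URLs would add that rewriting in `_clean_attrs`, where the kept attributes are already available.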