Insecure Privoxy Configuration in Vidalia Bundles Prior to 0.1.2.18

Summary

Versions of the Vidalia bundle prior to 0.1.2.18 install Privoxy with an insecure configuration file. In combination with web browser vulnerabilities, these configuration values could be used to bypass the Privoxy filtering or cause Privoxy to block or redirect user requests. Both Windows and Mac OS X versions are affected.

Disclaimer

Some of the demonstrations linked from this page attempt to modify your Privoxy configuration in malicious ways. Backing up the 'user.action' configuration file is recommended before running any of these demonstrations.

All of the demonstrations and attacks were tested using Mozilla Firefox 2.0.0.9. On Windows, the Sun Java Runtime Environment (JRE) 1.6u2 was used. Mac OS X testing was performed using the latest version of Apple's Mac OS Runtime for Java (MRJ) 10.4 release 5.

The use of vulnerable software versions is meant to illustrate the types of attacks that can be performed. Simply because (most of) the flaws present have been patched does not mean that there aren't other potential vulnerabilities which could be exploited to achieve similar results.

Description

The Vidalia Project provides a cross-platform GUI controller for Tor. The Tor Project provides package downloads that bundle Tor, Privoxy and Vidalia. In versions of the bundle prior to 0.1.2.18, an insecure default Privoxy configuration file was included.

The installed 'config.txt' file ('config' on Mac OS X) had the following option values set to 1:

Additionally, on Windows the following option was set to 1:

Malicious sites (or malicious exit nodes) could include active content (e.g., JavaScript, Java, Flash) that caused the web browser to:

The Privoxy documentation recommends against enabling these options in multi-user environments or when dealing with untrustworthy clients. However, the documentation does not mention that client-side web-browser vulnerabilities could be exploited as well.

It should be noted that using Tor is not a prerequisite for some of these attacks to be successful. Users of Tor may be at greater risk, because malicious exit nodes can inject content into otherwise trusted sites.

Option: enable-remote-http-toggle

The enable-remote-http-toggle option allows web clients to include a special header that disables any Privoxy content filtering of the client request. If Privoxy determines that the header "X-Filter: No" has been included in the web request, all content level filtering is disabled for that specific request. Such filtering includes the ability for Privoxy to prevent pop-up windows, disable content re-directions and prevent cookies from being set through meta tags.

Normally, a web browser is unable to set specific headers. However, active content typically provides mechanisms to set headers on a per request basis:

For example, a simple XMLHttpRequest could appear as:


var xhr = new XMLHttpRequest();
xhr.open("GET", "http://example.com/whatever", false);
xhr.setRequestHeader("X-Filter", "No");
xhr.send(null);
document.write(xhr.responseText);
      

The following demonstrations have been constructed to show how the 'X-Filter' header can bypass content filtering. These demonstrations attempt to bypass the following filter actions: content-cookies, refresh-tags, all-popups. If these actions are not enabled in Privoxy, the demonstrations will not appear to do anything special.

Option: enable-remote-toggle

The enable-remote-toggle option allows the user to either enable or disable Privoxy through her web browser. When using Privoxy as a proxy, navigating to http://config.privoxy.org/toggle opens the toggle page. Privoxy filtering can either be enabled or disabled from this page.

Screenshot - Privoxy Toggle Page

This functionality is described as:

When enabled, Privoxy performs its magic - blocking adverts, filtering cookies, regex-filtering, etc.

When disabled, Privoxy behaves as a normal HTTP proxy, and will not affect your web browsing.

Privoxy is disabled by visiting http://config.privoxy.org/toggle?set=disable and enabled by visiting http://config.privoxy.org/toggle?set=enable. In order to prevent arbitrary web requests from invoking these requests, Privoxy verifies that the HTTP Referer header matches "http://config.privoxy.org/". In theory, this should prevent simple cross-site request forgery (CSRF) attacks.

Unfortunately, web browser vulnerabilities occasionally allow the Referer header to be forged. Vulnerabilities have been found in virtually all facets of active content. In the past, XMLHttpRequests allowed setting the Referer header, Flash movies could forge Referer headers and Flash or Java applets could use DNS-rebinding (or the document.domain bypass) to connect to the localhost and use TCP sockets to construct requests.

The Mozilla Firefox window.location race condition described in MFSA 2007-39 was developed in part to bypass the CSRF protection employed by Privoxy. Because Privoxy accepted GET requests, only checked the Referer header and didn't include any type of token or nonce, a simple request with a forged Referer header is sufficient to disable Privoxy.

Under Firefox 2.0.0.9, the following HTML is generally sufficient to set Privoxy to a disabled state:


<form name="pwn" target="_self" action="http://config.privoxy.org/">
</form>
<script defer="defer" type="text/javascript">
eval("setTimeout")('document.forms["pwn"].submit()', 100);
window["alert"]("wait for it");
window["location"] = "http://config.privoxy.org/toggle?set=disable";
</script>

Here are some additional demonstrations:

Option: enable-edit-actions

The enable-edit-actions option allows a user to configure the content filtering and blocking policy for Privoxy by accessing the configuration interface from the web browser. The configuration can be edited by browsing to http://config.privoxy.org/show-status.

Screenshot - Privoxy Status Page

The 'default.action' file defines the basic rules that apply to all requests and is processed first. It can be safely ignored in most cases.

The 'user.action' file is where attacks would be focused. It is processed after the default file and rules defined here take precedence. The default 'user.action' files ships with several sample rules (we'll see later, in some cases, these sample rules can be used to attack the system). Rules are defined by creating Actions and then specifying URL patterns. Later rules take precedence over early rules. A top-level rule can be defined by specifying an URL match of "/".

Screenshot - Privoxy Edit User Actions

On the surface, the Privoxy configuration editor is safe from drive-by modification using CSRF. In addition to the checking the Referer header, the configuration editing also employs a file version. The file version value is derived from the modification time of the configuration file. When any requests are submitted, the file version in the request is compared to the current modification time of the file. If a mismatch is detected, the request is rejected. Ostensibly, this is to prevent overlapping edits from corrupting the file, but it actually provides fairly strong CSRF protection. As edits are made, the file version is constantly changing. This makes attacks much more complicated because in addition to forging a Referer header, the file version must be guessed. The following demonstrations present two possible attack approaches.

Demonstrations:

End Notes

Although Vidalia does not have a bundle for Linux, these attacks are equally applicable to many Linux distributions. Any distribution that ships Privoxy with an insecure default configuration file is vulnerable. The Privoxy source distribution is also vulnerable.

Also available is an unfinished Flash with DNS rebinding demonstration. Originally envisioned as an attack against the Incognito CD, work was abandoned after Incognito switched to Polipo. If you want to use the demo, download the code and edit the 'hostname' to point to a hostname that can be used for DNS rebinding or enter one and relaunch the demo. Effective DNS rebinding through the Tor network faces additional challenges due to some of the timing and caching issues. This is an open research question.

Flash Bits

The Flash demos were created using the Open Source SWF Tools collection. Each of the following scripts was compiled using the 'swfc' command.

The source: