By Jake Edge
October 14, 2009
Users give up a certain level of anonymity when they browse the web. Not only do things like cookies make them less anonymous, but server logs also keep a record of which IP addresses connected to them, and ISPs, companies, and others may record the destination of outbound traffic. Unlike cookies, though, there is nothing a user can do to prevent their address from being captured by endpoints or intervening routers—except by using some kind of proxy. Using Tor, for example, allows users to proxy their requests through an anonymizing network so that there is no direct connection between their address and the server they are contacting. Now, through the work of Connell Gauld, Android users can also browse through Tor using TorProxy and Shadow.
There are any number of reasons that someone might want to disguise their web requests: repressive governments, potential embarrassment, hiding illegal activities, and so forth. Tor routes each request that it gets through several randomly chosen nodes within its network. The request eventually emerges at an exit node—which, importantly, sees the traffic in the clear—where it is handed off to the destination server. Essentially, the only information available is that the source node connected to a Tor node, and some time later a different Tor node connected to the destination. With enough monitoring, traffic analysis might be used to determine the correspondence between those two events, but it raises the bar by quite a bit. Cookies and user logins on destination sites can also potentially pierce a user's anonymity, but those can be controlled by users.
TorProxy and Shadow are two free software programs for Android mobile
phones that give users access to the Tor network. Both can be installed
from the Android Market application. As the name implies, TorProxy is the
proxy agent that sits between applications that want to anonymously use the
network and the network itself, routing the traffic through Tor. Shadow
uses the Android browser classes to implement a browser, but routes its
requests through TorProxy.
There are some questions (see the update) about the code that underlies TorProxy, so it may not yet be suitable for "operational" use. But the code is free, and there have been successful efforts to get the C version of the Tor client running on Android, so it seems likely that a secure version of TorProxy will come along.
Once installed, TorProxy can be configured to maintain a Tor connection at
all times, or only on demand from applications that specifically request
it, such as Shadow. Shadow has a bit of a different look from the
standard Android browser, at least on startup, but it functions more or
less the same. But, much like desktop Tor usage, it suffers from fairly
serious delays.
When first connecting, TorProxy takes roughly 30 seconds to initiate a
connection. An onion logo—Tor is sometimes known as "The Onion
Router"—with a countdown appears in the Android status bar. Once the
connection is established, one can then surf the web. It is something of a
nostalgic experience, reminding one of those halcyon days of accessing the
net via 9600bps (or worse) modems.
Unfortunately, any serious attempt to anonymize traffic is going to be somewhat slow. Each hop along the way adds some time to the process, but each adds a bit more unpredictability as well. For those who need the anonymity that Tor can provide, however, the wait is likely worth it—the wait in a gulag or prison will likely be much longer.
Brief items
SELinux hacker Dan Walsh looks at creating policies for the Google Chrome browser on his weblog. His posting is a detailed look at creating SELinux policy for Chrome/Chromium, and, in particular, the Chromium sandbox. "When I write new policy now, I default to permissive domains to make sure I don't blow up the user environment. I usually wait for the next version of the OS to turn permissive domains to enforcing domains. This means I will probably leave chrome_sandbox_t as a permissive domain for all of F12 and turn it enforcing in F13. This allows me to gather lots of AVC's and not force the user to disable SELinux [or] not use chrome. And hopefully allows me to write better policy. You can use the seinfo --permissive command to list all the permissive domains on your system."
Security reports
The Django project has announced the release of a set of urgent security updates. "This issue was disclosed publicly by a third party on a high-traffic mailing list, and attempts have been made to exploit it against live Django installations; as such, we are bypassing our normal policy for security disclosure and immediately issuing patches and updated releases." The vulnerability (a denial of service problem) affects any Django application running 1.0 or later and using the EmailField or URLField features.
New vulnerabilities
aria: buffer overflow
| Package(s): | aria2 |
| CVE #(s): | CVE-2009-3575 |
| Created: | October 9, 2009 |
| Updated: | January 14, 2010 |
| Description: | From the Red Hat bugzilla: Buffer overflow in DHTRoutingTableDeserializer.cc in aria2 0.15.3, 1.2.0, and other versions allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors. |
deltarpm: old zlib vulnerability
| Package(s): | deltarpm |
| CVE #(s): | |
| Created: | October 9, 2009 |
| Updated: | October 14, 2009 |
| Description: | deltarpm prior to the current build ships with a bundled copy of zlib. This version of zlib has a known vulnerability with CVE identifier CAN-2005-1849. This build of deltarpm patches the program to use the system zlib (which was fixed when the vulnerability was first discovered) instead of the bundled copy. |
dopewars: denial of service
| Package(s): | dopewars |
| CVE #(s): | CVE-2009-3591 |
| Created: | October 14, 2009 |
| Updated: | October 14, 2009 |
| Description: | Dopewars 1.5.12 has a denial of service vulnerability in the face of a "REQUESTJET" message with an invalid location. |
drupal-service_links: cross-site scripting
| Package(s): | drupal-service_links |
| CVE #(s): | CVE-2009-3648 |
| Created: | October 14, 2009 |
| Updated: | October 14, 2009 |
| Description: | Drupal's "service links" module does not properly validate user-supplied input, leading to a cross-site scripting vulnerability; see this advisory for more information. |
graphicsmagick: multiple vulnerabilities
| Package(s): | graphicsmagick |
| CVE #(s): | CVE-2007-1667, CVE-2007-1797, CVE-2007-4985, CVE-2007-4986, CVE-2007-4988, CVE-2008-1096, CVE-2008-3134, CVE-2008-6070, CVE-2008-6071, CVE-2008-6072, CVE-2008-6621, CVE-2009-1882 |
| Created: | October 8, 2009 |
| Updated: | June 1, 2010 |
| Description: | graphicsmagick has a long list of vulnerabilities. From the Debian alert: Several vulnerabilities have been discovered in graphicsmagick, a collection of image processing tools, which can lead to the execution of arbitrary code, exposure of sensitive information or cause DoS. The Common Vulnerabilities and Exposures project identifies the following problems (the per-CVE breakdown follows the table). |

CVE-2007-1667: Multiple integer overflows in XInitImage function in xwd.c for GraphicsMagick, allow user-assisted remote attackers to cause a denial of service (crash) or obtain sensitive information via crafted images with large or negative values that trigger a buffer overflow. It only affects the oldstable distribution (etch).
CVE-2007-1797: Multiple integer overflows allow remote attackers to execute arbitrary code via a crafted DCM image, or the colors or comments field in a crafted XWD image. It only affects the oldstable distribution (etch).
CVE-2007-4985: A crafted image file can trigger an infinite loop in the ReadDCMImage function or in the ReadXCFImage function. It only affects the oldstable distribution (etch).
CVE-2007-4986: Multiple integer overflows allow context-dependent attackers to execute arbitrary code via a crafted .dcm, .dib, .xbm, .xcf, or .xwd image file, which triggers a heap-based buffer overflow. It only affects the oldstable distribution (etch).
CVE-2007-4988: A sign extension error allows context-dependent attackers to execute arbitrary code via a crafted width value in an image file, which triggers an integer overflow and a heap-based buffer overflow. It affects only the oldstable distribution (etch).
CVE-2008-1096: The load_tile function in the XCF coder allows user-assisted remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted .xcf file that triggers an out-of-bounds heap write. It affects only oldstable (etch).
CVE-2008-3134: Multiple vulnerabilities in GraphicsMagick before 1.2.4 allow remote attackers to cause a denial of service (crash, infinite loop, or memory consumption) via vectors in the AVI, AVS, DCM, EPT, FITS, MTV, PALM, RLA, and TGA decoder readers; and the GetImageCharacteristics function in magick/image.c, as reachable from a crafted PNG, JPEG, BMP, or TIFF file.
CVE-2008-6070: Multiple heap-based buffer underflows in the ReadPALMImage function in coders/palm.c in GraphicsMagick before 1.2.3 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted PALM image.
CVE-2008-6071: Heap-based buffer overflow in the DecodeImage function in coders/pict.c in GraphicsMagick before 1.1.14, and 1.2.x before 1.2.3, allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted PICT image.
CVE-2008-6072: Multiple vulnerabilities in GraphicsMagick allow remote attackers to cause a denial of service (crash) via vectors in XCF and CINEON images.
CVE-2008-6621: Vulnerability in GraphicsMagick allows remote attackers to cause a denial of service (crash) via vectors in DPX images.
CVE-2009-1882: Integer overflow allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF file, which triggers a buffer overflow.
mimetex: multiple vulnerabilities
| Package(s): | mimetex |
| CVE #(s): | CVE-2009-1382, CVE-2009-2459 |
| Created: | October 8, 2009 |
| Updated: | March 25, 2013 |
| Description: | From the Ubuntu alert: Chris Evans discovered that mimeTeX incorrectly handled certain long tags. An attacker could exploit this with a crafted mimeTeX expression and cause a denial of service or possibly execute arbitrary code. (CVE-2009-1382) Chris Evans discovered that mimeTeX contained certain directives that may be unsuitable for handling untrusted user input. This update fixed the issue by disabling the \input and \counter tags. (CVE-2009-2459) |
netpbm: denial of service
| Package(s): | netpbm |
| CVE #(s): | CVE-2008-4799 |
| Created: | October 9, 2009 |
| Updated: | December 7, 2009 |
| Description: | From the Mandriva advisory: pamperspective in Netpbm before 10.35.48 does not properly calculate a window height, which allows context-dependent attackers to cause a denial of service (crash) via a crafted image file that triggers an out-of-bounds read. |
opensaml2: interpretation conflict
| Package(s): | opensaml2 shibboleth-sp2 |
| CVE #(s): | |
| Created: | October 13, 2009 |
| Updated: | October 14, 2009 |
| Description: | From the Debian advisory: In DSA-1895-1, the xmltooling package was updated to address several security issues. It turns out that the change related to SAML metadata processing for key constraints caused problems when applied without the matching changes in the opensaml2 and shibboleth-sp2 packages. |
phpmyadmin: cross-site scripting, SQL injection
| Package(s): | phpmyadmin |
| CVE #(s): | |
| Created: | October 13, 2009 |
| Updated: | October 16, 2009 |
| Description: | From the Mandriva advisory: This is a security release for XSS and SQL injection problems. This upgrade provides phpmyadmin 2.11.9.6 for CS4 and 3.2.2.1 for MES5, which are not vulnerable to these security issues. |
python-django: directory traversal
| Package(s): | python-django |
| CVE #(s): | CVE-2009-2659 |
| Created: | October 13, 2009 |
| Updated: | December 9, 2009 |
| Description: | From the Mandriva update: The Admin media handler in core/servers/basehttp.py in Django 1.0 and 0.96 does not properly map URL requests to expected static media files, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a crafted URL. |
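The check that a static-media handler needs in order to avoid the class of bug described above, as an added example; this is not Django's code and does not reproduce its fix, and the media root and request paths it uses are constructed for the example.

```python
# Added example (not Django's own code): confine a requested URL path to a
# media directory so that a crafted URL cannot read files outside it.
# The root and request paths used with this function are constructed.
import os
import posixpath
from typing import Optional
from urllib.parse import unquote


def resolve_media_path(media_root: str, request_path: str) -> Optional[str]:
    """Map a URL path onto media_root.

    Returns the slash-separated path relative to media_root when the request
    stays inside the root, and None when it would escape (or names nothing
    servable).  The caller joins the result to media_root and serves it.
    """
    # Decode exactly once: a double-encoded '%252e%252e' becomes '%2e%2e',
    # which is an ordinary (non-existent) name, not '..'.
    decoded = unquote(request_path)
    # NUL never belongs in a filename and truncates C-level path handling.
    if "\x00" in decoded:
        return None
    # Treat the URL path as relative to the root, then collapse '.' and
    # '..' with POSIX rules (URL paths are POSIX-shaped on every OS).
    normalized = posixpath.normpath(decoded.lstrip("/"))
    # normpath cannot collapse a leading '..' in a relative path, so any
    # survivor means the request climbs above the root.  '.' is the root
    # directory itself, which is not a file to serve.
    if normalized in (".", "..") or normalized.startswith("../"):
        return None
    # Lexical checks do not see symlinks: resolve both sides on disk and
    # require the candidate to still sit under the real root.
    root = os.path.realpath(media_root)
    candidate = os.path.realpath(os.path.join(root, normalized))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return normalized
```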
python-django: denial of service
| Package(s): | python-django |
| CVE #(s): | CVE-2009-3695 |
| Created: | October 13, 2009 |
| Updated: | December 9, 2009 |
| Description: | From the Mandriva advisory: Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regular expression. |
sympa: symlink attack
| Package(s): | sympa |
| CVE #(s): | CVE-2008-4476 |
| Created: | October 9, 2009 |
| Updated: | October 14, 2009 |
| Description: | From the Mandriva advisory: sympa.pl in sympa 5.3.4 allows local users to overwrite arbitrary files via a symlink attack on a temporary file. NOTE: wwsympa.fcgi was also reported, but the issue occurred in a dead function, so it is not a vulnerability. |
wireshark: denial of service
| Package(s): | wireshark |
| CVE #(s): | CVE-2009-3241 |
| Created: | October 13, 2009 |
| Updated: | December 1, 2009 |
| Description: | From the Mandriva advisory: Unspecified vulnerability in the OpcUa (OPC UA) dissector in Wireshark 0.99.6 through 1.0.8 and 1.2.0 through 1.2.1 allows remote attackers to cause a denial of service (memory and CPU consumption) via malformed OPCUA Service CallRequest packets (CVE-2009-3241). |
Page editor: Jake Edge