Security

TorProxy and Shadow

By Jake Edge
October 14, 2009

Users give up a certain level of anonymity when they browse the web. Not only do things like cookies make them less anonymous, server logs also keep a record of which IP addresses connected to them, and ISPs, companies, and others may record the destination of outbound traffic. Unlike cookies, though, there is nothing a user can do to prevent their address from being captured by endpoints or intervening routers—except by using some kind of proxy. Using Tor, for example, allows users to proxy their request through an anonymizing network so that there is no direct connection between their address and the server they are contacting. Now, through the work of Connell Gauld, Android users can also browse through Tor using TorProxy and Shadow.

There are any number of reasons that someone might want to disguise their web requests: repressive governments, potential embarrassment, hiding illegal activities, and so forth. Tor routes each request that it gets through several, randomly-chosen nodes within its network. The request eventually emerges at an exit node—which, importantly, sees the traffic in the clear—where it is handed off to the destination server.

[TorProxy]

Essentially, the only information available is that the source node connected to a Tor node, and some time later a different Tor node connected to the destination. With enough monitoring, traffic analysis might be used to determine the correspondence between those two events, but it raises the bar by quite a bit. Cookies and user logins on destination sites can also potentially pierce a user's anonymity, but those can be controlled by users.
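A toy model of the layered routing the article describes, added here as an illustration; it is not code from the original article and not TorProxy's or Tor's actual protocol (real Tor circuits use TLS links, negotiated per-hop keys and a fixed cell format). The stream cipher, node names, keys and request are constructed stand-ins. Each relay strips one layer and learns only the next hop; only the exit sees the destination and request in the clear:

```python
import hashlib, os

NONCE_LEN = 16
HOP_LEN = 16  # fixed-width "next hop" label at the front of each layer

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy stream cipher (SHA-256 in counter mode), a stand-in for real per-hop ciphers.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, data: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def open_layer(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, keystream(key, nonce, len(body))))

def build_onion(path, keys, destination: str, request: bytes) -> bytes:
    # Wrap innermost layer first: hop i can strip only its own layer and reads only hop i+1.
    layer = destination.encode() + b"\x00" + request  # seen in the clear by the exit alone
    next_hop = b"EXIT"
    for node in reversed(path):
        layer = seal(keys[node], next_hop.ljust(HOP_LEN, b"\x00") + layer)
        next_hop = node.encode()
    return layer

def relay(node: str, keys, blob: bytes, log: list):
    # One hop's view: strip a layer, record (this hop, next hop, what it forwards), pass on.
    inner = open_layer(keys[node], blob)
    next_hop = inner[:HOP_LEN].rstrip(b"\x00").decode()
    body = inner[HOP_LEN:]
    log.append((node, next_hop, body))
    if next_hop == "EXIT":
        dest, request = body.split(b"\x00", 1)
        return dest.decode(), request
    return relay(next_hop, keys, body, log)

def run_demo():
    # Constructed sample circuit: node names, keys and the request are made up for the demo.
    path = ["guard", "middle", "exit"]
    keys = {n: hashlib.sha256(n.encode()).digest() for n in path}  # demo keys only
    request = b"GET / HTTP/1.0\r\n"
    onion = build_onion(path, keys, "example.org", request)
    log = []
    dest, delivered = relay(path[0], keys, onion, log)
    return dest, delivered, [(n, h) for n, h, _ in log], [n for n, _, b in log if request in b]
```

The last value returned by run_demo() lists which hops ever handled the request bytes in the clear; in this model that is only the exit, which is the point the article makes about exit nodes.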

TorProxy and Shadow are two free software programs for Android mobile phones that give users access to the Tor network. Both can be installed from the Android Market application. As the name implies, TorProxy is the proxy agent that sits between applications that want to anonymously use the network and the network itself, routing the traffic through Tor. Shadow uses the Android browser classes to implement a browser, but routes its requests through TorProxy.

[Shadow]

There are some questions (see the update) about the code that underlies TorProxy, so it may not yet be suitable for "operational" use. But the code is free, and there have been successful efforts to get the C version of the Tor client running on Android, so it seems likely that a secure version of TorProxy will come along.

Once installed, TorProxy can be configured to maintain a Tor connection at all times, or only on demand from applications that specifically request it, such as Shadow. Shadow has a bit of a different look from the standard Android browser, at least on startup, but it functions more or less the same. But, much like desktop Tor usage, it suffers from fairly serious delays.

[Countdown]

When first connecting, TorProxy takes roughly 30 seconds to initiate a connection. An onion logo—Tor is sometimes known as "The Onion Router"—with a countdown appears in the Android status bar. Once the connection is established, one can then surf the web. It is something of a nostalgic experience, reminding one of those halcyon days of accessing the net via 9600bps (or worse) modems.

Unfortunately, any serious attempt to anonymize traffic is going to be somewhat slow. Each hop along the way is going to add some time to the process, but each will add a bit more unpredictability as well. For those that need the anonymity that Tor can provide, however, the wait is likely worth it—the wait in a gulag or prison will likely be much longer.

Brief items

Walsh: Google Chrome Policy

SELinux hacker Dan Walsh looks at creating policies for the Google Chrome browser on his weblog. His posting is a detailed look at creating SELinux policy for Chrome/Chromium, and, in particular, the Chromium sandbox. "When I write new policy now, I default to permissive domains to make sure I don't blow up the user environment. I usually wait for the next version of the OS to turn permissive domains to enforcing domains. This means I will probably leave chrome_sandbox_t as a permissive domain for all of F12 and turn it enforcing in F13. This allows me to gather lots of AVC's and not force the user to disable SELinux [or] not use chrome. And hopefully allows me to write better policy. You can use the seinfo --permissive command to list all the permissive domains on your system."

Security reports

Urgent Django security updates released

The Django project has announced the release of a set of urgent security updates. "This issue was disclosed publicly by a third party on a high-traffic mailing list, and attempts have been made to exploit it against live Django installations; as such, we are bypassing our normal policy for security disclosure and immediately issuing patches and updated releases." The vulnerability (a denial of service problem) affects any Django application running 1.0 or later and using the EmailField or URLField features.

New vulnerabilities

aria: buffer overflow

Package(s): aria2
CVE #(s): CVE-2009-3575
Created: October 9, 2009
Updated: January 14, 2010
Description: From the Red Hat bugzilla: Buffer overflow in DHTRoutingTableDeserializer.cc in aria2 0.15.3, 1.2.0, and other versions allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors.
Alerts:
Gentoo 201001-06 aria2 2010-01-13
Debian DSA-1957-1 aria2 2009-12-28
Fedora FEDORA-2009-10344 aria2 2009-10-09

deltarpm: old zlib vulnerability

Package(s): deltarpm
CVE #(s):
Created: October 9, 2009
Updated: October 14, 2009
Description: deltarpm prior to the current build ships with a bundled copy of zlib. This version of zlib has a known vulnerability, CVE identifier CAN-2005-1849. This build of deltarpm patches the program to use the system zlib (which was fixed when the vulnerability was first discovered) instead of the bundled copy.
Alerts:
Fedora FEDORA-2009-10262 deltarpm 2009-10-06
Fedora FEDORA-2009-10233 deltarpm 2009-10-03
Fedora FEDORA-2009-10237 deltarpm 2009-10-03

dopewars: denial of service

Package(s): dopewars
CVE #(s): CVE-2009-3591
Created: October 14, 2009
Updated: October 14, 2009
Description: Dopewars 1.5.12 has a denial of service vulnerability in the face of a "REQUESTJET" message with an invalid location.
Alerts:
Fedora FEDORA-2009-10385 dopewars 2009-10-14

drupal-service_links: cross-site scripting

Package(s): drupal-service_links
CVE #(s): CVE-2009-3648
Created: October 14, 2009
Updated: October 14, 2009
Description: Drupal's "service links" module does not properly validate user-supplied input, leading to a cross-site scripting vulnerability; see this advisory for more information.
Alerts:
Fedora FEDORA-2009-10466 drupal-service_links 2009-10-14
Fedora FEDORA-2009-10445 drupal-service_links 2009-10-14

graphicsmagick: multiple vulnerabilities

Package(s): graphicsmagick
CVE #(s): CVE-2007-1667, CVE-2007-1797, CVE-2007-4985, CVE-2007-4986, CVE-2007-4988, CVE-2008-1096, CVE-2008-3134, CVE-2008-6070, CVE-2008-6071, CVE-2008-6072, CVE-2008-6621, CVE-2009-1882
Created: October 8, 2009
Updated: June 1, 2010
Description: graphicsmagick has a long list of vulnerabilities. From the Debian alert:

Several vulnerabilities have been discovered in graphicsmagick, a collection of image processing tools, which can lead to the execution of arbitrary code, exposure of sensitive information or cause DoS. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2007-1667: Multiple integer overflows in XInitImage function in xwd.c for GraphicsMagick, allow user-assisted remote attackers to cause a denial of service (crash) or obtain sensitive information via crafted images with large or negative values that trigger a buffer overflow. It only affects the oldstable distribution (etch).

CVE-2007-1797: Multiple integer overflows allow remote attackers to execute arbitrary code via a crafted DCM image, or the colors or comments field in a crafted XWD image. It only affects the oldstable distribution (etch).

CVE-2007-4985: A crafted image file can trigger an infinite loop in the ReadDCMImage function or in the ReadXCFImage function. It only affects the oldstable distribution (etch).

CVE-2007-4986: Multiple integer overflows allow context-dependent attackers to execute arbitrary code via a crafted .dcm, .dib, .xbm, .xcf, or .xwd image file, which triggers a heap-based buffer overflow. It only affects the oldstable distribution (etch).

CVE-2007-4988: A sign extension error allows context-dependent attackers to execute arbitrary code via a crafted width value in an image file, which triggers an integer overflow and a heap-based buffer overflow. It affects only the oldstable distribution (etch).

CVE-2008-1096: The load_tile function in the XCF coder allows user-assisted remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted .xcf file that triggers an out-of-bounds heap write. It affects only oldstable (etch).

CVE-2008-3134: Multiple vulnerabilities in GraphicsMagick before 1.2.4 allow remote attackers to cause a denial of service (crash, infinite loop, or memory consumption) via vectors in the AVI, AVS, DCM, EPT, FITS, MTV, PALM, RLA, and TGA decoder readers; and the GetImageCharacteristics function in magick/image.c, as reachable from a crafted PNG, JPEG, BMP, or TIFF file.

CVE-2008-6070: Multiple heap-based buffer underflows in the ReadPALMImage function in coders/palm.c in GraphicsMagick before 1.2.3 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted PALM image.

CVE-2008-6071: Heap-based buffer overflow in the DecodeImage function in coders/pict.c in GraphicsMagick before 1.1.14, and 1.2.x before 1.2.3, allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted PICT image.

CVE-2008-6072: Multiple vulnerabilities in GraphicsMagick allow remote attackers to cause a denial of service (crash) via vectors in XCF and CINEON images.

CVE-2008-6621: Vulnerability in GraphicsMagick allows remote attackers to cause a denial of service (crash) via vectors in DPX images.

CVE-2009-1882: Integer overflow allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF file, which triggers a buffer overflow.

Alerts:
Oracle ELSA-2012-0301 imagemagick 2012-03-07
Fedora FEDORA-2010-0001 GraphicsMagick 2010-01-02
Fedora FEDORA-2010-0036 GraphicsMagick 2010-01-02
Debian DSA-1903 graphicsmagick 2009-10-07
Mandriva MDVSA-2009:261 graphicsmagick 2009-08-08
Mandriva MDVSA-2009:260 imagemagick 2009-08-08

mimetex: multiple vulnerabilities

Package(s): mimetex
CVE #(s): CVE-2009-1382, CVE-2009-2459
Created: October 8, 2009
Updated: March 25, 2013
Description: From the Ubuntu alert:

Chris Evans discovered that mimeTeX incorrectly handled certain long tags. An attacker could exploit this with a crafted mimeTeX expression and cause a denial of service or possibly execute arbitrary code. (CVE-2009-1382)

Chris Evans discovered that mimeTeX contained certain directives that may be unsuitable for handling untrusted user input. This update fixed the issue by disabling the \input and \counter tags. (CVE-2009-2459)

Alerts:
Fedora FEDORA-2013-3902 mimetex 2013-03-24
Fedora FEDORA-2013-3910 mimetex 2013-03-23
Fedora FEDORA-2010-6546 mimetex 2010-04-14
Fedora FEDORA-2009-10170 mimetex 2009-10-03
Fedora FEDORA-2009-10225 mimetex 2009-10-03
Debian DSA-1917-1 mimetex 2009-10-24
Ubuntu USN-844-1 mimetex 2009-10-08

netpbm: denial of service

Package(s): netpbm
CVE #(s): CVE-2008-4799
Created: October 9, 2009
Updated: December 7, 2009
Description: From the Mandriva advisory: pamperspective in Netpbm before 10.35.48 does not properly calculate a window height, which allows context-dependent attackers to cause a denial of service (crash) via a crafted image file that triggers an out-of-bounds read.
Alerts:
Mandriva MDVSA-2009:317 netpbm 2009-12-05
Mandriva MDVSA-2009:262 netpbm 2009-08-09

opensaml2: interpretation conflict

Package(s): opensaml2 shibboleth-sp2
CVE #(s):
Created: October 13, 2009
Updated: October 14, 2009
Description: From the Debian advisory: In DSA-1895-1, the xmltooling package was updated to address several security issues. It turns out that the change related to SAML metadata processing for key constraints caused problems when applied without the matching changes in the opensaml2 and shibboleth-sp2 packages.
Alerts:
Debian DSA-1895-2 opensaml2 2009-10-09

phpmyadmin: cross-site scripting, SQL injection

Package(s): phpmyadmin
CVE #(s):
Created: October 13, 2009
Updated: October 16, 2009
Description: From the Mandriva advisory: This is a security release for XSS and SQL injection problems.

This upgrade provides phpmyadmin 2.11.9.6 for CS4 and 3.2.2.1 for MES5, which are not vulnerable to these security issues.

Alerts:
Fedora FEDORA-2009-10510 phpMyAdmin 2009-10-15
Mandriva MDVSA-2009:274 phpmyadmin 2009-10-13
Fedora FEDORA-2009-10530 phpMyAdmin 2009-10-15

python-django: directory traversal

Package(s): python-django
CVE #(s): CVE-2009-2659
Created: October 13, 2009
Updated: December 9, 2009
Description: From the Mandriva update: The Admin media handler in core/servers/basehttp.py in Django 1.0 and 0.96 does not properly map URL requests to expected static media files, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a crafted URL.
Alerts:
Mandriva MDVSA-2009:276-1 python-django 2009-12-08
Mandriva MDVSA-2009:276 python-django 2009-10-13
Mandriva MDVSA-2009:275 python-django 2009-10-13

python-django: denial of service

Package(s): python-django
CVE #(s): CVE-2009-3695
Created: October 13, 2009
Updated: December 9, 2009
Description: From the Mandriva advisory: Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regular expression.
Alerts:
Mandriva MDVSA-2009:276-1 python-django 2009-12-08
Debian DSA-1905-1 python-django 2009-10-10
Mandriva MDVSA-2009:276 python-django 2009-10-13

sympa: symlink attack

Package(s): sympa
CVE #(s): CVE-2008-4476
Created: October 9, 2009
Updated: October 14, 2009
Description: From the Mandriva advisory: sympa.pl in sympa 5.3.4 allows local users to overwrite arbitrary files via a symlink attack on a temporary file. NOTE: wwsympa.fcgi was also reported, but the issue occurred in a dead function, so it is not a vulnerability.
Alerts:
Mandriva MDVSA-2009:263 sympa 2009-08-09

wireshark: denial of service

Package(s): wireshark
CVE #(s): CVE-2009-3241
Created: October 13, 2009
Updated: December 1, 2009
Description: From the Mandriva advisory: Unspecified vulnerability in the OpcUa (OPC UA) dissector in Wireshark 0.99.6 through 1.0.8 and 1.2.0 through 1.2.1 allows remote attackers to cause a denial of service (memory and CPU consumption) via malformed OPCUA Service CallRequest packets (CVE-2009-3241).

Alerts:
Mandriva MDVSA-2009:270 wireshark 2009-10-12
Fedora FEDORA-2009-9837 wireshark 2009-09-24
Debian DSA-1942-1 wireshark 2009-11-29
Gentoo 200911-05 wireshark 2009-11-25
SuSE SUSE-SR:2009:016 silc-toolkit, open-iscsi, strongswan,freeswan,openswan, mutt, openldap2, cyrus-imapd, java-1_6_0-openjdk, postgresql, IBMJava2-JRE/java-1_4_2-ibm, wireshark, freeradius, dovecot 2009-10-13

Page editor: Jake Edge

Copyright © 2009, Eklektix, Inc.