A security advisory for the Orion/Torion iOS app has recently been released to
the public.
The developer basically took Mike Tigas' iOS app and introduced several
vulnerabilities to it that could be used to track users, and the developer also
forgot to mention existing vulnerabilities that could also be used to identify
users.
Last but not least it also contains several known issues in relation to the
embedded Tor client and OpenSSL libraries.
The advisory has been attached to this email, and can also be found on the Full
Disclosure mailing list and various other websites.
# Exploit Title: Orion Elite Hidden IP Browser Pro - All Versions - Multiple
Known Vulnerabilities
# Date: 14/Jul/17
# Exploit Author: MaXe
# Vendor Homepage: http://www.orionbrowser.com &&
https://www.linkedin.com/company-beta/18034392/ &&
https://itunes.apple.com/us/app/orion-elite-hidden-ip-browser-pro/id1021253135
# Software Link: Refer to IPA archive websites at your own risk
# Screenshot: Not available - See external links for more information
# Versions: 7.9 to 1.0
# Tested on: iPhone 4 (7.1.2) and iPhone 4S (9.3.5)
# CVE : N/A
Orion Elite Hidden IP Browser Pro++ - Multiple Known Vulnerabilities
(Formerly known as: Torion Secure Anonymous Browser Pro++)
Versions affected:
7.9 (02 May 2016) and all former versions dating back to 1.0 (10 August 2015)
iPhone App Info - Description by Developer:
"#1 Onion Routing Browser that protects and hides your IP (Internet Protocol)
address from
the internet for legal legitimate purposes. It is the most robust, tested and
popular App on the
App Store. Is your privacy worth cutting corners? Can you be half protected? Is
it worth the
risk? The world famous eVestigator.com.au, the Cyber Digital-Forensics Private
Investigator,
the author and enhancer of this original open browser says "not even he could
hack it" and
"I have put people behind bars just from tracing an IP before". That's straight
from the Author.
If you're thinking about investigating in an inferior product, think again!"
External Links:
https://itunes.apple.com/us/app/orion-elite-hidden-ip-browser-pro/id1021253135
[http://archive.is/R5jst]
http://www.orionbrowser.com (Current package name)
[http://web.archive.org/web/20160624150229/http://orionbrowser.com/ ||
http://archive.is/i6z60]
http://www.torionbrowser.com (Original package name)
[http://web.archive.org/web/20160314004721/https://www.torionbrowser.com/ ||
http://archive.is/FiHSP]
https://www.linkedin.com/company-beta/18034392/ (Company that published the app
and is responsible for maintaining it.)
https://www.youtube.com/watch?v=MYd4_pitOjA (Video demonstration - removed by
vendor 14Jul17) [http://archive.is/nHWuF - Does not contain original video]
Credits: MaXe (@InterN0T)
Special Thanks: The original developer (see references) for providing accurate
changelogs and making known bugs public, so that users are aware of these
security risks.
-:: The Advisory - Detailed::-
The iPhone application reviewed is vulnerable to multiple known issues.
1. The Tor client embedded within the application is: 0.2.6.5-rc (released 18
Mar 2015)
Relevant changelogs:
- https://gitweb.torproject.org/tor.git/plain/ReleaseNotes?h=release-0.2.6
(https://blog.torproject.org/blog/tor-0265-rc-released)
- Potentially Applicable CVEs:
CVE-2017-0376, CVE-2017-0375, CVE-2016-8860
2. The OpenSSL library embedded within the application is: 1.0.2a (released 19
Mar 2015)
Relevant changelogs:
- https://openssl.org/news/changelog.html
- https://www.openssl.org/news/secadv/20160503.txt << Important security
advisory
- https://www.openssl.org/news/secadv/20160922.txt << Important security
advisory
- Applicable CVEs:
CVE-2017-3731, CVE-2017-3732, CVE-2016-7055, CVE-2016-7052, CVE-2016-6304,
CVE-2016-2183, CVE-2016-6303
CVE-2016-6302, CVE-2016-2182, CVE-2016-2180, CVE-2016-2177, CVE-2016-2178,
CVE-2016-2179, CVE-2016-2181
CVE-2016-6306, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109,
CVE-2016-2176, CVE-2016-0800
CVE-2016-0705, CVE-2016-0798, CVE-2016-0797, CVE-2016-0799, CVE-2016-0702,
CVE-2016-0701, CVE-2015-3197
CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-1793, CVE-2015-3196
3. Known bugs from the original application, by the original developer:
- Video note: Websites using HTML5 <video> tags may leak <video>-related DNS
queries and data transfer outside
of Tor. This includes YouTube, Vimeo, and any website using iOS-compatible
HTML5 video. This is due to behavior
of the embedded QuickTime player and a comprehensive workaround has not yet
been developed.
- JavaScript blocking: The "Active Content Blocking" feature is experimental.
If ACB is turned off, JavaScript
techniques can identify what type of iOS device you are using and what
version of iOS you are using, even if
User-Agent Spoofing is enabled.
- Geolocation blocking: Websites may use the HTML5 Geolocation API unless the
"Active Content Blocking" feature
is set to "Block All". Users should remain vigilant for any pop-ups asking
for permission to access location data.
Note: Please refer to the references further below, i.e. "Known Bugs".
4. The application also sends the following HTTP request on startup to the
developers website:
http://www.orionbrowser.com/secure/ip34r.asp?guid=<INSERT GUID HERE>
An example of this can be seen below:
GET /secure/ip34r.asp?guid=<INSERT GUID HERE>&new=1 HTTP/1.1
Host: www.orionbrowser.com
Accept: */*
Accept-Language: en-us
Connection: close
Pragma: no-cache
User-Agent: OrionBrowser/<VERSION HERE> CFNetwork/<VERSION HERE>
Darwin/<VERSION HERE>
According to the developer, this is to check that the application is licensed,
by sending a unique GUID over HTTP that can be tracked, every time the
application is run.
5. In addition to the above, several other links are hardcoded to use HTTP:
__cstring:001B912A 00000033 C
http://www.orionbrowser.com/secure/ip34r.asp?guid=
__cstring:001B9443 00000028 C http://www.orionbrowser.com/secure/?tk=
__cstring:001B94C5 0000003F C
window.location.href='http://orionbrowser.com/secure/top.asp';
__cstring:001B9504 00000042 C
window.location.href='http://orionbrowser.com/secure/bottom.asp';
__cstring:001B9546 00000040 C
window.location.href='http://orionbrowser.com/secure/menu.asp';
__cstring:001B971D 00000037 C
http://www.orionbrowser.com/secure/bookmark.asp?title=
__cstring:001B9980 00000026 C http://www.orionbrowser.com/help.html
__cstring:001BBA84 0000001D C http://www.orionbrowser.com/
__cstring:001BBB27 00000027 C http://www.orionbrowser.com/opensource
6. Several embedded HTML files within the application, will also redirect to
the developer's website over HTTP:
a.html: <meta http-equiv="refresh" content="2;
URL='http://www.orionbrowser.com/secure/a.html"; />
about.html: <meta http-equiv="refresh" content="0;
URL='http://www.orionbrowser.com/"; />
bookmark.html: <meta http-equiv="refresh" content="0;
URL='http://www.orionbrowser.com/secure/bookmark.asp"; />
help.html: <meta http-equiv="refresh" content="0;
URL='http://www.orionbrowser.com/secure"; />
startup.html: <meta http-equiv="refresh" content="0;
URL='http://www.orionbrowser.com/secure"; />
status.html: <meta http-equiv="refresh" content="0;
URL='http://www.orionbrowser.com/secure/status.html"; />
7. The current version of this iPhone app does not use "HashedControlPassword"
within the TorRC file either.
-:: Proof of Concept ::-
The current version of this iPhone application appears to be broken, and has
likely been broken for a few months.
When the app starts up, it expects the developer's domain to provide a specific
response over plain-text HTTP. The
first request made to the developer's website is vulnerable to MITM attacks
before it crashes.
-:: Solution ::-
1. The embedded OpenSSL library must be updated to the latest version.
2. The embedded Tor client within the application, must be updated to the
latest secure version.
3. Users must be notified of known bugs - See references further below.
4. All connections made to the developer's website must be over HTTPS.
5. The application should NOT send a unique GUID to the developer's website
when it runs.
6. The application should NOT allow the user to save bookmarks on the
developer's website.
It is STRONGLY advised to uninstall this iPhone application immediately, if you
have it installed on your phone.
References:
1. Original iPhone Tor browser - This has not been reviewed in depth but it has
received several security updates.
It's also free and open source:
https://itunes.apple.com/us/app/onion-browser-secure-anonymous-web-with-tor/id519296448
2. Known Bugs: https://mike.tig.as/onionbrowser/ (Refer to "Bugs, Caveats, Side
Notes")
3. Changelog for original app: https://github.com/mtigas/OnionBrowser/releases
4. Vendor blog about app (brief):
https://medium.com/@e_forensic/wannafix-proposal-by-cyber-security-expert-simon-smith-use-the-exploit-to-our-advantage-5d57e579c1b3
[http://archive.is/csSDp]
5. Embedded file within app - originalolderlicense.html: <meta name="keywords"
content="Welcome to Orion Anonymous Browser Pro - the safest anonymousbrowser
on the planet">
6. The specific Onion Browser version this application utilizes is: 1.5.12
(https://github.com/mtigas/OnionBrowser/releases/tag/v1.5.12)
7. It is also recommended looking at the known bugs here:
https://github.com/mtigas/OnionBrowser/issues
Application package internal name:
com.rplcentral.TorionBrowser
Other interesting strings from the application:
__cstring:001BC7C6 0000008B C OPENSSLDIR:
\"/Users/punchee/Documents/personal/projects/fiverr/simonsmith79/src/iOS-OnionBrowser-master/build/built/iPhoneOS8.3-armv7.sdk\"
__cstring:001C5C04 00000089 C
/Users/punchee/Documents/personal/projects/fiverr/simonsmith79/src/iOS-OnionBrowser-master/build/built/iPhoneOS8.3-armv7.sdk/lib/engines
__cstring:001F2C71 0000008D C
/Users/punchee/Documents/personal/projects/fiverr/simonsmith79/src/iOS-OnionBrowser-master/build/built/iPhoneOS8.3-armv7.sdk/share/tor/geoip
__cstring:001F2D0A 0000008E C
/Users/punchee/Documents/personal/projects/fiverr/simonsmith79/src/iOS-OnionBrowser-master/build/built/iPhoneOS8.3-armv7.sdk/share/tor/geoip6
__cstring:001F41C5 00000094 C
/Users/punchee/Documents/personal/projects/fiverr/simonsmith79/src/iOS-OnionBrowser-master/build/built/iPhoneOS8.3-armv7.sdk/etc/tor/torrc-defaults
__cstring:001F4259 0000008B C
/Users/punchee/Documents/personal/projects/fiverr/simonsmith79/src/iOS-OnionBrowser-master/build/built/iPhoneOS8.3-armv7.sdk/etc/tor/torrc
__cstring:001F87EA 00000081 C
/Users/punchee/Documents/personal/projects/fiverr/simonsmith79/src/iOS-OnionBrowser-master/build/built/iPhoneOS8.3-armv7.sdk/var
__cstring:001F886B 00000085 C
/Users/punchee/Documents/personal/projects/fiverr/simonsmith79/src/iOS-OnionBrowser-master/build/built/iPhoneOS8.3-armv7.sdk/var/tor
Disclosure timeline:
01 Jul 2017 - Application security review begins.
07 Jul 2017 - Vendor randomly pulls app.
14 Jul 2017 - Vendor is notified of vulnerabilities.
15 Jul 2017 - Multiple correspondence notes below:
- Vendor responds stating the app has no actively installed users.
- Vendor talks about having SSL/TLS on a website remediates hardcoded HTTP URLs.
- Vendor asks for personally identifiable information (PII) in relation to
InterN0T. (IPA file, receipt, apple ID, IP address, Hardware specs, etc.)
- InterN0T responds professionally, but without providing any PII to the vendor.
- Vendor sends a huge email with various legal threats to InterN0T.
15 Jul 2017 - Advisory sent to The Exploit Database and all other vulnerability
databases.
Vendor responses:
- First email from vendor: https://ghostbin.com/paste/5fwpb
- Second email from vendor: https://ghostbin.com/paste/d8o7a
- Third email from vendor: https://ghostbin.com/paste/6hc3f
- InterN0T response: https://ghostbin.com/paste/dtzvo
- Fourth email from vendor including various threats:
https://ghostbin.com/paste/49obu
===============================
|| || || ||
|| ||, , ,|| ||
|| (||/|/(\||/ ||
|| ||| _'_`||| ||
|| || o o || ||
|| (|| - `||) ||
|| || = || ||
|| ||\___/|| ||
||___||) , (||___||
/||---||-\_/-||---||\
/ ||--_||_____||_--|| \
(_(||)-| S123-45 |-(||)_)
|""""""""""""""""""""""""""""|
| You're under e-arrest mate |
""""""""""""""""""""""""""""
Brought to you by:
_____ _ _ _ ___ _______
|_ _| | | | \ | |/ _ \__ __|
| | _ __ | |_ ___ _ __| \| | | | | | |
| | | '_ \| __/ _ \ '__| . ` | | | | | |
_| |_| | | | || __/ | | |\ | |_| | | |
|_____|_| |_|\__\___|_| |_| \_|\___/ |_|
######## EOF ########--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
