Anonymizer.com Might Reveal Your IP (Double Proxy)

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Home
Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

Network Enabled

Discount: SecuriTeam5_SANS

Promo With Us

Subjects of Interest:
Vulnerability Management
SQL Injection
Buffer Overflows
Active Network Scanning
Fuzzing
Fuzzer Report
Network Security
Network Scanner
Pen Testing
Security Scanner
Scanner Review
Fuzzer Review
Web Scanner Review

The Anonymizer.com service sometimes reveals the true IP of the requesting end-user, due to inadequate filtering of incoming HTTP requests.

Credit:
The information has been provided by Klaxon.

Free Website Security Scan	Free Fuzzer Report	Vulnerability Assessment
Detect web app vulnerabilities	University study comparing the top	Accurate and automated scanning
Get guidance from professionals.	6 commercially availble fuzzers.	for networks of any size.

Protect your website!
Free Trial, Nothing to install.
No interruption of visitors.
www.beyondsecurity.com/vulnerability-scanner

If your ISP utilizes a transparent proxy it will usually attach a "Client-ip: x.x.x.x" field to all outgoing HTTP requests. The problem arises from the fact that Anonymizer will copy this field to its own HTTP request. Actually, it will pass along any field sent with your request, which makes sense for "Accept-..." and similar commands, but is obviously a bad idea for anything containing personal information.

Example:
-------------------------------------
[~]# nc -l -p 80

GET / HTTP/1.0
Host: foo.example.com
Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, image/png, image/jpeg, image/gif;q=0.2, text/plain;q=0.8, text/css, */*;q=0.1
Accept-Charset: iso-8859-1, utf-8;q=0.66, *;q=0.66
Accept-Encoding: identity
User-Agent: Mozilla/4.78 (TuringOS; Turing Machine; 0.0)
Client-ip: X.X.X.X <------------ BOOM!
Via: HTTP/1.1 proxy-02[XXXXXXX] (Traffic-Server/3.5.7 [XXXXXXXX])
-------------------------------------

So beware if you trust this service and there is an unknown proxy somewhere along the wire. Please note this experience was with Anonymizer.com's free service; it is unclear whether the paid service also suffers from this vulnerability.

How to check for this vulnerability:
Launch netcat on your port 80 (nc -l -p 80), telnet to www.anonymiser.com on port 80 and request your address:

[~]$ telnet www.anonymiser.com 80
Trying 168.143.112.10...
Connected to www.anonymiser.com.
Escape character is '^]'.
GET http://your.ip.goes.here HTTP/1.0
Foo-bar: it hurts

Netcat should spit this:

[~]# nc -l -p 80
GET / HTTP/1.0
Host: your.ip.goes.here
Foo-bar: it hurts
Connection: Keep-Alive

If Foo-bar is there, your Client-ip can also be there.

Solution:
This problem was fixed by the vendor.
The current version of the service is no longer vulnerable.

blog comments powered by Disqus

	Wepresent Wipg-1500 Firmware 1.0.3.7 Remote Code Execution Vulnerability
	Tcpdump Overflow Vulnerability
	Tcpdump 4.8.1 parsers Overflow Vulnerability
	Tcpdump 4.8.1 ISO CLNS Overflow Vulnerability
	Puppetlabs Mcollective-puppet-agent 1.11.0 option Execute Code Vulnerability
	Phpipam 1.2 Execute Code Cross Site Scripting Vulnerability
	Oracle Weblogic Server 10.3.6.0 takeover Remote Code Execution Vulnerability
	Oracle Universal Work Queue 12.1.1 accessible Remote Code Execution Vulnerability
	Oracle Siebel Ui Framework 16.1 update delete insert Remote Code Execution Vulnerability
	Oracle Partner Management 12.1.1 HTTP Remote Code Execution Vulnerability
	Oracle One-to-one Fulfillment 12.1.2 HTTP Remote Code Execution Vulnerability
	Oracle Mysql 5.7.16 unauthorized Remote Code Execution Vulnerability
	Oracle Marketing 12.1.1 Base Remote Code Execution Vulnerability
	Oracle JRE 1.6 web service Remote Code Execution Vulnerability
	Oracle Flexcube Universal Banking 12.2.0 Denial Of Service Vulnerability
	Oracle Flexcube Private Banking 12.0.1 CVSS Remote Code Execution Vulnerability
	Oracle Advanced Outbound Telephony 12.1.3 unauthorized Remote Code Execution Vulnerability
	Mybb Merge System 1.8.6 MyBulletinBoard Cross Site Scripting Vulnerability
	Cryptopp Crypto++ 5.6.4 octets Remote Code Execution Vulnerability
	Wireshark Overflow Vulnerability

Featured Articles

	Oracle Partner Management 12.1.1 HTTP Remote Code Execution Vulnerability
	Mp3splt 2.6.2 crafted Denial Of Service Vulnerability
	Trend Micro Smart Protection Server 3 webapps Execute Code Vulnerability
	Wordpress 4.7.1 commands Execute Code Sql Injection Vulnerability
	Oracle Istore 12.1.1 Successful Remote Code Execution Vulnerability
	Samsung Knox 1.0 Remote Code Execution Vulnerability
	Rapid7 Metasploit 4.13.0-2017012501 application Remote Code Execution Vulnerability
	Cisco IOS 15.2(2)e3 Denial Of Service Obtain Information Vulnerability
	Oracle Knowledge Management 12.1.1 critical data Remote Code Execution Vulnerability
	Siemens Sinumerik Integrate Operate Client modify Obtain Information Vulnerability
	Trend Micro Smart Protection Server 2.6 commands Execute Code Vulnerability
	Google Android 7.1.0 Mediaserver Execute Code Overflow Memory corruption Vulnerability
	Cisco Netflow Generation Appliance 1.0(2) Cross Site Scripting Vulnerability
	Adobe Acrobat Dc 15.006.30244 Execute Code Overflow Vulnerability
	Google Android 6.0.1 context Execute Code Overflow Memory corruption Vulnerability
	Cisco Unified Communications Manager 11.5(1.12000.1) Cross Site Scripting Bypass a restriction or similar Vulnerability
	Adobe Acrobat Dc 15.006.30244 Execute Code Overflow Memory corruption Vulnerability
	Oracle Marketing 12.2.6 Base Score Remote Code Execution Vulnerability
	Google Android 7 context Execute Code Overflow Memory corruption Vulnerability
	Cisco Webex Meeting Center Wbs28 Base Remote Code Execution Vulnerability

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs