2007-11-01
Abstract
The popularity of anonymous proxies is rising rapidly, as is the number of sites offering anonymous proxy services, but what impact do they have on corporate security? Rony Michaely explains the risks.
Copyright © 2007 Virus Bulletin
Anonymous proxies emerged as a result of the ‘fighting Internet censorship’ movement and have grown to become one of the leading security threats to corporations, educational institutions and other organizations, as well as end-users worldwide.
The past year has witnessed a dramatic increase in the number of anonymous proxy services on offer. The phenomenon started in 2002 with a few dozen sites offering users anonymous access to Internet resources, and now over 100,000 registered websites and an estimated 300,000 private, home-based websites offer anonymity services.
The main reason for this dramatic increase is that there has been an increase in the number of users desiring such sevices. Many business-minded individuals have seized the opportunity to make money through charging users a monthly fee for anonymity services. Another reason for the increase in these services relates to technology. Software running on proxy anonymizer sites has become open source, making web-based proxies available to anyone who wants to access them. This new open-source approach gives even relatively non-technical users the ability to create anonymous proxies on the fly. These proxies are then placed on newly created or home-based websites, bypassing Internet filters.
Anonymous proxies are probably the most popular and effective way for users to bypass Internet filters. Appearing as an unblocked web page, a proxy anonymizer site allows a user to enter any URL into a form. When the form is submitted, the proxy server retrieves the web page even if it is blocked by the organization’s Internet filter.
Access to open-source anonymous proxies is based on two main methods:
CGI-proxy. Through a CGI Script, users can retrieve any resource that is accessible from the server on which it runs. When an HTML resource is retrieved, it is modified so that all links in it refer back to the same proxy, including images and form submissions. Configurable options include text-only support, SSL support, selective cookie and script removal, simple ad filtering, access restriction by server, and custom encoding of target URLs and cookies.
PHP-proxy. A web HTTP proxy programmed in PHP can easily be installed on any PHP-enabled web server. It allows users to browse through the web server itself as a proxy for bypassing firewalls and other content filter restrictions. PHP-proxy uses a web interface that is very similar to the popular CGI-proxy.
Anonymous proxies pose a range of risks:
In schools they allow students to access sites prohibited by their school’s Internet policy, which may be inappropriate and potentially harmful.
They expose organizations to drive-by spyware, viruses and trojans.
They expose users to identity theft, pharming and phishing attacks.
They expose organizations to information theft.
They provide anonymity for abusers of corporate resources (e.g. workers using company systems for illegal activities, posting inappropriate content etc.).
They prevent web filters from monitoring users’ online activities.
The CIPA (Children’s Internet Protection Act) is a federal law that was enacted by the American Congress in December 2000 to address concerns about access to offensive content via the Internet in schools and libraries. CIPA clearly requires schools and libraries to operate a ‘technology protection measure’ with respect to any of its computers with Internet access that ‘protects against access through such computers to visual depictions that are obscene, child pornography, or harmful to minors’. The following excerpts illustrate the growing threat of anonymous proxies from the aspect of enforcing Internet usage policy in corporations and educational institutions:
Teacher Allegedly Viewed Porn at Library (7 July 2007). ‘Tulsa County prosecutors charged William Lee Hunter Jr. on Thursday with procuring or possessing child pornography at the Central Library. Tulsa Public Schools records show that Hunter taught during the 2006–07 school year at Springdale Elementary School.’ Source: www.tulsaworld.com
Worker Fired for Viewing Porn on Job (5 July 2007). ‘A state employee who policed Internet usage by other state workers has been fired for viewing pornography on his own office computer. Thomas Rice of Grimes was fired in May from the Iowa Public Employees Retirement System, where he worked as a top-level information technology specialist. Rice’s supervisors allege that over a nine-day period in March he viewed dozens, if not hundreds, of pornographic images and movies throughout the workday.’ Source: desmoinesregister.com
Analysis of publicly available anonymous proxies found that 5% of these servers contained malicious content. Server directories were found to contain infected files including trojans, script viruses and exploits, spyware and adware.
Vulnerability analysis carried out by Aladdin CSRT on 1,000 registered anonymous proxy websites showed that 70% of these sites were vulnerable to remote code execution and cross-site scripting attacks (see Figure 2).
Vulnerabilities found on anonymous proxy sites included:
Cross-site scripting (high severity)
PHP Zend_Hash_Del_Key_Or_Index (high severity)
PHP HTML entity encoder heap overflow (high severity)
CRLF injection/HTTP response splitting (high severity)
SQL injection (high severity)
PHP version older than 4.4.1 (high severity)
Apache chunked encoding exploit (high severity)
OpenSSL ASN.1 deallocation (high severity)
SSL PCT handshake overflow (high severity)
PHP version older than 4.3.8 (medium severity)
Apache 2.x version older than 2.0.55 (medium severity)
Apache error log escape sequence injection (medium severity)
Apache Mod_Rewrite Off-By-One buffer overflow (medium severity)
PHP unspecified remote arbitrary file upload (medium severity)
Remote directory traversal (medium severity)
These vulnerabilities can potentially be exploited for malicious purposes including: remote code execution, cross-site scripting, denial of service attacks, privilege escalation and poisoning of the web cache.
The latest variants of the Storm worm launched a new kind of social-engineering attack, using spam to urge users to use online anonymity system Tor for their communications. The message contained a link to download a malicious version of Tor (see Figure 3).
Although most Internet-filtering solutions include an ‘anonymous proxy’ or ‘proxy avoidance’ category in their databases, they actually fail to block access to web-based proxies due to their list-based approach. List-based products cannot keep up with the increasing number of new proxy sites. The fact that users can easily install anonymous proxies on their private computers makes it even harder. The most crucial element that makes anonymous proxies a leading security threat and problematic for security products is the SSL support offered by many of these servers. Over 30% of the websites that offer anonymous surfing allow SSL connection.
There are several things that can be done to block access to anonymous proxies within organizations:
Analysing form methods and meta tags will prevent access to an estimated 40% of these websites.
Pattern-based detection and HTTP header analysis will catch requests for anonymous proxies on the fly, providing organizations with protection against circumvention and anonymity techniques.
Only 5% of the SSL-enabled anonymous proxies we analysed provided a valid certificate. All others presented expired, self-signed, mismatched or otherwise doubtful credentials. Validating the SSL certificate and assuring a trusted certificate issuer will prevent access to 95% of these SSL-enabled websites.
Many URL-filtering products contain an ‘uncategorized’ filter (sites that are not listed by the product). Use of this filter can prevent access to anonymous proxies installed on home computers.
The future may see a serious threat as a result of the continued growth of malicious anonymous proxies. The popularity of anonymous proxies is rising rapidly and the number of websites offering anonymous proxy services is increasing dramatically, bringing with it a growing concern in the form of high severity vulnerabilities on most of these sites. Phishing and social-engineering-based attacks aiming to lure users to use or install anonymous proxy services will increase exponentially. Unfortunately, relying on list-based and reactive security systems and continually chasing updates will prove increasingly unreliable.