Privoxy Proxy Authentication Credential Exposure Product: Privoxy Project Homepage: privoxy.org Advisory ID: c22-2013-01 Vulnerable Version(s): 3.0.20 (and possibly prior) Tested Version: 3.0.20-1 (tested using Debian Sid) Vendor Notification: March 6, 2013 Public Disclosure: March 11, 2013 Vulnerability Type: Insufficiently Protected Credentials [CWE-522] CVE Reference: CVE-2013-2503 Risk Level: Medium CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) Discovery: Chris John Riley ( http://blog.c22.cc ) Advisory Details: During research into browser and proxy server handling of HTTP Response Codes, an issue with the way that Privoxy handles HTTP Response code 407 "Proxy Authentication Required" was discovered. Privoxy in versions 3.0.20 (and possibly prior) ignores the presence of "Proxy-Authenticate" and "Proxy-Authorization" headers and allows these values to be passed to and from a remote server without modification. The resulting behavior could allow a malicious websites to spoof a Proxy-Authentication response appearing to originate from the Privoxy service. The Privoxy user will then be prompted for a username and password that appears to originate from the Privoxy software. Scenario: 1) A Privoxy user visits a website using a browser of their choice 2) The remote website responds to the request with a 407 "Proxy Authentication Required" HTTP response code and the appropriate "Proxy-Authenticate: Basic" HTTP response header 3) This response is passed through the Privoxy service without modification to the users browser 4) As the browser is configured to use a proxy server, the browser believes that the upstream proxy (Privoxy) has requested authentication and prompts the user for a username and password. This prompt states that the proxy server at "127.0.0.1:8118" requires authentication (this prompt may vary if Privoxy is running on a machine other than localhost and/or on a non-default port number) 5) If the user enters a username and password, the browser will send a request through Privoxy to the remote website with a "Proxy-Authorization: XXXXXXXX" HTTP request header (where XXXXXXX is a base64 encoded version of the username and password the user entered at the browsers proxy authentication prompt) 6) The remote website receives this header and can store or re-use these captured credentials Proof of Concept: http://c22.cc/POC/c22-2013-01.php The above URL will respond with a "Proxy-Authenticate: basic" header when a request is received that does no contain a "Proxy-Authorization" header. This will prompt the users browser to request a username/password from the user. If you enter a value in the username/password box and click ok, it will send a Base64 encoded version to the remote website (the server will display the response headers at the bottom of the resulting page under request headers (one of the values will be "Proxy-Authorization" with a base64 encoded version of the entered username/password). For a full walkthrough it is suggested to capture this in your favourite packet capture program and walk through the requests to view the entire process. Note --> The above POC does not store any data sent to the server, however it is suggested to use bogus credentials if testing this proof of concept. Solution: The following solution was suggested and implemented in Privoxy 3.0.21 stable. Proxy authentication headers are removed unless the new directive enable-proxy-authentication-forwarding is used. Forwarding the headers potentionally allows malicious sites to trick the user into providing it with login information. References: Privoxy 3.0.21 ChangeLog --> http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/ChangeLog?revision=1.188&view=markup Vulnerability Timeline: March 5, 2013 20:00 - Initial discovery of vulnerability March 6, 2013 14:48 > Emailed Privoxy developer list to request a security contact March 6, 2013 15:26 < Received response with dedicated security contact information March 6, 2013 16:01 > Emailed details of the vulnerability to security contact March 6, 2013 17:19 < Received response acknowledging issue. Fix indicated in upcoming release March 6, 2013 18:38 > Acknowledged receipt of email and advised of updated CVSSv2 score March 7, 2013 15:50 < Received response detailing proposed fix, including link to CVS check-in of new code March 7, 2013 18:48 > Acknowledged receipt of email March 9, 2013 16:54 > Emailed CVE number to security contact and requested information on release plans March 10, 2013 14:28 < Received confirmation of release timeline March 10, 2013 14:58 - Release of Privoxy 3.0.21 stable March 11, 2013 07:45 - Release of advisory -- -- • Chris John Riley • • http://blog.c22.cc • -- ------------------------------------------ All emails ROT-26 encrypted ------------------------------------------