Full Disclosure mailing list archives

[123Privacy] Findnot.com DNS Privacy Breach, DNS Spoofing Exposure, and ISP Monitoring Vulnerability


From: "123 Privacy Advisories" <123privacy_advisory () mailvault com>
Date: Thu, 20 Apr 2006 04:02:54 +0200 (CEST)

-----BEGIN PGP SIGNED MESSAGE-----

Findnot.com DNS Privacy Breach, DNS Spoofing Exposure, and ISP
Monitoring Vulnerability

Advisory ID:    FN15398

Release Date:   2006-04-18

Last Update:    2006-04-18

Severity:       Critical

IMPACT:
        
Sites visited are visible to users on the local wireless connection or
local network, and to the ISP. The user is exposed to possible local/ISP
DNS spoofing. Internet sites accessed are easily monitored by the ISP
operating the DNS server.

Where:          From local network, and from remote servers.

Solution Status:        Unpatched

Software:       Findnot.com's SSH Proxy Service.

Related Advisories:     FN15294

DESCRIPTION:

Several vulnerabilities have been reported in Findnot.com's SSH Proxy
Service which can cause all DNS requests for lookup of sites visited to
be resolved using local DNS servers.

* Exposing the location of all sites visited to local wireless, network,
sysadmin snoopers or to an ISP that is monitoring their DNS server.

* A local attacker may also spoof a DNS request and send the user to a
site specifically tailored for a hack/phishing attempt.

This vulnerability is caused by the SSH Proxy infrastructure using only
a SOCKS server, which for almost all Internet applications causes DNS
leaks. The issue of SOCKS servers leaking DNS requests is well known and
documented on the net, as a Google search for "socks dns leaks" will
reveal.

The vulnerability has been reported by many users of the Findnot.com
system who sniffed their network connections while using the service.

These vulnerabilities nullify the specifically claimed features of the
service: "Protects you from DNS spoofing", "When on our system, you are
using our secured DNS system" and "Our encryption guards all your data
from the time it leaves your computer until it reaches our server."

VALIDATION:

Load etherape and sniff on your local internet connection interface.
Connect to the Findnot.com SSH Proxy service and configure IE to use the
Proxies. Load up a few Internet Explorer windows. Visit a few websites
you normally visit. Notice that your DNS queries bypass your encrypted
SSH Proxy connection and travel directly to your local ISP or gateway
machine, revealing what sites you are accessing to the operator of the
DNS server or to anyone in between who may also be running etherape or
another sniffer.

SUGGESTED SOLUTION:

1) When Findnot.com SSH Proxy service is used, NEVER use an application
directly pointing to the local SOCKS tunnel.
2) Use SOCKSCAP software that supports 'remote dns lookups'.
3) SOCKSIFY all applications you desire to use with the service with the
SOCKSCAP software.

or

Install Privoxy HTTP proxy, chain it to the Findnot.com SSH Proxy SOCKS
connection, and only use applications that support HTTP Proxy and point
them to the Privoxy software.

or

ONLY use Firefox 1.5.0.2, go to about:config and set
network.proxy.socks_remote_dns to true. This method only protects
Firefox from the problem.

Endnote:        Please note that for readability we have adopted a 'Secunia
Advisories' like format but that this is not a Secunia advisory.

-----BEGIN PGP SIGNATURE-----
Version: MailVault 2.2 from MailVault Corporation http://www.mailvault.com

iQA/AwUAREbrhJmYJws4aHIREQIDGgCfWYqm7VUB+XQj8So0HdoADJ/co7YAoJTj
Iv2es2j7tNOh0RB+l2nbyxM8
=3AFN
-----END PGP SIGNATURE-----


PGP Public Key for "123 Privacy Advisories" <123privacy_advisory () mailvault com>:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
