Orion Elite Hidden IP Browser Pro 7.9 OpenSSL / Tor / Man-In-The-Middle

`# Exploit Title: Orion Elite Hidden IP Browser Pro - All Versions - Multiple Known Vulnerabilities  
# Date: 14/Jul/17  
# Exploit Author: MaXe  
# Vendor Homepage: http://www.orionbrowser.com && https://www.linkedin.com/company-beta/18034392/ && https://itunes.apple.com/us/app/orion-elite-hidden-ip-browser-pro/id1021253135  
# Software Link: Refer to IPA archive websites at your own risk  
# Screenshot: Not available - See external links for more information  
# Versions: 7.9 to 1.0  
# Tested on: iPhone 4 (7.1.2) and iPhone 4S (9.3.5)  
# CVE : N/A  
  
Orion Elite Hidden IP Browser Pro++ - Multiple Known Vulnerabilities  
(Formerly known as: Torion Secure Anonymous Browser Pro++)  
  
Versions affected:  
7.9 (02 May 2016) and all former versions dating back to 1.0 (10 August 2015)  
  
iPhone App Info - Description by Developer:   
"#1 Onion Routing Browser that protects and hides your IP (Internet Protocol) address from   
the internet for legal legitimate purposes. It is the most robust, tested and popular App on the   
App Store. Is your privacy worth cutting corners? Can you be half protected? Is it worth the   
risk? The world famous eVestigator.com.au, the Cyber Digital-Forensics Private Investigator,   
the author and enhancer of this original open browser says "not even he could hack it" and   
"I have put people behind bars just from tracing an IP before". That's straight from the Author.   
If you're thinking about investigating in an inferior product, think again!"  
  
  
External Links:  
https://itunes.apple.com/us/app/orion-elite-hidden-ip-browser-pro/id1021253135 [http://archive.is/R5jst]  
http://www.orionbrowser.com (Current package name) [http://web.archive.org/web/20160624150229/http://orionbrowser.com/ || http://archive.is/i6z60]  
http://www.torionbrowser.com (Original package name) [http://web.archive.org/web/20160314004721/https://www.torionbrowser.com/ || http://archive.is/FiHSP]  
https://www.linkedin.com/company-beta/18034392/ (Company that published the app and is responsible for maintaining it.)  
https://www.youtube.com/watch?v=MYd4_pitOjA (Video demonstration - removed by vendor 14Jul17) [http://archive.is/nHWuF - Does not contain original video]  
  
  
Credits: MaXe (@InterN0T)  
Special Thanks: The original developer (see references) for providing accurate changelogs and making known bugs public, so that users are aware of these security risks.  
  
  
-:: The Advisory - Detailed::-  
The iPhone application reviewed is vulnerable to multiple known issues.  
  
1. The Tor client embedded within the application is: 0.2.6.5-rc (released 18 Mar 2015)  
Relevant changelogs:  
- https://gitweb.torproject.org/tor.git/plain/ReleaseNotes?h=release-0.2.6 (https://blog.torproject.org/blog/tor-0265-rc-released)  
- Potentially Applicable CVEs:  
CVE-2017-0376, CVE-2017-0375, CVE-2016-8860  
  
  
2. The OpenSSL library embedded within the application is: 1.0.2a (released 19 Mar 2015)  
Relevant changelogs:   
- https://openssl.org/news/changelog.html  
- https://www.openssl.org/news/secadv/20160503.txt << Important security advisory  
- https://www.openssl.org/news/secadv/20160922.txt << Important security advisory  
- Applicable CVEs:  
CVE-2017-3731, CVE-2017-3732, CVE-2016-7055, CVE-2016-7052, CVE-2016-6304, CVE-2016-2183, CVE-2016-6303  
CVE-2016-6302, CVE-2016-2182, CVE-2016-2180, CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2181  
CVE-2016-6306, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, CVE-2016-2176, CVE-2016-0800  
CVE-2016-0705, CVE-2016-0798, CVE-2016-0797, CVE-2016-0799, CVE-2016-0702, CVE-2016-0701, CVE-2015-3197  
CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-1793, CVE-2015-3196  
  
  
3. Known bugs from the original application, by the original developer:  
- Video note: Websites using HTML5 <video> tags may leak <video>-related DNS queries and data transfer outside   
of Tor. This includes YouTube, Vimeo, and any website using iOS-compatible HTML5 video. This is due to behavior   
of the embedded QuickTime player and a comprehensive workaround has not yet been developed.  
- JavaScript blocking: The "Active Content Blocking" feature is experimental. If ACB is turned off, JavaScript   
techniques can identify what type of iOS device you are using and what version of iOS you are using, even if   
User-Agent Spoofing is enabled.  
- Geolocation blocking: Websites may use the HTML5 Geolocation API unless the "Active Content Blocking" feature   
is set to "Block All". Users should remain vigilant for any pop-ups asking for permission to access location data.  
  
Note: Please refer to the references further below, i.e. "Known Bugs".  
  
  
4. The application also sends the following HTTP request on startup to the developers website:  
http://www.orionbrowser.com/secure/ip34r.asp?guid=<INSERT GUID HERE>  
  
An example of this can be seen below:  
GET /secure/ip34r.asp?guid=<INSERT GUID HERE>&new=1 HTTP/1.1  
Host: www.orionbrowser.com  
Accept: */*  
Accept-Language: en-us  
Connection: close  
Pragma: no-cache  
User-Agent: OrionBrowser/<VERSION HERE> CFNetwork/<VERSION HERE> Darwin/<VERSION HERE>  
  
According to the developer, this is to check that the application is licensed, by sending a unique GUID over HTTP that can be tracked, every time the application is run.  
  
  
5. In addition to the above, several other links are hardcoded to use HTTP:  
__cstring:001B912A 00000033 C http://www.orionbrowser.com/secure/ip34r.asp?guid=   
__cstring:001B9443 00000028 C http://www.orionbrowser.com/secure/?tk=   
__cstring:001B94C5 0000003F C window.location.href='http://orionbrowser.com/secure/top.asp';   
__cstring:001B9504 00000042 C window.location.href='http://orionbrowser.com/secure/bottom.asp';  
__cstring:001B9546 00000040 C window.location.href='http://orionbrowser.com/secure/menu.asp';   
__cstring:001B971D 00000037 C http://www.orionbrowser.com/secure/bookmark.asp?title=   
__cstring:001B9980 00000026 C http://www.orionbrowser.com/help.html   
__cstring:001BBA84 0000001D C http://www.orionbrowser.com/   
__cstring:001BBB27 00000027 C http://www.orionbrowser.com/opensource   
  
  
6. Several embedded HTML files within the application, will also redirect to the developer's website over HTTP:  
a.html: <meta http-equiv="refresh" content="2; URL='http://www.orionbrowser.com/secure/a.html" />  
about.html: <meta http-equiv="refresh" content="0; URL='http://www.orionbrowser.com/" />  
bookmark.html: <meta http-equiv="refresh" content="0; URL='http://www.orionbrowser.com/secure/bookmark.asp" />  
help.html: <meta http-equiv="refresh" content="0; URL='http://www.orionbrowser.com/secure" />  
startup.html: <meta http-equiv="refresh" content="0; URL='http://www.orionbrowser.com/secure" />  
status.html: <meta http-equiv="refresh" content="0; URL='http://www.orionbrowser.com/secure/status.html" />  
  
  
7. The current version of this iPhone app does not use "HashedControlPassword" within the TorRC file either.  
  
  
-:: Proof of Concept ::-  
The current version of this iPhone application appears to be broken, and has likely been broken for a few months.   
When the app starts up, it expects the developer's domain to provide a specific response over plain-text HTTP. The   
first request made to the developer's website is vulnerable to MITM attacks before it crashes.  
  
  
-:: Solution ::-  
1. The embedded OpenSSL library must be updated to the latest version.  
2. The embedded Tor client within the application, must be updated to the latest secure version.  
3. Users must be notified of known bugs - See references further below.  
4. All connections made to the developer's website must be over HTTPS.  
5. The application should NOT send a unique GUID to the developer's website when it runs.  
6. The application should NOT allow the user to save bookmarks on the developer's website.  
  
It is STRONGLY advised to uninstall this iPhone application immediately, if you have it installed on your phone.  
  
  
References:  
1. Original iPhone Tor browser - This has not been reviewed in depth but it has received several security updates.   
It's also free and open source: https://itunes.apple.com/us/app/onion-browser-secure-anonymous-web-with-tor/id519296448  
2. Known Bugs: https://mike.tig.as/onionbrowser/ (Refer to "Bugs, Caveats, Side Notes")  
3. Changelog for original app: https://github.com/mtigas/OnionBrowser/releases  
4. Vendor blog about app (brief): https://medium.com/@e_forensic/wannafix-proposal-by-cyber-security-expert-simon-smith-use-the-exploit-to-our-advantage-5d57e579c1b3 [http://archive.is/csSDp]  
5. Embedded file within app - originalolderlicense.html: <meta name="keywords" content="Welcome to Orion Anonymous Browser Pro - the safest anonymousbrowser on the planet">  
6. The specific Onion Browser version this application utilizes is: 1.5.12 (https://github.com/mtigas/OnionBrowser/releases/tag/v1.5.12)  
7. It is also recommended looking at the known bugs here: https://github.com/mtigas/OnionBrowser/issues  
  
Application package internal name:  
com.rplcentral.TorionBrowser  
  
Other interesting strings from the application:  
__cstring:001BC7C6 0000008B C OPENSSLDIR: \"/Users/punchee/Documents/personal/projects/fiverr/simonsmith79/src/iOS-OnionBrowser-master/build/built/iPhoneOS8.3-armv7.sdk\"   
__cstring:001C5C04 00000089 C /Users/punchee/Documents/personal/projects/fiverr/simonsmith79/src/iOS-OnionBrowser-master/build/built/iPhoneOS8.3-armv7.sdk/lib/engines   
__cstring:001F2C71 0000008D C /Users/punchee/Documents/personal/projects/fiverr/simonsmith79/src/iOS-OnionBrowser-master/build/built/iPhoneOS8.3-armv7.sdk/share/tor/geoip   
__cstring:001F2D0A 0000008E C /Users/punchee/Documents/personal/projects/fiverr/simonsmith79/src/iOS-OnionBrowser-master/build/built/iPhoneOS8.3-armv7.sdk/share/tor/geoip6   
__cstring:001F41C5 00000094 C /Users/punchee/Documents/personal/projects/fiverr/simonsmith79/src/iOS-OnionBrowser-master/build/built/iPhoneOS8.3-armv7.sdk/etc/tor/torrc-defaults  
__cstring:001F4259 0000008B C /Users/punchee/Documents/personal/projects/fiverr/simonsmith79/src/iOS-OnionBrowser-master/build/built/iPhoneOS8.3-armv7.sdk/etc/tor/torrc   
__cstring:001F87EA 00000081 C /Users/punchee/Documents/personal/projects/fiverr/simonsmith79/src/iOS-OnionBrowser-master/build/built/iPhoneOS8.3-armv7.sdk/var   
__cstring:001F886B 00000085 C /Users/punchee/Documents/personal/projects/fiverr/simonsmith79/src/iOS-OnionBrowser-master/build/built/iPhoneOS8.3-armv7.sdk/var/tor   
  
  
Disclosure timeline:  
01 Jul 2017 - Application security review begins.  
07 Jul 2017 - Vendor randomly pulls app.  
14 Jul 2017 - Vendor is notified of vulnerabilities.  
15 Jul 2017 - Multiple correspondence notes below:  
- Vendor responds stating the app has no actively installed users.  
- Vendor talks about having SSL/TLS on a website remediates hardcoded HTTP URLs.  
- Vendor asks for personally identifiable information (PII) in relation to InterN0T. (IPA file, receipt, apple ID, IP address, Hardware specs, etc.)  
- InterN0T responds professionally, but without providing any PII to the vendor.  
- Vendor sends a huge email with various legal threats to InterN0T.  
15 Jul 2017 - Advisory sent to The Exploit Database and all other vulnerability databases.  
  
Vendor responses:  
- First email from vendor: https://ghostbin.com/paste/5fwpb  
- Second email from vendor: https://ghostbin.com/paste/d8o7a  
- Third email from vendor: https://ghostbin.com/paste/6hc3f  
- InterN0T response: https://ghostbin.com/paste/dtzvo  
- Fourth email from vendor including various threats: https://ghostbin.com/paste/49obu  
  
  
===============================  
|| || || ||  
|| ||, , ,|| ||  
|| (||/|/(\||/ ||  
|| ||| _'_`||| ||  
|| || o o || ||  
|| (|| - `||) ||  
|| || = || ||  
|| ||\___/|| ||  
||___||) , (||___||  
/||---||-\_/-||---||\  
/ ||--_||_____||_--|| \  
(_(||)-| S123-45 |-(||)_)  
|""""""""""""""""""""""""""""|  
| You're under e-arrest mate |  
""""""""""""""""""""""""""""  
  
Brought to you by:  
_____ _ _ _ ___ _______   
|_ _| | | | \ | |/ _ \__ __|  
| | _ __ | |_ ___ _ __| \| | | | | | |   
| | | '_ \| __/ _ \ '__| . ` | | | | | |   
_| |_| | | | || __/ | | |\ | |_| | | |   
|_____|_| |_|\__\___|_| |_| \_|\___/ |_|   
  
######## EOF ########  
`