Paid Advertising
web application security lab

itms Decloaking

Another thing Jabra and I mentioned in the presentation actually dates back several months. HD Moore was talking about how someone (name is slipping my mind at the moment) had found some exploit using itms: protocol, used by iTunes, but part of it had to do with the fact that they needed to redirect off of Apple’s website to land on their payload. The redirect was eventually closed down, but it got me thinking and looking at iTunes. After about 20 minutes of looking I found a way to bypass itms’s limitations on which domain it allows you to connect to, which is a bug, but not a particularly serious one:

<iframe src=""></iframe>

So I handed it back to HD Moore and he added it as a feature to decloak a few months back. Why? Because it turns out that in specific circumstances it’s actually pretty good at decloaking people. If you are using Firefox and a proxy, it will go outside of the proxy model of the browser and use the underlying network settings of the operating system. So the first request will come from your proxy but the itms request will come from your real external IP. Add in some DNS foo to make the DNS request unique per person and you’ve got yourself a decloaking engine. You can see it on decloak if you want to take a look at it. And like before, if there is an exploit in itms where you need to include a payload into it off of Apple’s website, this is another way to do it.

I talked with Microsoft, Apple and Firefox about this and we had a very hard time talking about who owns this bug. Let’s say for a second Apple had no bug there, and it was working as intended. Who’s bug would it be? Apple for not following the proxy model? Firefox for not forcing the proxy model on all of it’s sub components OR for having it’s own unique proxy model? Or is it Microsoft who runs the entire operating system. I don’t think we ever came to a conclusion, but I’m more and more thinking it’s Firefox’s fault. They did go down the path of creating their own proxy model a long time ago (out of necessity). Now the question is, should they fix it? I for one would hate it if it got fixed. Sure, it’s horrible from a privacy perspective, but it’s great for usability. I’m constantly stuck on weird networks with weird proxy settings in the OS, and I need to get out for some reason. I think there are a lot of other people in the same boat too. So I doubt this is getting fixed any time soon.

This brought up one last conversation that I thought was worth sharing. The private browsing initiative that several browsers are undertaking at the moment really was never meant to protect users from this sort of privacy leak. It was intended to prevent wives from seeing what presents their husbands are buying them for their birthday. *cough* But maybe future versions should do a better job of this sort of privacy leaks - better integrate with Tor or something of that nature. I dunno, but it was an interesting conversation with the browser/OS/plugin guys.

5 Responses to “itms Decloaking”

  1. Wladimir Palant Says:

    Well, at least in this case it is an external application, entirely outside the browser. But what about Flash with its raw socket connections? Not only do those ignore proxy settings, I think that often it wouldn’t even be possible to run them through a proxy. So, is it Adobe’s bug or browser vendor’s or maybe a bug in the proxy implementations that don’t allow pass-through connections? Pointing fingers is certainly not going to help, the situation is only going to be solved if all the vendors involved decide to work together on a solution. But that’s just wishful thinking for a problem that nobody considers high priority.

  2. Joel Says:

    @Wladimir Palant
    I think you are mistaken with the flash proxy issue. As you mentionned Flash is considered as an external application and as such such should take into account the proxy settings made at OS levels. From my checks it seems that Flash does follow Windows-level proxy settings. If I am wrong, I’ll be happy to learn.


  3. jasmine Says:

    It’s not Firefox’s fault, otherwise it would be every 3rd party browser’s fault (Opera is the same way).
    Take also for example Quicktime; when using qtsrcdontusebrowser=true as a parameter to the object/embed of a quicktime movie, quicktime only respects the proxy settings set by the IE browser (i.e. Windows-wide network connection settings), but ignores it for firefox, opera, etc. Consider it Apple’s complicity in a microsoft conspiracy if you wish :p
    It can’t be 3rd party browser’s mistake, imho. Many of those 3rd party browsers run on a variety of platforms. For instance, Firefox and Opera both run on Linux, and Firefox can run on a multitude of other platforms. Those platforms don’t follow Microsoft’s OS-wide “network settings” model, so why should 3rd party browser’s make an exception for Windows? It should be apple’s responsibility to have their browser-specific plugins decide what settings to inherit depending on the browser that invokes it, not the Operating system. There will always be ways to circumvent browser’s settings. Standard RTSP/MMS protocols cannot be encapsulated through HTTP proxies, rendering plugins like realplayer and windows media player (and many others) as tools for this type of leakage. Quicktime on the other hand breaks standards by trying to encapsulate rtsp through HTTP, which wouldn’t work for any standard RTSP/1.0 server. Flash & Java & Silverlight also support socket connections, and it’s up to the developer of the application whether to take advantage of such features to force the revealing of the end-user’s real identity.
    just my 2 cents..

  4. jasmine Says:

    an additional note, on Adobe Acrobat, as it falls victim to the same logic as itunes/quicktime plugins (respecting only IE / Windows “networks settings” model)

    Consider a webpage (acrobat.html) with the following embed in it:

    If opened in IE (with HTTP proxy set), IE will download the pdf via proxy, invoke acrobat, and acrobat will access the collaboration WebDAV link via proxy

    However, if the proxy is set elsewhere (example firefox), the browser downloads the pdf, invokes acrobat, then acrobat raises and error dialog “This Operation is now allowed”, and upon clicking OK (the only option), Acrobat makes a direct connection to the server, revealing the real IP..

    tada :)

  5. jasmine Says:

    Sorry, please delete my last comment as it included link to a private site

    the embed code got stripped out in my previous comment, here it is again, angle brackets html-entitized :)

    <embed src=”test.pdf#toolbar=0&navpanes=0&scrollbar=0&collab=DAVFDF@” width=”500″ height=”375″>