First chapter in security audit series released

Opera security team discloses multiple flaws in open source web proxy, Privoxy

Opera has publicly disclosed six serious vulnerabilities that were discovered in a security audit of Privoxy, the open source web proxy software.

Opera, the developer of a Chromium-based browser, has begun a series of blog posts, the first written by security engineer Joshua Rogers, to examine the security posture of today’s open source proxies.

The first investigation cantered around Privoxy, released in 2001 and described as a “non-caching web proxy with advanced filtering capabilities for enhancing privacy, modifying web page data and HTTP headers, controlling access, and removing ads and other obnoxious internet junk”.

Privoxy was once a primary way to enter the Tor network and is still recommended by the Tor Project.

Hot fuzz

The Opera security team performed a fuzzing assessment, in which automated software can be used to generate salvos of unexpected, random, or invalid inputs to applications under test.

This type of exercise can reveal errors in how data is handled. And if a program is stressed to the point of a system crash, researchers can then trace the issue to find vulnerable elements that require fixing.

RELATED Google launches Fuzzilli grant program to boost JS engine fuzzing research

Opera used the open source proxy’s own fuzzing framework, alongside partial parsing with a separator, during the audit – a decision the organization says meant they “were able to fuzz Privoxy more similarly to how it would be run in a real-world setting”.

The vulnerabilities found in Privoxy, versions before 3.0.32, were:

  • CVE-2021-20276: Buffer overflow in pcre_compile(), leading to denial of service (DoS).
  • CVE-2021-20217: An assertion failure triggered by a crafted CGI request causing DoS.
  • CVE-2021-20272: Another assertion issue in the config gateway that could cause system crashes.
  • CVE-2021-20273: If Privoxy is toggled off, DoS can occur via a crafted CGI request.
  • CVE-2021-20275: A invalid read in chunked_body_is_complete() could cause a crash.
  • CVE-2021-20274: A Null-pointer dereference problem that can lead to a system crash.

The majority of the issues were present in the proxy’s internal configuration gateway, a technology used to alter Privoxy settings during a browser session without accessing the main server.

This is possible by visiting http://p.p/ or on most setups.

Catch up on the latest browser security news

Speaking to The Daily Swig, Rogers explained that a common setup is the “pi-hole”, the use of Privoxy to block adverts that trigger JavaScript, as well as a means to access the Tor anonymity network without the Tor browser.

Breaking privacy

“Being able to crash or cause any security issue for Privoxy uses, via a website on the darknet (within the context of Tor), or being able to cause damage to users blocking ads using Privoxy (within the context of some ad network) is a very lucrative use case,” Rogers commented.

“Specifically for Privoxy, given it’s designed for privacy, breaking its security is a fairly real-world implication in of itself.”

During fuzzing, Opera also found five other non-security bugs including undefined behavior, uninitialized memory reads, and two issues in Privoxy’s own “fuzzing mode” code.

Fabian Keil, the developer of Privoxy, has resolved the flaws, with fixes available through patches bundled with the latest (stable) version of the technology, Privoxy v.3.0.32.

Opera selected Pivoxy due to its small and simple codebase. The software developer intends to release research into more complex proxies, in the near future. Stay tuned.

RELATED All major desktop browsers vulnerable to tracking flaw that can bypass privacy tools – research