Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

hackerone #1377864 - CNAME Uncloacking in SOCKS5 protocol #19070

Closed
antonok-edm opened this issue Oct 28, 2021 · 9 comments · Fixed by brave/brave-core#10742
Closed

hackerone #1377864 - CNAME Uncloacking in SOCKS5 protocol #19070

antonok-edm opened this issue Oct 28, 2021 · 9 comments · Fixed by brave/brave-core#10742

Comments

@antonok-edm
Copy link
Collaborator

https://hackerone.com/reports/1377864

@stephendonner
Copy link

stephendonner commented Nov 2, 2021

Verified PASSED using

Brave 1.33.51 Chromium: 95.0.4638.69 (Official Build) nightly (x86_64)
Revision 6a1600ed572fedecd573b6c2b90a22fe6392a410-refs/branch-heads/4638@{#984}
OS macOS Version 11.6.1 (Build 20G224)

Steps:

  1. new profile
  2. launched Brave
  3. installed the Proxy SwitchyOmega extension
  4. set Enable CNAME uncloaking to Enabled in brave://flags
  5. In the extension settings page, set the Proxy Servers section to have a single entry, as follows:
  6. Scheme Protocol Server Port
  7. (default) SOCKS5 127.0.0.1 8081
  8. cleared the "Bypass List" section in the extension settings page
  9. ensured the above changes were applied by clicking the "Apply changes" button in the left column
  10. started a SOCKS5 proxy server on the device via: ssh 127.0.0.1 -D 8081 (after opening up Remote Login in Sharing (macOS Settings).
  11. added the following line to the Custom filters section in brave://adblock: ||dev-pages.brave.software/static/images/test.jpg
  12. visited https://test-cname.brave.software/cname-uncloaking.html
  13. used the Proxy SwitchyOmega icon in the "puzzle piece" extensions menu to enable proxy mode (should be the 3rd option).
  14. pressed the Run test button
  15. confirmed the request was allowed (green).
  16. in the "puzzle piece" extensions menu, changed to [System Proxy] and ran the test again. Confirmed the request was blocked (red).
  17. in the "puzzle piece" extensions menu, changed to [Direct] and run the test again. Confirmed the request was blocked (red).
example example example example example example
Screen Shot 2021-11-02 at 10 47 03 AM Screen Shot 2021-11-02 at 10 41 07 AM Screen Shot 2021-11-02 at 10 42 02 AM Screen Shot 2021-11-02 at 10 43 04 AM Screen Shot 2021-11-02 at 10 43 18 AM Screen Shot 2021-11-02 at 10 43 32 AM

Verified PASSED using

Brave 1.33.95 Chromium: 96.0.4664.45 (Official Build) dev (64-bit)
Revision 76e4c1bb2ab4671b8beba3444e61c0f17584b2fc-refs/branch-heads/4664@{#947}
OS Linux

Steps:

  1. new profile
  2. launched Brave
  3. installed the Proxy SwitchyOmega extension
  4. enabled cname-uncloaking via brave://flags
  5. In the extension settings page, set the Proxy Servers section to have a single entry, as follows:
    Scheme Protocol Server Port
    (default) SOCKS5 127.0.0.1 8081
  6. cleared the "Bypass List" section in the extension settings page
  7. ensured the above changes were applied by clicking the "Apply changes" button in the left column
  8. started a SOCKS5 proxy server on the device via: ssh 127.0.0.1 -D 8081 (after opening up Remote Login in Sharing (macOS Settings).
  9. added the following line to the Custom filters section in brave://adblock: ||dev-pages.brave.software/static/images/test.jpg
  10. visited https://test-cname.brave.software/cname-uncloaking.html
  11. used the Proxy SwitchyOmega icon in the "puzzle piece" extensions menu to enable proxy mode (should be the 3rd option).
  12. pressed the Run test button
  13. confirmed the request was allowed (green).
  14. in the "puzzle piece" extensions menu, changed to [System Proxy] and ran the test again. Confirmed the request was blocked (red).
  15. in the "puzzle piece" extensions menu, changed to [Direct] and run the test again. Confirmed the request was blocked (red).
example example example example example example example
Screen Shot 2021-12-01 at 10 53 01 AM Screen Shot 2021-12-01 at 10 58 56 AM Screen Shot 2021-12-01 at 10 53 52 AM Screen Shot 2021-12-01 at 10 54 29 AM Screen Shot 2021-12-01 at 10 55 11 AM Screen Shot 2021-12-01 at 10 59 21 AM Screen Shot 2021-12-01 at 11 07 04 AM

@stephendonner
Copy link

stephendonner commented Nov 24, 2021

Update for @brave/legacy_qa: I've tried (unsuccessfully) to get this verified on both Linux and Windows.

Linux: DNS/name resolvers seemingly return cached names, leading to the test always showing green (allowed), when in two cases it should be red (blocked) - conferred with @antonok-edm a bit on this (works for his different Arch-with-custom-networking-NAT-setup).

Windows: I've tried both 1) ShadowSocks and 2) freesshd (servers) No dice so far.

Haven't-yet tried https://github.com/jgaa/shinysocks; YMMV.

@LaurenWags
Copy link
Member

LaurenWags commented Nov 24, 2021

thanks for the update on this one @stephendonner 👍🏻

cc @rebron on this issue

@stephendonner
Copy link

Verification IN-PROGRESS using 1.35.5

Android progress-status:

  1. installed ProxyDroid: https://play.google.com/store/apps/details?id=org.proxydroid&hl=en_US&gl=US
  2. started ProxyDroid with a SOCKS5 proxy running on port 8081
  3. enabled ProxyDroid
  4. installed and launched Brave
  5. added ||dev-pages.brave.software/static/images/test.jpg to brave://adblock
  6. enabled CNAME uncloaking via brave://flags
  7. restarted Brave
  8. loaded https://test-cname.brave.software/cname-uncloaking.html and clicked on the Run test button
  9. confirmed I saw a green-background Request was allowed message beneath the above button

...and that's as far as I've gotten. Not sure what else can be tested here, from desktop's test plan.

@antonok-edm mind conferring with @samartnik @SergeyZhukovsky et al on the test plan, here? 🙏

example example example example
Screenshot_20211203-085531 Screenshot_20211203-090234 Screenshot_20211203-110533 Screenshot_20211203-090614

@antonok-edm antonok-edm removed the OS/Android Fixes related to Android browser functionality label Dec 8, 2021
@stephendonner
Copy link

stephendonner commented Dec 10, 2021

Current status with Windows 10 attempt to verify; tested with

Brave 1.33.103 Chromium: 96.0.4664.93 (Official Build) (64-bit)
Revision 17531e0a70b4f8108f2418e8b5117f465077710b-refs/branch-heads/4664@{#1229}
OS Windows 10 Version 20H2 (Build 19042.1348)

After all of the above setup (which worked on macOS and Linux), I'm still stuck here: when using [proxy] via SwitchyOmega, I'm unable to connect to the test site (or any sites). [System Proxy] and [Direct] work, but should be showing Request was blocked.

I've confirmed that I've got Shadowsocks listening on port 8081 (via netstat -a | grep 8081) but looks like it's not forwarding the traffic.

Any ideas @antonok-edm ?

Brave

example example example example example example
19070-omega-proxy-set 19070-omega-system-proxy-set 19070-omega-proxy-direct 19070-adblock 19070-enabled-flags 19070-systemsettings

SwitchyOmega | Windows 10 | Shadowsocks listener

example example example
19070-proxyswitchyomega 19070-windows-showing-proxy 19070-netstat-port-8081

cc @brave/legacy_qa

@stephendonner
Copy link

@diracdeltas can you confirm you get similar results?

[direct-proxy] [proxy] [system-proxy]
direct-results proxy-results system-proxy

The above is with the following config:

SwitchyOmega settings SOCKS5 config
switchyomega-settings socks5server

@diracdeltas
Copy link
Member

@stephendonner yep i got those results on my windows 10 VM

@stephendonner
Copy link

@diracdeltas thanks for confirming 👍

@antonok-edm antonok-edm added QA/No and removed QA/Yes labels Dec 13, 2021
@antonok-edm
Copy link
Collaborator Author

Results above look good to me. We definitely don't want leakage outside of the proxy, which the CNAME resolver does not use for whatever reason. There are no "request blocked" results while the proxy is installed and active so this should be all set.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment