Vulnerability

WebWasher

Affected

WebWasher

Description

James Nickson found the following. WebWasher is a proxy server for Win/xx systems with 3 million users (not downloads, according to their web site - 9 OCT 00). WebWasher filters graphics and defeats "webbugs" and double-click commercials, enhancing privacy and bandwidth efficiency. With the webbug publicity, WebWasher's download rate seems to be accelerating.

The problem is that it establishes a general HTTP proxy server that anyone connected may use. This may present an opportunity for anonymous browsing for people with nefarious purposes, and a possible problem for the evidentiary credibility of Carnivore/Omnivore/NoSuchAnimal records if the target has allowed proxy use by mistake or design.

This is neither a WebWasher design nor implementation problem. WebWasher has more than met standards by having a click-the-box option to allow or disallow server use, and it apparently defaults to disallow. However, with an increasing number of home networks, many will "allow server" to let family members share a high-speed line. Again, this is not a problem if a firewall has been correctly configured. But home network firewalls are the least likely to be configured correctly. Ergo: there is likely to be a significant number of SOHO networks with wide open proxy servers. There is likely to be an increase in probes on 8080 and an increase in anonymous browsing.

Does this work? Of course it does; it is straightforward TCP/IP proxy use. Besides, James stripped his firewall off one system, call it system A, set WebWasher to serve, and attached to the net. Then he dialed another system, B, into a different ISP, directed Netscape to use A's temporary IPAddr:8080 as a proxy, and went to Yahoo. When he was getting Yahoo on B there was activity on system A's modem, and when he was not, there was no activity. James did not sniff-log to force the proof, but all the signs are that the proxy mechanism worked just as it always does, and dual ISP connections for anonymous surfing are quite feasible if not easy. It remains an exercise for the reader to use EQL (or is it EQU?) to attach to several proxies simultaneously so as to avoid detection by multiplexed trickle bandwidth stealing.

It would be very interesting to have samples from a DSL provider testing the percentage of users who were making a proxy server available to general use. Perhaps a cable company or MCI could enlighten us on the degree of the problem by sampling their employees' home systems.

Solution

Just a wild guess, but maybe because, no matter how you slice it, the program is still a proxy server. With "use as a server" unset, it's just no longer accepting connections from anything but localhost.
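A self-audit for the exposure described above, added here as an example and not part of the original advisory or of WebWasher: it reads Windows `netstat -an` output from your own machine and reports proxy listeners on port 8080 that are not bound to loopback, plus established proxy clients from outside loopback and RFC 1918 LAN ranges. It assumes the localhost-only setting is visible as a loopback bind; the sample listing and the names `audit` and `split_endpoint` are constructed for illustration.

```python
import ipaddress

PROXY_PORT = 8080  # port named in the advisory
# RFC 1918 ranges, treated here as "home LAN" (assumption for this example)
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of Windows `netstat -an` output (not from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    192.168.0.2:8080       192.168.0.5:1045       ESTABLISHED
  TCP    192.168.0.2:8080       203.0.113.7:3312       ESTABLISHED
  TCP    192.168.0.2:1188       198.51.100.20:80       ESTABLISHED
"""

def split_endpoint(text):
    """Split 'addr:port' into (ip_address, port); None if unparsable."""
    host, _, port = text.rpartition(":")
    try:
        return ipaddress.ip_address(host.strip("[]")), int(port)
    except ValueError:
        return None

def audit(netstat_text, port=PROXY_PORT):
    """Return (exposed_listeners, outside_clients) for the proxy port."""
    exposed, outside = [], []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP":
            continue  # skip headers, UDP rows and blank lines
        local, remote = split_endpoint(fields[1]), split_endpoint(fields[2])
        if local is None or remote is None or local[1] != port:
            continue
        if fields[3] == "LISTENING" and not local[0].is_loopback:
            exposed.append(fields[1])   # reachable beyond localhost
        elif fields[3] == "ESTABLISHED":
            peer = remote[0]
            on_lan = any(peer in net for net in LAN_NETS)
            if not (peer.is_loopback or on_lan):
                outside.append(fields[2])  # client from outside the LAN
    return exposed, outside

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty first list means the proxy port is only listening on loopback; any entry in the second list is a client the firewall should have stopped.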