# Exploit Title: Orion Elite Hidden IP Browser Pro - All Versions - Multiple Known Vulnerabilities
# Date: 14/Jul/17
# Exploit Author: MaXe
# Vendor Homepage: http://www.orionbrowser.com && https://www.linkedin.com/company-beta/18034392/ && https://itunes.apple.com/us/app/orion-elite-hidden-ip-browser-pro/id1021253135
# Software Link: Refer to IPA archive websites at your own risk
# Screenshot: Not available - See external links for more information
# Versions: 7.9 to 1.0
# Tested on: iPhone 4 (7.1.2) and iPhone 4S (9.3.5)
# CVE : N/A

Orion Elite Hidden IP Browser Pro++ - Multiple Known Vulnerabilities
(Formerly known as: Torion Secure Anonymous Browser Pro++)

Versions affected:
7.9 (02 May 2016) and all former versions dating back to 1.0 (10 August 2015)

iPhone App Info - Description by Developer: 
"#1 Onion Routing Browser that protects and hides your IP (Internet Protocol) address from 
the internet for legal legitimate purposes. It is the most robust, tested and popular App on the 
App Store. Is your privacy worth cutting corners? Can you be half protected? Is it worth the 
risk? The world famous eVestigator.com.au, the Cyber Digital-Forensics Private Investigator, 
the author and enhancer of this original open browser says "not even he could hack it" and 
"I have put people behind bars just from tracing an IP before". That's straight from the Author. 
If you're thinking about investigating in an inferior product, think again!"


External Links:
https://itunes.apple.com/us/app/orion-elite-hidden-ip-browser-pro/id1021253135 [http://archive.is/R5jst]
http://www.orionbrowser.com (Current package name) [http://web.archive.org/web/20160624150229/http://orionbrowser.com/ || http://archive.is/i6z60]
http://www.torionbrowser.com (Original package name) [http://web.archive.org/web/20160314004721/https://www.torionbrowser.com/ || http://archive.is/FiHSP]
https://www.linkedin.com/company-beta/18034392/ (Company that published the app and is responsible for maintaining it.)
https://www.youtube.com/watch?v=MYd4_pitOjA (Video demonstration - removed by vendor 14Jul17) [http://archive.is/nHWuF - Does not contain original video]


Credits: MaXe (@InterN0T)
Special Thanks: The original developer (see references) for providing accurate changelogs and making known bugs public, so that users are aware of these security risks.


-:: The Advisory - Detailed::-
The iPhone application reviewed is vulnerable to multiple known issues.

1. The Tor client embedded within the application is: 0.2.6.5-rc (released 18 Mar 2015)
Relevant changelogs:
- https://gitweb.torproject.org/tor.git/plain/ReleaseNotes?h=release-0.2.6 (https://blog.torproject.org/blog/tor-0265-rc-released)
- Potentially Applicable CVEs:
  CVE-2017-0376, CVE-2017-0375, CVE-2016-8860


2. The OpenSSL library embedded within the application is: 1.0.2a (released 19 Mar 2015)
Relevant changelogs: 
- https://openssl.org/news/changelog.html
- https://www.openssl.org/news/secadv/20160503.txt << Important security advisory
- https://www.openssl.org/news/secadv/20160922.txt << Important security advisory
- Applicable CVEs:
  CVE-2017-3731, CVE-2017-3732, CVE-2016-7055, CVE-2016-7052, CVE-2016-6304, CVE-2016-2183, CVE-2016-6303
  CVE-2016-6302, CVE-2016-2182, CVE-2016-2180, CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2181
  CVE-2016-6306, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, CVE-2016-2176, CVE-2016-0800
  CVE-2016-0705, CVE-2016-0798, CVE-2016-0797, CVE-2016-0799, CVE-2016-0702, CVE-2016-0701, CVE-2015-3197
  CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-1793, CVE-2015-3196


3. Known bugs from the original application, by the original developer:
- Video note: Websites using HTML5 <video> tags may leak <video>-related DNS queries and data transfer outside 
  of Tor. This includes YouTube, Vimeo, and any website using iOS-compatible HTML5 video. This is due to behavior 
  of the embedded QuickTime player and a comprehensive workaround has not yet been developed.
- JavaScript blocking: The "Active Content Blocking" feature is experimental. If ACB is turned off, JavaScript 
  techniques can identify what type of iOS device you are using and what version of iOS you are using, even if 
  User-Agent Spoofing is enabled.
- Geolocation blocking: Websites may use the HTML5 Geolocation API unless the "Active Content Blocking" feature 
  is set to "Block All". Users should remain vigilant for any pop-ups asking for permission to access location data.

Note: Please refer to the references further below, i.e. "Known Bugs".


4. The application also sends the following HTTP request on startup to the developers website:
http://www.orionbrowser.com/secure/ip34r.asp?guid=<INSERT GUID HERE>

An example of this can be seen below:
GET /secure/ip34r.asp?guid=<INSERT GUID HERE>&new=1 HTTP/1.1
Host: www.orionbrowser.com
Accept: */*
Accept-Language: en-us
Connection: close
Pragma: no-cache
User-Agent: OrionBrowser/<VERSION HERE> CFNetwork/<VERSION HERE> Darwin/<VERSION HERE>

According to the developer, this is to check that the application is licensed, by sending a unique GUID over HTTP that can be tracked, every time the application is run.


5. In addition to the above, several other links are hardcoded to use HTTP:
__cstring:001B912A 00000033 C http://www.orionbrowser.com/secure/ip34r.asp?guid=               
__cstring:001B9443 00000028 C http://www.orionbrowser.com/secure/?tk=                          
__cstring:001B94C5 0000003F C window.location.href='http://orionbrowser.com/secure/top.asp';   
__cstring:001B9504 00000042 C window.location.href='http://orionbrowser.com/secure/bottom.asp';
__cstring:001B9546 00000040 C window.location.href='http://orionbrowser.com/secure/menu.asp';  
__cstring:001B971D 00000037 C http://www.orionbrowser.com/secure/bookmark.asp?title=           
__cstring:001B9980 00000026 C http://www.orionbrowser.com/help.html                            
__cstring:001BBA84 0000001D C http://www.orionbrowser.com/                                     
__cstring:001BBB27 00000027 C http://www.orionbrowser.com/opensource                           


6. Several embedded HTML files within the application, will also redirect to the developer's website over HTTP:
a.html: <meta http-equiv="refresh" content="2; URL='http://www.orionbrowser.com/secure/a.html" />
about.html: <meta http-equiv="refresh" content="0; URL='http://www.orionbrowser.com/" />
bookmark.html: <meta http-equiv="refresh" content="0; URL='http://www.orionbrowser.com/secure/bookmark.asp" />
help.html: <meta http-equiv="refresh" content="0; URL='http://www.orionbrowser.com/secure" />
startup.html: <meta http-equiv="refresh" content="0; URL='http://www.orionbrowser.com/secure" />
status.html: <meta http-equiv="refresh" content="0; URL='http://www.orionbrowser.com/secure/status.html" />


7. The current version of this iPhone app does not use "HashedControlPassword" within the TorRC file either.


-:: Proof of Concept ::-
The current version of this iPhone application appears to be broken, and has likely been broken for a few months. 
When the app starts up, it expects the developer's domain to provide a specific response over plain-text HTTP. The 
first request made to the developer's website is vulnerable to MITM attacks before it crashes.


-:: Solution ::-
1. The embedded OpenSSL library must be updated to the latest version.
2. The embedded Tor client within the application, must be updated to the latest secure version.
3. Users must be notified of known bugs - See references further below.
4. All connections made to the developer's website must be over HTTPS.
5. The application should NOT send a unique GUID to the developer's website when it runs.
6. The application should NOT allow the user to save bookmarks on the developer's website.

It is STRONGLY advised to uninstall this iPhone application immediately, if you have it installed on your phone.


References:
1. Original iPhone Tor browser - This has not been reviewed in depth but it has received several security updates. 
It's also free and open source: https://itunes.apple.com/us/app/onion-browser-secure-anonymous-web-with-tor/id519296448
2. Known Bugs: https://mike.tig.as/onionbrowser/ (Refer to "Bugs, Caveats, Side Notes")
3. Changelog for original app: https://github.com/mtigas/OnionBrowser/releases
4. Vendor blog about app (brief): https://medium.com/@e_forensic/wannafix-proposal-by-cyber-security-expert-simon-smith-use-the-exploit-to-our-advantage-5d57e579c1b3 [http://archive.is/csSDp]
5. Embedded file within app - originalolderlicense.html: <meta name="keywords" content="Welcome to Orion Anonymous Browser Pro - the safest anonymousbrowser on the planet">
6. The specific Onion Browser version this application utilizes is: 1.5.12 (https://github.com/mtigas/OnionBrowser/releases/tag/v1.5.12)
7. It is also recommended looking at the known bugs here: https://github.com/mtigas/OnionBrowser/issues

Application package internal name:
com.rplcentral.TorionBrowser

Other interesting strings from the application:
__cstring:001BC7C6 0000008B C OPENSSLDIR: \"/Users/punchee/Documents/personal/projects/fiverr/simonsmith79/src/iOS-OnionBrowser-master/build/built/iPhoneOS8.3-armv7.sdk\"       
__cstring:001C5C04 00000089 C /Users/punchee/Documents/personal/projects/fiverr/simonsmith79/src/iOS-OnionBrowser-master/build/built/iPhoneOS8.3-armv7.sdk/lib/engines           
__cstring:001F2C71 0000008D C /Users/punchee/Documents/personal/projects/fiverr/simonsmith79/src/iOS-OnionBrowser-master/build/built/iPhoneOS8.3-armv7.sdk/share/tor/geoip       
__cstring:001F2D0A 0000008E C /Users/punchee/Documents/personal/projects/fiverr/simonsmith79/src/iOS-OnionBrowser-master/build/built/iPhoneOS8.3-armv7.sdk/share/tor/geoip6      
__cstring:001F41C5 00000094 C /Users/punchee/Documents/personal/projects/fiverr/simonsmith79/src/iOS-OnionBrowser-master/build/built/iPhoneOS8.3-armv7.sdk/etc/tor/torrc-defaults
__cstring:001F4259 0000008B C /Users/punchee/Documents/personal/projects/fiverr/simonsmith79/src/iOS-OnionBrowser-master/build/built/iPhoneOS8.3-armv7.sdk/etc/tor/torrc         
__cstring:001F87EA 00000081 C /Users/punchee/Documents/personal/projects/fiverr/simonsmith79/src/iOS-OnionBrowser-master/build/built/iPhoneOS8.3-armv7.sdk/var                   
__cstring:001F886B 00000085 C /Users/punchee/Documents/personal/projects/fiverr/simonsmith79/src/iOS-OnionBrowser-master/build/built/iPhoneOS8.3-armv7.sdk/var/tor               


Disclosure timeline:
01 Jul 2017 - Application security review begins.
07 Jul 2017 - Vendor randomly pulls app.
14 Jul 2017 - Vendor is notified of vulnerabilities.
15 Jul 2017 - Multiple correspondence notes below:
- Vendor responds stating the app has no actively installed users.
- Vendor talks about having SSL/TLS on a website remediates hardcoded HTTP URLs.
- Vendor asks for personally identifiable information (PII) in relation to InterN0T. (IPA file, receipt, apple ID, IP address, Hardware specs, etc.)
- InterN0T responds professionally, but without providing any PII to the vendor.
- Vendor sends a huge email with various legal threats to InterN0T.
15 Jul 2017 - Advisory sent to The Exploit Database and all other vulnerability databases.

Vendor responses:
- First email from vendor: https://ghostbin.com/paste/5fwpb
- Second email from vendor: https://ghostbin.com/paste/d8o7a
- Third email from vendor: https://ghostbin.com/paste/6hc3f
- InterN0T response: https://ghostbin.com/paste/dtzvo
- Fourth email from vendor including various threats: https://ghostbin.com/paste/49obu


===============================
     ||   ||     ||   ||
     ||   ||, , ,||   ||
     ||  (||/|/(\||/  ||
     ||  ||| _'_`|||  ||
     ||   || o o ||   ||
     ||  (||  - `||)  ||
     ||   ||  =  ||   ||
     ||   ||\___/||   ||
     ||___||) , (||___||
    /||---||-\_/-||---||\
   / ||--_||_____||_--|| \
  (_(||)-| S123-45 |-(||)_)
|""""""""""""""""""""""""""""|
| You're under e-arrest mate |
 """"""""""""""""""""""""""""

Brought to you by:
 _____       _            _   _  ___ _______ 
|_   _|     | |          | \ | |/ _ \__   __|
  | |  _ __ | |_ ___ _ __|  \| | | | | | |   
  | | | '_ \| __/ _ \ '__| . ` | | | | | |   
 _| |_| | | | ||  __/ |  | |\  | |_| | | |   
|_____|_| |_|\__\___|_|  |_| \_|\___/  |_|   

######## EOF ########