Researchers discover hidden shell in Hola VPN software

Hola VPN still vulnerable, despite updates released over the weekend; Researchers have discovered a shell in the software's core code, as well as evidence that malware used the Hola's P2P network

Servers at laas fdls
Guillaume Paumier, CC_BY (Creative Commons BY or BY-SA)

Hola, an Israeli company that develops a browser plug-in promoted heavily as a means to bypass region locks on Web-based content and anonymous surfing, faced a considerable amount of backlash last week - after it was discovered they were selling access to their user's connections in what one researcher called "a poorly secured botnet."

On Friday, 24-hours after the quasi-botnet operation was disclosed, a group of researchers released details on a number of critical vulnerabilities in the Hola software.

The flaws were discovered in the Hola Windows client, Firefox add-on, Chrome extension, and Android application. If exploited, they'll give an attacker (local or remote) the ability to gain code execution and potentially escalate privileges on a user's system.

"This problem is not just an 'oversight'. It's not a thing where you say 'well, bugs can happen'. This kind of security issue can only happen if a developer is either grossly incompetent, or simply doesn't care about the security of their users. It's negligence, plain and simple, and there's no excuse for it," the researchers added.

Failed Updates:

Over the weekend, Hola updated its website, FAQ, and software to deal with the fallout from the botnet story and the disclosed vulnerabilities. Despite their efforts, the problems remain.

The updates only prevent the disclosure website and proof-of-concept (PoC) tests from working, they do not correct the underlying problems. Considering how Hola is designed and operates, a fix doesn't seem likely.

"They fixed the [remote code execution] issue we were using for our PoC, and the tracking and file read issues. However, [remote code execution flaw] still exists by the Web socket vector (using Man-in-the-Middle), as does privilege escalation if you were originally vulnerable to it," explained one of the researchers who disclosed the flaw on Friday.

"Also, you are still vulnerable to the file read issue if Man-in-the-Middle is used, [and it's the] same for the info leak issue (ASLR bypass). Frankly, Man-in-the-Middle is a part of Hola's design, and the Web socket is their debugging functionality, which is even used in a bunch of places, so neither of those will be fixed."

An ideal platform for targeted attacks:

Researchers at Vectra, a San Jose, California-based company focused on real-time attack detection, studied Hola over the last several weeks as it ran on customer networks.

In a blog post sharing some of their findings, the company stated that in addition to the various botnet-like functions now part of the public record, the Hola application "contains a variety of features that make it an ideal platform for executing targeted cyber attacks."

Vectra researchers also found five different malware samples on VirusTotal using the Hola network [example], proving that criminals were aware of how the application could be abused for some time now.

In one sample, the malware had commands allowing the attacker to manipulate the wireless NIC of a given system and advertise it as the default gateway to attract other internal traffic. Thus, if this was a home-based infection, all devices in the house might be connecting to the malicious system, but in an office setting the impact is amplified significantly.

Other problems discovered by Vectra include the fact that Hola can download and install additional software without the user's knowledge. Hola uses a valid code-signing certificate during the initial installation; and once that's complete Hola will in-turn install its own code-signing certificate on the user's system (e.g. the Trusted Publishers Certificate Store on Windows).

Such a modification means that additional software can be installed and ran without any operating system or browser notification.

Moreover, Vectra researchers discovered the existence of a built-in shell console in within Hola that remains active even when the user is not browsing the Web with the service. Called zconsole, the shell is included in the process that acts as the forwarder for peer traffic, and it enables direct human interaction with a Hola node.

If a human outside of the system were to use the console, they could: List and kill any running processes; Download any file and bypass anti-Virus checking; Execute downloaded files and run it with the token of another process or run it as a background process; Open a socket to any IP address, device, GUID, alias, or Windows name; and/or read and write content across the socket to the console or to a file.

The capabilities of the console enable a competent attacker to do almost anything with a targeted host, Vectra explained in a blog post - meaning the discussion about Hola is no longer focused on 'a leaky and unscrupulous anonymity network,' but it's turned into a discussion on how Hola can be used as an attack platform.

Vectra has encouraged anyone running the software to uninstall it immediately, which has been the advice given so by both privacy and security experts. Hola has remained silent on the issue, but as mentioned, the company updated their website over the weekend with clarifications on how the software works.

[Update 12:29 P.M. EST 1 JUNE 2015]: Hola has published a blog on their website addressing recent events, while it downplays the risks, the company has stated they plan to have an external security audit performed, and they will be launching a bug bounty program. The full post is available here.

There are 64 million Hola users worldwide, and until they were called out by administrators and the press, the company wasn't exactly clear on how their service worked, and even now many of them are in the dark.

Salted Hash asked Vectra CTO, Oliver Tavakoli, for his opinions on the matter since Hola has already been used in a DDoS attack against 8Chan, had a number of critical vulnerabilities exposed, and the code included in the core software itself is suspicious given its functionality.

Is the company acting irresponsible? Are the developers?

"My opinion is that the whole business model is relatively irresponsible, but that’s public record and one can’t accuse the company of hiding that, though the implications might not have been clear to most people who used the service. The vulnerabilities speak to a cavalier attitude about security in general," Tavakoli said.

"We’ve cracked the P2P control protocol and it’s stateless enough that we’ve implemented the decoder in a Wireshark plug-in. So, you could certainly claim a degree of irresponsibility on that front. To me, the installation of a code signing cert and the presence of a shell with the commands available in the supplied [manual] page go past the point of irresponsible and make me question the motivation of the company."

Copyright © 2015 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)