
HideMyAss! privilege escalation flaws exposed


CrAKeN


 

The researcher on the case says the VPN provider will not be fixing them.

 

A set of serious security flaws in the HideMyAss! proxy service which could place user security and privacy at risk have been publicly disclosed.

 

Over the weekend, Securify researcher Han Sahin said that multiple privilege escalation vulnerabilities exist in HideMyAss! Pro VPN for Apple's OS X operating system, a subscription-based virtual private network (VPN) service used to mask user traffic and online activities.

 

The security flaw details and proof-of-concept (PoC) code were posted on Full Disclosure.

 

The bugs were discovered in the helper binary HMAHelper which ships with the Apple Mac OS X versions of HideMyAss!.

 

The helper, installed as root and responsible for loading kernel extensions and managing firewall rules and permissions, also includes the flaws which permit local attackers to exploit privilege escalation and gain root control of user accounts.

 

"Although disabling the firewall is dangerous enough, it was found that the helper is affected by multiple local privilege escalation vulnerabilities," the researcher says. "Taking the FirewallDisable rule as an example, [..] there is no limit to which executable can be executed allowing a local user (or malware) to run any executable as root."

 


 

Tested on version 2.2.7.0, Sahin says this older version of the software is still available for download and according to HMA support, will not be fixed.

 

In addition, Securify also discovered a similar local privilege escalation flaw in HideMyAss! Pro VPN for Mac. However, this issue -- caused by a signature check failure in a binary assistant used to create VPN profiles and connections -- impacts the latest version of the client, version 3.3.0.3, and no fix is available.

 

HideMyAss!, catering for thousands of users worldwide, is one of the most well-known VPNs on the market which offers free and premium proxy services. The HideMyAss! Pro VPN service is under AVG's umbrella after desktop and mobile privacy firm Privax was acquired by the antivirus provider in 2015.

 

Source


They tried to make money, but they're no match for the CIA and FBI... even the DarkNet has been utterly infiltrated... :(

For a belief of being protected, they are OK, but as soon as the feds want to, they'll have you ;)



19 minutes ago, Atasas said:

they are OK

Anyone who has done any research on VPNs knows not to use HMA. Try telling Cody Kretsinger, who was in the hacking group LulzSec, that HMA is OK; they gave law enforcement his info. They don't need a back door, they work with the feds lol.

https://invisibler.com/lulzsec-and-hidemyass/

 

 

 



1 minute ago, steven36 said:

Anyone who has done any research on VPNs knows not to use HMA. Try telling Cody Kretsinger, who was in the hacking group LulzSec, that HMA is OK; they gave law enforcement his info. They don't need a back door, they work with the feds lol.


https://invisibler.com/lulzsec-and-hidemyass/

 

 

 

Should have (meant) to say They were...



15 minutes ago, Atasas said:

Should have (meant) to say They were...

They did this in 2011, so I'm not sure they were ever OK. It was understandable when VPN Book did it because they're a free service and wanted to protect their free service, but HMA is a paid service that acts like they're worth buying that will turn you in to the cops lol.

 

The VPN I use has it where I can either use OpenVPN or their client. If they ever reported something wrong with it on Linux or Windows, I would just use OpenVPN instead till they fixed it, and mine would fix it; they have too many users not to.



35 minutes ago, nIGHT said:

How many of these VPNs actually work with the FBI/CIA?

Why is it not recommended to choose a US based service?

USA

Services based in the United States are not recommended because of the country’s surveillance programs, use of National Security Letters (NSLs) and accompanying gag orders, which forbid the recipient from talking about the request. This combination allows the government to secretly force companies to grant complete access to customer data and transform the service into a tool of mass surveillance.

An example of this is Lavabit – a discontinued secure email service created by Ladar Levison. The FBI requested Snowden’s records after finding out that he used the service. Since Lavabit did not keep logs and email content was stored encrypted, the FBI served a subpoena (with a gag order) for the service’s SSL keys. Having the SSL keys would allow them to access communications (both metadata and unencrypted content) in real time for all of Lavabit’s customers, not just Snowden's.

Ultimately, Levison turned over the SSL keys and shut down the service at the same time. The US government then threatened Levison with arrest, saying that shutting down the service was a violation of the court order.



Sorry, a little off-topic here, but I would like to liken a VPN to a lock on a door. A lock on a door (if you really stop to think about it) is designed to keep out good people. If you are a criminal or an LEA, no lock will keep you out. Use a VPN? Yes. But don't do anything too illegal while using a VPN and no court date for you! :gavel:

 

Edit: added the word "too"



Trust no one. Trust nothing. Assume everyone else is a malicious actor = buy a dedicated server and set up your own VPN (the only VPN you can trust 100% if you are sure that you made no mistake in the setup / configuration / encryption). Another way to be a little bit safer is to use TAILS across a VPN.



Yes, don't use HMA or HMA Pro. Steventhirtysix, what VPN do you use? I would like to have the option to choose CyberGhost VPN or OpenVPN.



1 hour ago, Holmes said:

Yes, don't use HMA or HMA Pro. Steventhirtysix, what VPN do you use? I would like to have the option to choose CyberGhost VPN or OpenVPN.

 

@Holmes

 

Sounds like you misunderstood something: OpenVPN is not a VPN provider like CyberGhost

 

Quote

OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol[9] that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).[10]

OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates or username/password. When used in a multiclient-server configuration, it allows the server to release an authentication certificate for every client, using signature and Certificate authority. It uses the OpenSSL encryption library extensively, as well as the SSLv3/TLSv1 protocol, and contains many security and control features.

OpenVPN has been ported and embedded to several systems. For example, DD-WRT has the OpenVPN server function. SoftEther VPN, a multi-protocol VPN server, has an implementation of OpenVPN protocol.

 

source

and is supported by many VPN providers. Sometimes you see it, and sometimes the provider has its own client (I call it GUI) but you find the OpenVPN files in this folder.

 



14 hours ago, Togijak said:

Services based in the United States are not recommended because of the country’s surveillance programs

Most VPNs that snitched on people were not located in the USA at all. Privacy and being anonymous are not the same thing, and it doesn't make a shit where your VPN is from; you can't escape the police if they're after you. VPN Book Romania and HMA UK gave info against hackers in court.

 

Quote

This is not to discourage VPN usage. I personally use one of the providers mentioned below, and I'm very happy with it. The important point is not to have an illusion of being 100% protected by the VPN provider. If you do something bad enough that state actors are after you, the VPN provider aren't going to risk themselves for you. If those coming after you are motivated enough, they'll exert all possible legal (and not so legal) powers they have. Downloading torrents or posting on anarchist forums is probably not motivating enough.

 

Quote

 

There are roughly two usecases where you might want to use a VPN:

  1. You are on a known-hostile network (eg. a public airport WiFi access point, or an ISP that is known to use MITM), and you want to work around that.
  2. You want to hide your IP from a very specific set of non-government-sanctioned adversaries - for example, circumventing a ban in a chatroom or preventing anti-piracy scareletters.

 

 

 

Dutch Police Seize Two Perfect Privacy VPN Servers

https://torrentfreak.com/police-seize-two-perfect-privacy-vpn-servers-160902/

“No logs” EarthVPN user arrested after police finds logs

http://www.wipeyourdata.com/other-data-erasing/no-logs-earthvpn-user-arrested-after-police-finds-logs/

Another example is to stop your ISP from selling your data. But you need to review a VPN's policy because some free ones are known to sell users' data and/or inject ads in exchange for their free service.

 

 

If you use a VPN you can use Tor Browser with it as well; neither is 100%. But using layers is better. Tor will hide you from your VPN provider, and if you were to be exploited you have a VPN to fall back on. If you're really paranoid, use 2 VPNs: set up another one in a VM and use Tor Browser on top of that, or use a VPN and set Tails up in a VM. I know Nord VPN offers Tor over VPN but I don't think it's as good as setting it up yourself. On Linux I run my apps in Firejail while using a VPN; you can do the same thing in Windows using Sandboxie. :)



14 hours ago, Togijak said:

Trust no one. Trust nothing. ...

Great!

 

Do not forget, please, to Include "I" in "no one" and "nothing".  And, then, you (I) are safe from all dangers!  ;)



45 minutes ago, adi said:

Great!

 

Do not forget, please, to Include "I" in "no one" and "nothing".  And, then, you (I) are safe from all dangers!  ;)

 

Should be a counsel for everyone



2 minutes ago, Togijak said:

Should be a counsel for everyone

What is not (applicable) counsel for everyone is no good for anyone.  ;)



btw the last part of @steven36's post is the reason that I try something that I call "the way for paranoid³"

  1. run my VPN
  2. run another VPN inside a VM across the first VPN on my machine
  3. run TorBrowser inside the VM across 2 VPNs

 


 

the result is slow but it works
 

     

     

     



    BioHazard
    29 minutes ago, Togijak said:

    btw the last part of @steven36's post is the reason that I try something that I call "the way for paranoid³"

    1. run my VPN
    2. run another VPN inside a VM across the first VPN on my machine
    3. run TorBrowser inside the VM across 2 VPNs

     


     

    the result is slow but it works
     

     

     

     

    That's overkill :lol:

    I do that sometimes but without the torbrowser lol.



    It still doesn't matter...

    ISPs do have your actual traffic monitoring ability, that can be (is) analyzed in order to spy on your activity, be it via double VPN



    No, I didn't misunderstand. I would just prefer sometimes to use OpenVPN, not CyberGhost VPN. And for your information, a determined attacker, law enforcement or third party like my friend Patrick, if they really want to get your real identity, they're going to get it: exploit the first VPN, figure out a way to break the second VPN and then figure out a way to break the Tor Browser. It's going to take longer, but real attackers, fantastic programmers, hackers:

     

    https://sites.google.com/site/yacoset/Home/signs-that-you-re-a-good-programmer

     

    The first one says, here is an excerpt:

     

    1. Incorruptible patience

    Symptoms

    1. Fire alarms provoke annoyance more than panic
    2. Cannot name any song that just played on the radio or through their headphones
    3. Is oblivious to how many times their cubicle-mate has gone for coffee, the bathroom, or the hospital
    4. Unbothered by office politics
    5. Can predict a bug before the code is ever run

    How to acquire this trait

    Distractions are a product of imagination. The day I wrote this I found myself horribly distracted and annoyed by someone at my gym singing songs in French while I sat in the sauna. The singing moved around outside the sauna and pissed me off. I wished he'd stop because I couldn't concentrate. I pictured a man without concern of others, a douchebag, someone who'd wear a pink shirt and order people around. Then I came out of the sauna and saw it was an old man, chocolate in complexion and as threatening as a worn teddy bear with button eyes. He'd started singing La Vie en rose, which is a song that I not only loved but that made me wonder, just then, if it was me who'd long since turned into an insufferable asshole.
     
    I don't know how to shut out distractions, but if I had to try I'd guess it'd involve a little bit of deference and so much fascination that it directs your imagination instead of being dictated by it. When I want to be like this I want to take life without taking it personally.
     
    That patience is the patience I'm talking about.


    Archived

    This topic is now archived and is closed to further replies.
