Hacking Dubai and More Internet Proxy Loopholes

by forgotten247

I recently had the opportunity to go to Dubai for a work function.  I was put up at the Jumeirah resort, a nice little spot on the gulf with some great views, restaurants, and clubs.  As any reader of 2600 would do, the first thing I did when I got to the room was see how I could get online.

On the desk was a card outlining the process to do so.  I could plug in an Ethernet cable, go through a few screens, and once registered I'd be able to use wired or wireless access throughout the resort.  Just what I needed, beach-side Wi-Fi to enjoy the net and the Gulf at the same time.

No worries, I thought, and I started the process by disabling the AirPort on my MacBook Pro, plugging in the Ethernet cable, and firing up Safari.  I was prompted with a "Jumeirah Hotel Internet Access" landing page, and then clicked on the "Internet Access" link.  From there I chose "In-House Guest" and accepted the terms and conditions which were pretty standard.

Then something hit me about the page to register my system.  You'd think a hotel that charges $1,000+ U.S. dollars a night (yes, it was that expensive) would throw in Internet access, but no, they didn't.  The screen that came up would allow users to register for one hour of Internet access for $30 AED (about $8 U.S.) or $150 AED ($40 U.S.) for 24-hours.

After paying, the system would provide a username and password that could then be entered into a form on the web system to gain access.  This was a bit of a surprise seeing as the card on the desk made no mention of the added cost, but I was game to see if there were any unique ways to gain access.

To get started I disconnected the Ethernet cable, switched to AirPort, and went to the landing page to enter a random username and password.  I had no luck there.  O.K., try number two: would entering a name with a blank or random password work?  Nope.

I had no intention of paying $40/day for Internet access for the next week, even at my company's expense, so I pulled out my iPhone to see if I could get cell-network web access.  Having a U.S.-based iPhone locked to AT&T meant no luck in that arena.  I also had a BlackBerry and it worked fine on the local provider network; however, I didn't want to browse using BlackBerry's watered-down web interface.

Things were starting to look grim, but I was not willing to give in.  I joined the iPhone to the hotel Wi-Fi setup and went through the registration pages, hoping for some luck.  I noticed differences on the page when viewed through iPhone, from what I had seen on the laptop.  Mainly, quite a few sections of text that had been present on the laptop didn't show up on the iPhone.  Instead there was an icon that indicated there was content that the mobile Safari browser could not load.

This looked promising.  I finished going through the registration pages and then I got it.  On the page where the laptop's browser was prompting me to select the amount of time I wanted to pay for, I received a message saying that the registration process was completed, and I was in.  I quickly typed in a few URLs and indeed I was online.

It seemed the registration and access-granting pages were dependent on web components that were not compatible with mobile Safari.  Using that knowledge as a jumping-off point, I was able to find that the web application used to provide Internet access used Java components.  For whatever reason the developers had decided that instead of failing closed, they failed open, meaning that if there was an error with the application, access would be granted anyway.  When the Java components didn't run, the system defaulted to letting people through and granting access.  Dummies!

Now I do think the iPhone is a great little device, but I didn't want to do all my surfing on my phone, so with a little help from the tinyproxy native application I had installed on it (you had to assume it was jail broken, didn't you?), I pointed my laptop to use the iPhone as a proxy and off I went, free Wi-Fi access across the iPhone to the laptop.

Before I left I circled back to validate the security hole that allowed this, and found that disabling Java in a browser on the laptop resulted in the same full access without needing to go through the registration process.  I also noticed that in the areas of the hotel with business meeting rooms the Wi-Fi networks were completely unrestricted, which I have found is the case at most business/convention centers and is worth noting, although it's not much good for getting online from the privacy of your room or the allure of the beaches.

The moral of this segment of the story is two-fold: First, if you run into any Wi-Fi apps requiring registration, make sure to test them out with things like Java or ActiveX disabled, because you may be pleasantly surprised; Second, a word to developers: you really need to think beyond end-users accessing the network on traditional setups, and should always fail closed when in doubt.
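To make the fail-open/fail-closed point concrete, here is an added example (constructed for this article, not the hotel's code) that models the flaw: the flawed decision trusts a status posted by a client-side widget and treats a widget that never ran as a pass, while the hardened version consults only a server-side payment record and denies on any error.  The MAC addresses, ledger and `widget_status` values are all made up.

```python
"""Fail-open vs. fail-closed access decisions for a captive portal (constructed example)."""
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class PortalRequest:
    client_mac: str
    # Value the client-side (Java) widget posts when it runs; None when it
    # never loaded at all (mobile Safari, Java disabled in the browser).
    widget_status: Optional[str]


@dataclass
class PaymentLedger:
    """Server-side record of paid access: client MAC -> expiry timestamp."""
    paid_until: Dict[str, float] = field(default_factory=dict)

    def verify(self, mac: str, now: float) -> bool:
        # Raises KeyError for a client that never paid; the caller must
        # treat that, and any other error, as a denial.
        return self.paid_until[mac] > now


def fail_open_grant(req: PortalRequest) -> bool:
    """Flawed logic: denies only on an explicit 'declined' from the client.
    A widget that never ran (status None) falls through to the grant branch."""
    if req.widget_status == "declined":
        return False
    return True


def fail_closed_grant(req: PortalRequest, ledger: PaymentLedger,
                      now: Optional[float] = None) -> bool:
    """Hardened logic: the client's self-report is ignored entirely; only a
    server-verified, unexpired payment grants access, and any exception in
    the decision path results in a denial."""
    now = time.time() if now is None else now
    try:
        return ledger.verify(req.client_mac, now)
    except Exception:
        return False


if __name__ == "__main__":
    # Constructed sample: one paying guest, one guest whose widget never ran.
    ledger = PaymentLedger({"aa:bb:cc:dd:ee:01": 2000.0})
    guest = PortalRequest("aa:bb:cc:dd:ee:02", widget_status=None)
    print("fail-open grants unpaid guest:", fail_open_grant(guest))        # True
    print("fail-closed grants unpaid guest:", fail_closed_grant(guest, ledger, now=1000.0))  # False
```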

Now, the digital adventures in Dubai didn't stop there.  After browsing a few sites I ran into a nasty little page telling me "SITE BLOCKED," in big bold red letters, with sub-text, "We apologize the site you are attempting to visit has been blocked due to its content being inconsistent with the religious, cultural, political and moral values of the United Arab Emirates."  Just for good measure it was written in English and Arabic.

Now, I can say for sure that there are plenty of sites I go to on a regular basis that are inconsistent with the moral values of the UAE, so, let's get around this thing shall we?

This one was not too difficult, as I have run into similar blocks in China and other heavily regulated areas.  The way these typically work is using web proxy servers or appliances with filtering technology which classify sites by type.  Access is then allowed or denied based on type.  SmartFilter, as covered in the Spring 2008 issue, is one of these technologies.  The article did a good job of describing a solution to get around SmartFilter, but it was a bit over-complicated for my liking.

First, it relied on people having an Internet-facing host that you could get shell access on.  You also needed the ability to fire up an ssh listener on that server, and to set up a SOCKS proxy on your client system.

While this certainly is a viable technical solution, and an educational article, the assumption that people have access to an Internet-facing server they can set a service up on is a bit beyond reality, even for 2600 readers.  If you are in a corporate environment there is a good chance that the PC policies won't let you install PuTTY or run unapproved services on the client.  Places with Internet proxy filters typically also have some level of infrastructure monitoring going on, as well as security policies enforced through Active Directory and/or PAC files that won't allow installation of software or changing your web browser settings.

I have a different approach to getting around Internet filtering proxies that puts fewer requirements on the users, both on the server and client side.  Rather than just give the solution, let's take a walk-through of how we get there.  To start with, SmartFilter and other filters are based on the URL or IP of the site you are going to.  They do not filter on content, at least none that I have run into yet.  This is very important.  The default reaction to this knowledge should be that if you can't get to a site because the host is blocked, go to a site on a host that isn't blocked that you can get the content through.

Let's try that out.  Hop on over to Google, I haven't found them blocked yet, and type in a search that would result in the URL you want to view.  On the search results screen instead of clicking on the title of the page, click on the "Cached" link.  Sweet, I'm in, are you?  Probably.  The cached content is served from Google's servers which are not blocked, since the hostname in the URL is for Google, not the host which the proxy doesn't like.  This is a quick and dirty way to get to a single page that is blocked, but Google's cache isn't always complete, following links from it isn't always easy, and the pages don't always render correctly.

Let's keep going down with the intention of getting access to all the content, not just the cached image of the blocked host.  Most of you should be well aware of anonymizer sites that you can go to, enter a URL, and proxy the content through their servers.  The intention of these sites is to improve your security so the web servers don't know who is making the request, however they can also be used for you to get content from a site, without entering that site's URL.  That sounds exactly like what we need, but unfortunately most of these are well known by proxy filters, so going to one of those is not going to cut it.  Are we stuck?  Nope, we just need an anonymizer site that the proxies don't know about, and the best way to get one is to host your own.

Now, writing a web app to do this is very simple, but it is even easier just to implement one that already exists.  I mean why spend time doing something that's already been done.  Much like the prior article on getting around SmartFilter, you do still need some Internet-facing server space for this, but it can come in the form of a simple, low-cost web hosting provider.  No shell access or ability to run services needed.  Just a provider supporting PHP or ASP.NET, which almost any decent provider will support.

The first thing needed is to set up the Internet-facing server side.  Jump out online and do a search for "web proxy <web language>" where the web language is PHP or ASP.NET, depending on the host you are using.

PHProxy (sourceforge.net/projects/poxy) is one that comes to mind for PHP, and is near the top of the search results right now, although that one is a little dated.  It will work fine, as will almost any others you come across.  So, take whichever proxy solution interests you, drop it on your hosted web provider space, which hopefully has a nice inconspicuous hostname, and point your web browser to it.

Government-enforced proxies, such as Dubai's, as well as business/corporate proxies, should let you slide right by.  From there you should just need to type in the URL you want to pull up, click a button, and sit back as the page you wanted is displayed in its full form.  Hopefully the web proxy you grabbed dynamically updates any <a href> links so as you navigate around, all future clicks go through your proxy.  If it didn't, grab a different one.  Most support doing this.

The beautiful part of this approach is that as long as the hostname you are running your proxy from doesn't raise any suspicion, there would be no reason to have to change your browser settings on the client.  This is great if you are in a work environment where those settings are locked down.

One word of caution for business users though, SmartFilter and other web proxy solutions typically are used to provide reports on the most visited websites, and the most active Internet users.  You should try to fly under that radar by only using your proxy when absolutely necessary, and keep browsing from work at a minimum.  The name of your host is important as well.  If it does pop up on one of those reports the more official it looks the better.  Don't register iusethistobypassmyworksecurity.com or myporngateway.com or you may not be in that job long enough to use it!
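Since the article's whole approach rests on filters classifying by destination host rather than by content, here is an added example (constructed, not SmartFilter or any vendor's code) of what such a filter does and of the check a monitoring team can add to notice it: a permitted host being handed a blocked URL as a query parameter, which is exactly how a hosted web proxy or a cached-page link carries its target.  The `BLOCKED_HOSTS` table and the `blocked.example` / `proxy.example.org` hostnames are made up.

```python
"""Host-based URL filtering plus a check for targets nested in query strings (constructed example)."""
from typing import Dict, Iterator, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed category table; a real deployment pulls this from a vendor feed.
BLOCKED_HOSTS: Dict[str, str] = {"blocked.example": "restricted-content"}


def classify_host(url: str) -> str:
    """Return the filter category for the URL's host, or 'allowed'.

    This is the decision the article describes: only the hostname (or IP)
    in the request is consulted, never the content that comes back."""
    host = (urlsplit(url).hostname or "").lower()
    for blocked, category in BLOCKED_HOSTS.items():
        # Match the listed host and any subdomain of it.
        if host == blocked or host.endswith("." + blocked):
            return category
    return "allowed"


def embedded_targets(url: str) -> Iterator[str]:
    """Yield absolute URLs carried inside the query string (e.g. ?q=http://...).

    parse_qsl already percent-decodes the values, so an encoded target such as
    q=http%3A%2F%2Fhost%2Fpath comes out as a plain URL."""
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if value.lower().startswith(("http://", "https://")):
            yield value


def inspect(url: str) -> dict:
    """Combine the filter verdict with a list of nested targets that would
    have been blocked had they been requested directly; a non-empty 'nested'
    list is the signal worth surfacing in the proxy's usage reports."""
    nested: List[Tuple[str, str]] = []
    for target in embedded_targets(url):
        category = classify_host(target)
        if category != "allowed":
            nested.append((target, category))
    return {"url": url, "category": classify_host(url), "nested": nested}


if __name__ == "__main__":
    # Constructed request: an unlisted host proxying a listed one.
    print(inspect("https://proxy.example.org/index.php?q=http%3A%2F%2Fblocked.example%2Fnews"))
```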

So, that concludes this chapter of my Dubai adventures and another method of getting around Internet proxy filters.  I enjoyed that week of sun, free net access, and freedom to digitally go wherever needed.  All thanks to a poorly written Wi-Fi registration app, an iPhone, and a personal web proxy gateway.

I do have to add that spending too much time in front of your system in Dubai would be quite a waste.  Anyone who can get there should plan on not sleeping too much - hitting the beaches all day and partying at the clubs all night is the only way to go, even when your online exploits or World of Warcraft buddies are calling.

Just save up, Dubai isn't cheap!
