____________ __ ________ _________ _____________
|¯¯¯¯¯¯|¯¯¯¯\ /¯¯\ \¯¯¯¯¯¯¯\-( a d i o s )-|¯¯¯|¯¯¯|
| /¯¯\ | __ \\__/ ___s!\ ___ \ | | | ___ | | -+- | |
| \__/ | \_> >¯¯|/¯¯¯\_ \ ¯¯\\_> | ¯ |/¯¯¯\| | _ |__|
| __ | ¯ / | <_> >\_> / ¯ | _ | <_> > | | |¯¯\
|__\/__|____/|___|\___/\_____/---( h o l a ! )-|___|___|\___/|__|__|__|__/
|¯¯¯¯¯¯¯¯¯¯¯ ¯¯¯ ¯¯¯ ¯¯¯¯¯ ¯¯¯¯¯¯¯¯¯
¯¯¯ ¯¯ ¯¯ ¯¯ ¯¯|
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯) shitty linedrawing by slipstream/RoL may 2015! (¯¯
Hola Security Advisory
Title: Multiple Critical Vulnerabilities in Hola Overlay Network Client.
Hola 'Unblocker' / Hola 'Better Internet' / Hola 'VPN' is a commercial service offered on a
'freemium' basis that advertises itself variously as a censorship-evasion and
privacy/anonymity-enhancement tool. The number of users is difficult to quantify objectively,
but estimates range from 8 million users at the low end, to 42 million users as claimed on the
The Hola Unblocker Windows client, Firefox addon, Chrome extension and Android application
contain multiple vulnerabilities which allow a remote or local attacker to gain code execution
and potentially escalate privileges on a user's system. Additional design flaws allow a Hola
user to be tracked across the internet via a persistent ID. Furthermore, as Hola users -
wittingly, or otherwise - act as exit-nodes for the overlay network, each is capable of acting
as a Man-in-the-Middle for other users of the free or premium Hola network, or its commercial
'bandwidth' service, Luminati, and thereby compromising the privacy and anonymity of their
browsing and exposing them to further attacks.
The Hola software creates an API server listening on port 6853 of the loopback interface
(127.0.0.1). The server exposes JSON and other endpoints over HTTP, setting an
"Access-Control-Allow-Origin: *" CORS header, which allows a remote website to read the
responses for requests to these endpoints, and thereby enumerate sensitive information, as
well as affecting the security and integrity of the system.
1. Local File Read
The "/file_read.json" endpoint allows a remote website to read arbitrary files on the local
system via path traversal. The files can be read up to the first null byte.
2. Information Disclosure
* The "/callback.json" endpoint provides uniquely identifying information about the users
local Hola install. An attacker could exploit this issue to persistently track a Hola user
across the Internet. When nodes are acting as exit nodes, they also obtain implicit unique
identifiers for the traffic they relay, compounding the privacy concerns.
* The "/procinfo/ps" endpoint provides internal debugging information of the Hola software.
With certain query arguments, the information provided contains pointers to functions that can
be used to defeat ASLR (Address space layout randomization). This would make it easier for an
attacker to exploit memory corruption, such as a buffer overflow and other vulnerabilities,
potentially allowing the attacker to achieve remote code execution in the context of the
service in conjunction with other bugs.
As it happens, remote code execution is achieved without the use of the infoleak.
3. Remote Code Execution
* The "/vlc_mv.json" endpoint allows files on the local system to be moved. The
"/vlc_start.json" endpoint allows for the bundled VLC executable to be run with full
controlled arguments. Together these vulnerabilities can be utilized to gain arbitrary
remote code execution. Details will be fully disclosed at the discretion of the researchers
when some time has elapsed for users to remove the software.
* If an attacker can perform a Man-in-the-Middle attack against a target running the Hola
client on Windows - either as a network adversary, ISP, intelligence agency or another Hola
client acting as an exit node -- they can create a connection seeming to originate from the
hola.org or client.hola.org hosts to the local websocket port.
This web socket connection can be used to download a remote file and execute it with either
the privileges of the logged in user, or as SYSTEM, depending on what version of the client is
installed (browser extension or Windows client). The Android app is also affected by this
vulnerability, which can be used to remotely execute arbitrary code as the Hola app user. An
XSS vulnerability on the hola.org or client.hola.org domains could also allow an attacker to
exploit this issue to remotely execute arbitrary code.
4. Privilege Escalation
The Hola software creates a websocket server listening on port 6863 of the loopback interface.
The software checks the Origin header against some whitelisted values, but this can be spoofed
if RCE has been achieved. The Windows client runs its service (hola_svc.exe) as SYSTEM. The
websocket server allows access to commands implemented within the service such as "wget",
which downloads a file from a remote server, and "exec" which executes a file with the same
privileges as the service. Therefore, the websocket can be abused to escalate privileges if
the Windows client is installed.
# Affected Versions
Hola Engine for Windows and the Hola Firefox addon on Windows are vulnerable to the first
described remote code execution vulnerability. Hola Engine for Windows is also vulnerable to
the privilege escalation issue. These versions along with the "Chrome app on Windows" .crx
extension (hola_chrome_ext_dll_1.7.333.crx) distributed on the Hola website and the Hola
Android app are vulnerable to the second described remote code execution issue, the
information disclosure and local file read issues.
No solution yet exists. Uninstallation of the Hola service, Firefox addon and Android
application will prevent exploitation of these issues. To fully uninstall the Firefox addon,
%localappdata%\Hola must also be deleted. The researchers cannot sanction any mitigations
except to remove this software definitively from any affected devices. To fully uninstall Hola
Engine for Windows, in some cases, deletion of C:\Program Files\Hola is also needed.