[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #17674 [Tor]: circuit_handle_first_hop doesn't respect ExtendAllowPrivateAddresses
#17674: circuit_handle_first_hop doesn't respect ExtendAllowPrivateAddresses
-------------------------------------------------+-------------------------
Reporter: teor | Owner:
Type: defect | Status:
Priority: Very High | needs_information
Component: Tor | Milestone: Tor:
Severity: Major | 0.2.8.x-final
Keywords: dos tor-hs 027-backport | Version:
026-backport security | Resolution:
Parent ID: #17178 | Actual Points:
Sponsor: | Points:
-------------------------------------------------+-------------------------
Comment (by teor):
Replying to [comment:6 dgoulet]:
> Replying to [comment:4 teor]:
> > Please see my branch first-hop-no-private at
https://github.com/teor2345/tor.git
> >
> > It modifies circuit_handle_first_hop to refuse any connections to a
private address with a protocol error, unless ExtendAllowPrivateAddresses
is set.
> >
> > This should catch this issue with relay extends, and hidden service /
RSOS rendezvous from badly behaved clients.
>
> I've played around with this. I've modified a tor client to change the
RP extend info to be a IP/PORT I control (nc -l PORT basically). The
result, and somehow expected is that the remote HS second middle when
trying to extend to the RP does a TLS connection to my IP/PORT.
This is the behaviour the patch is intended to prevent - we don't want
clients being able to convince HSs to make a TLS connection to anywhere on
the Internet via their rendezvous second middle relay.
> I've modified an HS I own to always pick the second middle to be a relay
that I controlled (thus could look at the log). I then changed the RP info
to 127.0.0.1. I see that my pinned relay is logging me:
>
> {{{
> Dec 07 17:31:56.000 [warn] Client asked me to extend to a private
address
> }}}
>
> Which is denied by `circuit_extend`. So maybe the use case I've tested
is wrong but it doesn't seem we go through "handle_first_hop" when
extending to the RP (for hidden service). I would be curious why RSOS
doesn't also use `circuit_extend` then?
The current behaviour of HSs is to make a TLS connection from the second
middle, then refuse to send the extend cell in "circuit_extend".
The first hop uses "handle_first_hop". Subsequent hops use
"circuit_extend".
Since a RSOS only makes one-hop rendezvous circuits, we need to stop this
in "handle_first_hop" as well.
>
> (All this testing required me to change the HS, client and middle relay
so I might have gone wrong).
>
It looks like you're on the right track.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17674#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs