[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Fwd: [rt.torproject.org #14731] Off by one buffer overflow in tor stable

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] Fwd: [rt.torproject.org #14731] Off by one buffer overflow in tor stable
From: Pedro Ribeiro <pedrib@xxxxxxxxx>
Date: Tue, 8 Oct 2013 22:27:07 +0100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 08 Oct 2013 17:27:32 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=7TKZwa8sCCHBzr1AVAqGPDOidpRSQgrdV62Qt5QFYho=; b=qSx3SQsZG84hJy9ReLS0QwYaZwpqEqCd0OgEaVTXQYJSpeFlDsMTWFkWjD8WQ+KC2k 0HqMZEsDlQbLTMIDTOOMypus5IUotFbsw635G/FwItEoGg2D/GwSZ7s8k+D9XJ890UNS PzFBAVEbez31UvPk3YgPYxIbrCyUErrHnSbYlcWLs2mF53qeSo9q5NcWHKw4OxKOV96U rfusErhBxnX2XM6FPY0zfxAxsdgWhVZBbUkKEsTiRPopesKZwUZ/4uEDfODphehT5UoC qmNSsox1ZxABfGPtNelgMeBSg052Jf7lVkLrR5ltDnHBW4N2gFmfOwFjvoMZqjHFXFjo wJvg==
In-reply-to: <CAKDKvuxSOfX9WgoFbc-_mT3NGEwHhqFLMJrL2tFrbuTPY-FXgw@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <RT-Ticket-14731@xxxxxxxxxxxxxx> <CAEDdjHd8HvzMDQ2Q+_p-G5pkmpbcPJ2W2F=Sfb1rrYDVSrf2eQ@xxxxxxxxxxxxxx> <rt-4.0.7-6363-1381152313-776.14731-6-0@xxxxxxxxxxxxxx> <CAEDdjHe4QZtuUMPUMeUp=GrRX_+DynWHUiNKCsX5ikgFrGhUpA@xxxxxxxxxxxxxx> <CAKDKvuxSOfX9WgoFbc-_mT3NGEwHhqFLMJrL2tFrbuTPY-FXgw@xxxxxxxxxxxxxx>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

On Oct 8, 2013 4:41 PM, "Nick Mathewson" <nickm@xxxxxxxxxxxx> wrote:
>
> On Mon, Oct 7, 2013 at 5:55 PM, Pedro Ribeiro <pedrib@xxxxxxxxx> wrote:
> > ---------- Forwarded message ----------
> > From: Colin Childs via RT <help@xxxxxxxxxxxxxxxxx>
> > Date: 7 October 2013 14:25
> > Subject: [rt.torproject.org #14731] Off by one buffer overflow in tor stable
> > To: pedrib@xxxxxxxxx
> >
> >
> > On Mon Oct 07 12:13:21 2013, pedrib@xxxxxxxxx wrote:
> >> Hi,
> >>
> >> I think there is a small buffer overflow (off by one) in the current stable
> >> version of tor.
> >> The function in question is format_helper_exit_status, which returns a
> >> formatted hex string. It is in common/util.c, starting at line 3270.
> >> The function has a comment header that explains how it works. It
> >> specifically says it returns a string that is not null terminated, but
> >> instead terminates with a newline.
> >>
> >> The code checks periodically throughout the function whether it has written
> >> more bytes than it should. If it does, it errors out and writes a null
> >> character in the current character positions. This by itself can lead to a
> >> buffer overflow, but I believe the checks ensure that it almost never
> >> writes over the buffer size - except in one case.
> >>
> >> After it has finished everything, it then checks again if there are more
> >> than 0 bytes left in the buffer. If there are, it writes two characters - a
> >> newline and a null terminator (lines 3342 to 3347).
> >>
> >> The problem here is if the buffer only has one byte left, an off by one
> >> overflow occurs. These usually are very hard to exploit, but can be a
> >> security issue nonetheless.
> >>
> >> However given that I am not familiar with the tor codebase I might be
> >> wrong? I also did a quick security audit on the rest of the tor code and
> >> couldn't find anything else. I was inspire because of the recent events...
> >>
>
> Thanks, Pedro! Thanks for looking at Tor!
>
> I agree that this probably isn't exploitable, but let's not take any
> chances. (I'm thinking "Not exploitable" not because off-by-one
> buffer overflows are safe, but because in order to get the overflow to
> happen at all, you would need to have errno be a high-magnitude
> negative number, which is not usually something that happens on unixy
> platforms. Moreover, you'd need to arrange for this to happen as a
> result of launching a pluggable transport proxy, which is not usually
> something under the attacker's control.)
>
> Nonetheless , this should get fixed. I've opened
> https://trac.torproject.org/projects/tor/ticket/9928 to track it, and
> written a possible fix.
>
> best wishes,
> --
> Nick
> _______________________________________________
> tor-dev mailing list
> tor-dev@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

No problem Nick.

If you issue an advisory, credit to Pedro Ribeiro (pedrib@xxxxxxxxx) is appreciated.

Regards
Pedro

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

References:
- [tor-dev] Fwd: [rt.torproject.org #14731] Off by one buffer overflow in tor stable
  - From: Pedro Ribeiro
- Re: [tor-dev] Fwd: [rt.torproject.org #14731] Off by one buffer overflow in tor stable
  - From: Nick Mathewson

Prev by Author: [tor-dev] Fwd: [rt.torproject.org #14731] Off by one buffer overflow in tor stable
Next by Author: [tor-dev] Design for an exit relay scanner: feedback appreciated
Previous by thread: Re: [tor-dev] Fwd: [rt.torproject.org #14731] Off by one buffer overflow in tor stable
Next by thread: [tor-dev] Attentive Otter: Analysis of Instantbird/Thunderbird
Index(es):
- Author
- Thread