[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Persistent XSS vulnerability in TorStatus

To: <tor-talk@xxxxxxxxxxxxxxxxxxxx>
Subject: Re: [tor-talk] Persistent XSS vulnerability in TorStatus
From: TheGravitator <thegravitator@xxxxxxxxxxxxxx>
Date: Mon, 25 Apr 2011 10:48:00 +0100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 25 Apr 2011 05:48:22 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:message-id:from:to:references:subject:date :mime-version:content-type:content-transfer-encoding:x-priority :x-msmail-priority:x-mailer:disposition-notification-to:x-mimeole; bh=GMeVBltCIvtY9XBGVz2Ixz1gX0Ratgw8ZV+h0DNk/u4=; b=C5aN73MloOT3bJKiON0uEIVcvG2sYL2g+oPuJa6OurV4lxlxeVIVC4lq+z1dhfl787 YJ+xzM2qBd8c0lSu0zD9zaMTZhJ13Aq53VnbWaW6whbn/4MQvpXjQVcOIRwZCGWlTgxy CDbZtF1DWVykEP35Li1Fd7k9cHZkVBvOfWC+4=
Domainkey-signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=message-id:from:to:references:subject:date:mime-version :content-type:content-transfer-encoding:x-priority:x-msmail-priority :x-mailer:disposition-notification-to:x-mimeole; b=NrMcbXL0Grb8H1/hbYXxiHkFI6SX9DLMB5UwVWgkk9XMxcVIoAjrPTrVoywsYBBDH3 TZh4CS1eti/KFOrMimWrL9uDiom0Q6uAa8G4AjXWsGM6ZyHgwwrhO21xTcKYrPnxVKHA 8NmKZU5eZH02M1t7cNNAi3nHwH2cZvirtpj6M=
List-archive: <http://lists.torproject.org/pipermail/tor-talk>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for all discussion about theory, design, and development of Onion Routing." <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <4DB305BF.6040906@xxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx

Hi TagNaq,

Thanks for this.. you might be interested to know that co-incidentally I
had a nasty experience with one of these sites (don't know which now)
running this code some 4-6 months ago. I had to switch jscript on to
view the site and when I reloaded the page my pc slowed to a halt and
then after a minute of 2 re-booted all on it lonesome, taking a while to
come up after re-booting. At the time it was just annoying, as I had to
go back to there again and the same thing happened. On the 3rd time I
went to another Tor status site and the problem did not repeat.

I didn't think anything of it until about 3 weeks ago, when I got a new
AV, after noticing some files (looked encrypted) on my pc which I had no
idea how they got there and they were in a non system/software area of
the drive.

The new AV did a low level (at on drive code level) hard disk, on boot,
inspection and found a hidden (from the OS) partition and deleted it..

That was the beginning of nearly a week of problems, sudden slow downs
for no reason, blue screens, and various AV's then finding pieces of
some sort of key-logging trojans & traces of numerous viruses they had
previously failed to find.. Finally, the cut,  paste, drag and drop
stopped working. nothing would fix it. According to the reports, this
was being caused by a remote control like trojan (possibly now just a
remnant) watching everything going through WinExplorer (looking over its
shoulder so to speak). I got software to remove this and then more to
fix the settings it had left and that led to yet another trojan being
found and removed. It now works OK.

Do you reckon a jscript (code injection) vulnerability over Tor, like
the one you uncovered, could lead to stack based attacks (the system
slow and re-boot) on WinNT/Win2k/WinXP systems, to insert such a remote
control trojan as I have just removed?


Cheers,

Paul

----- Original Message ----- 
From: "tagnaq" <tagnaq@xxxxxxxxx>
To: "Tor-Talk" <tor-talk@xxxxxxxxxxxxxxxxxxxx>
Cc: <tor-relays@xxxxxxxxxxxxxxxxxxxx>
Sent: Saturday, April 23, 2011 6:00 PM
Subject: [tor-talk] Persistent XSS vulnerability in TorStatus


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> "TorStatus is a website display used to summarize metrics about the
Tor
> Network. It's a precursor to  http://metrics.torproject.org. The code
> repository is at
> https://svn.torproject.org/svn/torstatus/. Example running sites are
> http://torstatus.blutmagie.de/ [...]"
>
> Note: TorStatus is not a Tor Project product and is not maintained.
>
>
> Vulnerability
> - -------------
> DisplayRouterRow() in index.php prints the contact information string
> from a server descriptor - defined via 'ContactInfo' in torrc by a
node
> operator - into the HTML page without proper output encoding. This
leads
> to a persistent cross-site scripting vulnerability where every Tor
node
>  operator can insert HTML/JavaScript on all vulnerable TorStatus
mirrors.
>
> The contact information column is only included in the HTML page if
the
> end-user (browsing a TorStatus mirror) adds the contact column
> via "Advanced Display Options" (column_set.php), the contact column is
> not included by default. An attacker might set the displayed columns
for
> a victim via CSRF.
>
> A simple search in the server descriptors of the last two months did
not
> reveal an obvious exploitation in that time period. The simple search
> used is not suitable to give a clear answer.
> [grep -hir ^contact * |egrep -i '(script|src)']
>
> Affected Versions
> - -----------------
> 4.0
> 3.6.1
> 3.6
> 3.5
> 3.4.2
> 3.4.1
> and probably others
>
>
> Solution
> - --------
> The attached patch was committed to the svn (revision r24666).
> https://svn.torproject.org/svn/torstatus/
>
>
>
>
> Thanks to Robert, Andrew, Olaf, Damian and Sebastian.
> -----BEGIN PGP SIGNATURE-----
>
> iF4EAREKAAYFAk2zBb4ACgkQyM26BSNOM7YE8gD9HzwAZ1rfUDM+GLxjFfo0o1R7
> A5l2MPddbmPlr+d23oYA/1m8VI3bbG9RXvao453j2Yyqix/iJ01rJbLP63PtWShw
> =Ay2T
> -----END PGP SIGNATURE-----
>


------------------------------------------------------------------------
--------


> _______________________________________________
> tor-talk mailing list
> tor-talk@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Persistent XSS vulnerability in TorStatus
  - From: tagnaq

References:
- [tor-talk] Persistent XSS vulnerability in TorStatus
  - From: tagnaq

Prev by Author: Re: [tor-talk] To Toggle, or not to Toggle: The End of Torbutton
Next by Author: Re: [tor-talk] Persistent XSS vulnerability in TorStatus
Previous by thread: [tor-talk] Persistent XSS vulnerability in TorStatus
Next by thread: Re: [tor-talk] Persistent XSS vulnerability in TorStatus
Index(es):
- Author
- Thread