[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Persistent XSS vulnerability in TorStatus



Hi TagNaq,

Thanks for this.. you might be interested to know that co-incidentally I
had a nasty experience with one of these sites (don't know which now)
running this code some 4-6 months ago. I had to switch jscript on to
view the site and when I reloaded the page my pc slowed to a halt and
then after a minute of 2 re-booted all on it lonesome, taking a while to
come up after re-booting. At the time it was just annoying, as I had to
go back to there again and the same thing happened. On the 3rd time I
went to another Tor status site and the problem did not repeat.

I didn't think anything of it until about 3 weeks ago, when I got a new
AV, after noticing some files (looked encrypted) on my pc which I had no
idea how they got there and they were in a non system/software area of
the drive.

The new AV did a low level (at on drive code level) hard disk, on boot,
inspection and found a hidden (from the OS) partition and deleted it..

That was the beginning of nearly a week of problems, sudden slow downs
for no reason, blue screens, and various AV's then finding pieces of
some sort of key-logging trojans & traces of numerous viruses they had
previously failed to find.. Finally, the cut,  paste, drag and drop
stopped working. nothing would fix it. According to the reports, this
was being caused by a remote control like trojan (possibly now just a
remnant) watching everything going through WinExplorer (looking over its
shoulder so to speak). I got software to remove this and then more to
fix the settings it had left and that led to yet another trojan being
found and removed. It now works OK.

Do you reckon a jscript (code injection) vulnerability over Tor, like
the one you uncovered, could lead to stack based attacks (the system
slow and re-boot) on WinNT/Win2k/WinXP systems, to insert such a remote
control trojan as I have just removed?


Cheers,

Paul

----- Original Message ----- 
From: "tagnaq" <tagnaq@xxxxxxxxx>
To: "Tor-Talk" <tor-talk@xxxxxxxxxxxxxxxxxxxx>
Cc: <tor-relays@xxxxxxxxxxxxxxxxxxxx>
Sent: Saturday, April 23, 2011 6:00 PM
Subject: [tor-talk] Persistent XSS vulnerability in TorStatus


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> "TorStatus is a website display used to summarize metrics about the
Tor
> Network. It's a precursor to  http://metrics.torproject.org. The code
> repository is at
> https://svn.torproject.org/svn/torstatus/. Example running sites are
> http://torstatus.blutmagie.de/ [...]"
>
> Note: TorStatus is not a Tor Project product and is not maintained.
>
>
> Vulnerability
> - -------------
> DisplayRouterRow() in index.php prints the contact information string
> from a server descriptor - defined via 'ContactInfo' in torrc by a
node
> operator - into the HTML page without proper output encoding. This
leads
> to a persistent cross-site scripting vulnerability where every Tor
node
>  operator can insert HTML/JavaScript on all vulnerable TorStatus
mirrors.
>
> The contact information column is only included in the HTML page if
the
> end-user (browsing a TorStatus mirror) adds the contact column
> via "Advanced Display Options" (column_set.php), the contact column is
> not included by default. An attacker might set the displayed columns
for
> a victim via CSRF.
>
> A simple search in the server descriptors of the last two months did
not
> reveal an obvious exploitation in that time period. The simple search
> used is not suitable to give a clear answer.
> [grep -hir ^contact * |egrep -i '(script|src)']
>
> Affected Versions
> - -----------------
> 4.0
> 3.6.1
> 3.6
> 3.5
> 3.4.2
> 3.4.1
> and probably others
>
>
> Solution
> - --------
> The attached patch was committed to the svn (revision r24666).
> https://svn.torproject.org/svn/torstatus/
>
>
>
>
> Thanks to Robert, Andrew, Olaf, Damian and Sebastian.
> -----BEGIN PGP SIGNATURE-----
>
> iF4EAREKAAYFAk2zBb4ACgkQyM26BSNOM7YE8gD9HzwAZ1rfUDM+GLxjFfo0o1R7
> A5l2MPddbmPlr+d23oYA/1m8VI3bbG9RXvao453j2Yyqix/iJ01rJbLP63PtWShw
> =Ay2T
> -----END PGP SIGNATURE-----
>


------------------------------------------------------------------------
--------


> _______________________________________________
> tor-talk mailing list
> tor-talk@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk