Attacking the Tor Control Port with Java

On 3 October 2007, Sun announced several critical security updates for
the Java Runtime Environment at [1].  In particular, [2] describes how
network access restrictions can be circumvented to connect to
arbitrary hosts by utilizing DNS rebinding.  The paper at [3]
summarizes some of the current research into the issues of DNS

Java exposes a programmatic sockets interface, and a malicious applet
can construct properly formed control port commands.  If the control
port is enabled with NULL authentication and accessible to the web
browser, the malicious applet can authenticate and send arbitrary

To summarize, Tor users with the following conditions may be at risk:
  - vulnerable version of Java enabled in web browser
  - control port enabled with NULL authentication and accessible

Use of proxy switching browser add-ons (e.g., Torbutton, FoxyProxy)
may increase this risk if the Java Virtual Machine can perform
arbitrary DNS resolution through the native operating system resolver.

Possible workarounds:
  - disable Tor control port
  - if control port is required, use 'HashedControlPassword' option
  - disable Java in the web browser and/or uninstall from OS
  - if Java is required, consider a virtual machine solution such as
    JanusVM [4] or a firewalled environment that only allows DNS
    requests through the web browser

The latest Java downloads are available at [5] or from your operating
system vendor (or not, depending on how differently you think).

Additional details and demonstration code at [6].

[1] - http://blogs.sun.com/security/
[2] - http://sunsolve.sun.com/search/document.do?assetkey=1-26-103078-1
[3] - http://crypto.stanford.edu/dns/
[4] - http://janusvm.peertech.org/
[5] - http://java.com/ or http://java.sun.com/javase/downloads/
[6] - http://pseudo-flaw.net/tor/attacking-tor-control-port-with-java/

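
The at-risk condition summarized in the message (control port enabled with NULL authentication) can be checked from a torrc file. The Python audit below is an added example, not part of the original message or of Tor itself. It assumes a single torrc with no command-line overrides, and it treats CookieAuthentication (a Tor option the message does not mention) as an alternative to HashedControlPassword. The function names and sample configurations are constructed for illustration.

```python
# Added example: classify a torrc by its control port exposure.
# Sample configurations below are constructed for illustration.

def parse_torrc(text):
    """Return {lowercased option: [values in file order]}."""
    options = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split(None, 1)           # option name, then its value
        value = parts[1].strip() if len(parts) > 1 else ""
        options.setdefault(parts[0].lower(), []).append(value)
    return options

def audit_control_port(text):
    """Return 'disabled', 'authenticated' or 'null-auth'."""
    opts = parse_torrc(text)
    # Conservative: any non-zero ControlPort line counts as enabled.
    if not any(v not in ("", "0") for v in opts.get("controlport", [])):
        return "disabled"
    hashed = any(opts.get("hashedcontrolpassword", []))
    # Assumption: for CookieAuthentication the last line wins.
    cookie = opts.get("cookieauthentication", ["0"])[-1] == "1"
    return "authenticated" if hashed or cookie else "null-auth"

SAMPLE_NULL_AUTH = """
SocksPort 9050
ControlPort 9051   # no authentication option set
"""
SAMPLE_HASHED = """
ControlPort 9051
HashedControlPassword 16:PLACEHOLDER_NOT_A_REAL_HASH
"""
SAMPLE_DISABLED = """
SocksPort 9050
#ControlPort 9051
"""

if __name__ == "__main__":
    for name, cfg in [("null-auth sample", SAMPLE_NULL_AUTH),
                      ("hashed sample", SAMPLE_HASHED),
                      ("disabled sample", SAMPLE_DISABLED)]:
        print(name, "->", audit_control_port(cfg))
```

A 'null-auth' result covers only the first half of the condition; whether the port is also accessible to the web browser depends on the listening address and local firewalling, which this check does not inspect.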