Re: Attacking the Tor Control Port with Java

[Roger Dingledine <arma@xxxxxxx>]

On Wed, Oct 10, 2007 at 12:59:56AM -0500, Gregory Fleischer (Lists) wrote:
> On 3 October 2007, Sun announced several critical security updates for
> the Java Runtime Environment at [1].  In particular, [2] describes how
> network access restrictions can be circumvented to connect to
> arbitrary hosts by utilizing DNS rebinding.
[snip]
> Java exposes a programmatic sockets interface, and a malicious applet
> can construct properly formed control port commands.  If the control
> port is enabled with the NULL authentication and accessible to the web
> browser, the malicious applet can authenticate and send arbitrary
> commands.

Fun stuff. I suspected something like this would be possible.

This is why all the Tor users out there should run Tor 0.1.2.17 (released
Aug 30 2007) or 0.2.0.6-alpha or later (released Aug 26 2007).

Let us know if you find an attack that works on these versions. :)

> To summarize, Tor users with the following conditions may be at risk:
>   - vulnerable version of Java enabled in web browser
[snip]

If you're running vulnerable versions of Java, you may well be screwed
for other reasons. Another good reason for us to get the dev version of
Torbutton into good shape.

Thanks,
--Roger