[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-bugs] #6710 [Tor Relay]: Tor Relays accept arbitrary destination address and port and leak information about reachability
#6710: Tor Relays accept arbitrary destination address and port and leak
information about reachability
-----------------------+----------------------------------------------------
Reporter: thejh | Owner:
Type: defect | Status: new
Priority: normal | Milestone: Tor: unspecified
Component: Tor Relay | Version: Tor: unspecified
Keywords: | Parent:
Points: | Actualpoints:
-----------------------+----------------------------------------------------
Tor relays accept arbitrary destination address-port-combinations,
including RFC1918 addresses, in EXTEND commands, and leak information
about reachability. Here's a little, unreliable, pretty much broken PoC:
https://github.com/thejh/tor/compare/master...fake_relay
Usage: Configure the target relay as bridge, set loglevel to notice and
run the modified tor client with some IP and port in the bridges network
as last two parameters (for some reason, it seems like the IP has to be in
backwards notation... don't ask me why).
Example:
$ src/or/tor -f torrc 1.178.168.192 80
[...]
Aug 27 10:30:34.000 [notice] CREATING SPOOFED CIRCUIT
Aug 27 10:30:34.000 [notice] CIRCUIT WAS DESTROYED
$ src/or/tor -f torrc 2.178.168.192 80
[...]
Aug 27 10:30:00.000 [notice] CREATING SPOOFED CIRCUIT
Aug 27 10:30:03.000 [notice] CIRCUIT WAS DESTROYED
192.168.178.1 is up, 192.168.178.2 is down. As you can see, the response
time reflects this.
If there are firewalls that DROP traffic to ports that aren't witelisted,
it might even be possible to scan them to figure out which ports are
whitelisted, thereby figuring out operating system and network structure
details.
Also, it might be possible to extend this attack if the relay uses global
IP sequence numbers - opening a TCP connection, exchanging packets and
closing it certainly takes more IP packets than one SYN packet, right?
This would mean that a variant of idle scanning could be used.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6710>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs