[tor-bugs] #5402 [Tor Client]: #5090 allows post-auth heap overflow

["Tor Bug Tracker & Wiki" <torproject-admin@xxxxxxxxxxxxxx>]

#5402: #5090 allows post-auth heap overflow
------------------------+---------------------------------------------------
 Reporter:  arma        |          Owner:                    
     Type:  defect      |         Status:  new               
 Priority:  major       |      Milestone:  Tor: 0.2.2.x-final
Component:  Tor Client  |        Version:                    
 Keywords:              |         Parent:                    
   Points:              |   Actualpoints:                    
------------------------+---------------------------------------------------
 Robert Connolly from Matta Consulting reports that the config parsing bug
 in #5090 (which he found independently) is exploitable.

 Examples for triggering it include
 {{{
 SETCONF
 aaaa="bbbbbbbbbbbb\x"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
 }}}
 and setting a torrc line of
 {{{
 ContactInfo "Here I
 \x"amaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
 }}}

 Fortunately, it looks like it can only be triggered once you've
 authenticated to the control port (in which case you can already screw the
 user) or if you can edit the torrc file (same). So it's not harmful.

 Is that really true? Are there any other instances of the bug? Any other
 ways of reaching it? Does the different trust model for the control socket
 change the above paragraph?

 Jake opened #5210 to avoid future things like this being exploitable in
 practice.

 And Nick points out:
 {{{
 We ought to audit uses of get_escaped_string_length in control.c
 nevertheless.  It is a *PHENOMINALLY BAD IDEA* in C to have
 independent functions that count the length of something and that
 parse it.  We should look for other cases of that antipattern too.
 }}}

 (This ticket started out as a secteam discussion, until we decided that it
 didn't look like a remote execution bug.)

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5402>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs