[tbb-bugs] #16813 [Tor Browser]: Tor Browser + nscd leaks Tor DNS to System Cache to System DNS Servers

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Aug 14 10:40:06 UTC 2015


#16813: Tor Browser + nscd leaks Tor DNS to System Cache to System DNS Servers
-----------------------------+----------------------
     Reporter:  teor         |      Owner:  tbb-team
         Type:  defect       |     Status:  new
     Priority:  normal       |  Milestone:
    Component:  Tor Browser  |    Version:
   Resolution:               |   Keywords:
Actual Points:               |  Parent ID:
       Points:               |
-----------------------------+----------------------

Old description:

> From IRC #tor
>
> nettezzz
> hello
> I would like to share with you one interesting finding that I did
> recently and that is a big security flaw related to using the tor
> simply said, a lot of distributions use by default enabled nscd and nscd
> leaks the cached data to the system wide nameserver by refreshing its
> cache entries, eg:
> you have your browser configured to use SOCKS proxy including DNS
> requests going through .. these dns replies end up in nscd and nscd
> periodically refreshes the entries by asking system-wide set nameservers
> so maybe the solution would be that TOR also check if nscd is running and
> on information level notices user that this might happen
> howto reproduce it: enable nscd (if not enabled) and from terminal with
> root's shell do `tcpdump -i $your_lan_iface port 53` ... you'll see
> periodically that your "tor browsed" sites leaks via DNS requests to your
> "normal" DNS
> I hope that this information will be useful for somebody
> whitanne_
> nettezzz: is this for the latest version of tor?
> nettezzz
> it's for all versions of tor
> whitanne_: probably a lot of linux users are not affected, but at least
> some major distros have enabled nscd by default - at least we in opensuse
> also in nscd manpage is not this "feature" documented
> Joost
> nettezzz: it appears people have noticed this in the past:
> https://tor.stackexchange.com/questions/4350/tor-dns-cached
> nettezzz
> indeed
> so I re-invented wheel :)
> Joost: I didn't find it even according to the tor ... I was setting up
> somewhere some SOCKS proxy and found it ... later on reproduced it with
> tor browser
> Joost
> it's mentioned in some places, I see now..
> https://www.reddit.com/r/TOR/comments/1jegou/tor_and_dns_leaks/cbebnin
> nettezzz
> indeed sorry for alarming ppl then ... I thought I've discovered an
> americas
> Joost
> but imo it's odd, since it seems like quite a leak
> nettezzz: don't be sorry! it appears that there is very little awareness
> of this
> nettezzz
> but anyhow, it happens still these days whilst the solution is probably
> rather simple 1) put this explicitly as a mention somewhere to tor
> browser, 2) adding a check for nscd to tor browser verification checks
> whitanne_
> nettezzz: maybe you could file a bug report or something
> nettezzz
> to be honest, I don't use tor and I don't even have an account to tor
> bugzilla ... so please file a bug for tor and I'm going to file a bug to our
> opensuse bugzilla that this is undocumented and probably insecure to have
> it by default enabled
> I simply reproduced this with latest tor browser because it was obvious
> that any other SOCKS proxy solution forwarding dns queries via proxy will
> be affected

New description:

 From IRC #tor

 nettezzz
 hello
 I would like to share with you one interesting finding that I did
 recently and that is a big security flaw related to using the tor
 simply said, a lot of distributions use by default enabled nscd and nscd
 leaks the cached data to the system wide nameserver by refreshing its
 cache entries, eg:
 you have your browser configured to use SOCKS proxy including DNS requests
 going through .. these dns replies end up in nscd and nscd periodically
 refreshes the entries by asking system-wide set nameservers
 so maybe the solution would be that TOR also check if nscd is running and
 on information level notices user that this might happen
 howto reproduce it: enable nscd (if not enabled) and from terminal with
 root's shell do `tcpdump -i $your_lan_iface port 53` ... you'll see
 periodically that your "tor browsed" sites leaks via DNS requests to your
 "normal" DNS
 I hope that this information will be useful for somebody

 whitanne_
 nettezzz: is this for the latest version of tor?

 nettezzz
 it's for all versions of tor
 whitanne_: probably a lot of linux users are not affected, but at least
 some major distros have enabled nscd by default - at least we in opensuse
 also in nscd manpage is not this "feature" documented

 Joost
 nettezzz: it appears people have noticed this in the past:
 https://tor.stackexchange.com/questions/4350/tor-dns-cached

 nettezzz
 indeed
 so I re-invented wheel :)
 Joost: I didn't find it even according to the tor ... I was setting up
 somewhere some SOCKS proxy and found it ... later on reproduced it with
 tor browser

 Joost
 it's mentioned in some places, I see now..
 https://www.reddit.com/r/TOR/comments/1jegou/tor_and_dns_leaks/cbebnin

 nettezzz
 indeed sorry for alarming ppl then ... I thought I've discovered an
 americas

 Joost
 but imo it's odd, since it seems like quite a leak
 nettezzz: don't be sorry! it appears that there is very little awareness
 of this

 nettezzz
 but anyhow, it happens still these days whilst the solution is probably
 rather simple 1) put this explicitly as a mention somewhere to tor
 browser, 2) adding a check for nscd to tor browser verification checks

 whitanne_
 nettezzz: maybe you could file a bug report or something

 nettezzz
 to be honest, I don't use tor and I don't even have an account to tor
 bugzilla ... so please file a bug for tor and I'm going to file a bug to our
 opensuse bugzilla that this is undocumented and probably insecure to have
 it by default enabled
 I simply reproduced this with latest tor browser because it was obvious
 that any other SOCKS proxy solution forwarding dns queries via proxy will
 be affected

--

Comment (by teor):

 Split each part of the conversation by newlines for readability

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16813#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
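
The check proposed in the conversation above (notice when nscd is running with host caching on), sketched as an added example; it is not part of the ticket or of Tor Browser. The function names, the sample config and the rule that the last `enable-cache hosts` line wins are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: is nscd in a position to cache (and later refresh) hostnames?

# Print "yes" or "no" for the `enable-cache hosts` setting in an nscd.conf.
# nscd.conf(5) documents the default as "no" when the line is absent.
nscd_hosts_cache_enabled() {
    conf=${1:-/etc/nscd.conf}
    [ -r "$conf" ] || { echo no; return 0; }
    awk '
        { sub(/#.*/, "") }                                  # drop comments
        $1 == "enable-cache" && $2 == "hosts" { v = tolower($3) }
        END { print (v == "yes") ? "yes" : "no" }
    ' "$conf"
}

# Print "yes" if an nscd process exists, "no" otherwise (or if pgrep is absent).
nscd_running() {
    if pgrep -x nscd >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Combine both facts. $2 lets a caller supply the process state (used below
# and in tests); by default it is detected with nscd_running.
nscd_leak_verdict() {
    conf=${1:-/etc/nscd.conf}
    running=${2:-$(nscd_running)}
    cached=$(nscd_hosts_cache_enabled "$conf")
    if [ "$running" = yes ] && [ "$cached" = yes ]; then
        echo "WARN: nscd is running with the hosts cache enabled"
    elif [ "$cached" = yes ]; then
        echo "NOTE: hosts cache enabled in $conf but nscd is not running"
    else
        echo "OK: nscd hosts cache is not in use"
    fi
}

# Constructed sample config so the example runs on any machine.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample nscd.conf
enable-cache    passwd  yes
enable-cache    hosts   yes   # the cache discussed in the ticket
EOF
nscd_leak_verdict "$sample" yes   # process state supplied for the demo
nscd_leak_verdict                 # real check against /etc/nscd.conf
rm -f "$sample"
```

A WARN result is the condition under which the `tcpdump` observation from the conversation is worth repeating; setting `enable-cache hosts no` in nscd.conf or stopping nscd takes the hosts cache out of the picture.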

