On 9 Dec. 2016, at 16:31, Ivan Markin twim@riseup.net wrote:
Hi tor-relays@,
Getting back with more results on this. I've implemented a CVE-2016-5696 scanner in Go [1] and scanned the Tor network several times [2]. The first results I got using a technique similar to David's (sending 500 RSTs in one burst); the second ones were obtained via another method (send 111 RSTs in a burst and then 111 RSTs 1 second later*).
Current statistics: 32% of Linux relays are vulnerable. That is 23% of Tor network.
--
Now some magic! Those 3 NetBSD relays from before still behave like they are vulnerable Linuxes (as they did in David's scanner, and two of mine):
$ cat grill-tor-2016-12-09 | grep -v Linux | grep vulnerable
78.47.45.36:9001,3F5440FF003DFF8A12AA308CFD4087FBC157ABE0,Tor 0.2.8.9 on NetBSD,200,1.847787ms,1.834238ms,vulnerable
86.62.117.171:63500,508004552343E5374B6570C76E9239AA23310684,Tor 0.2.5.10 on NetBSD,200,1.999138ms,1.839057ms,vulnerable
139.18.25.35:9001,8806C3E6FA42B07113F3A1553DE70C0A30101201,Tor 0.2.8.9 on NetBSD,200,3.936046ms,3.777501ms,vulnerable
Yes, nmap -O reports them to be NetBSD hosts.
Actually I don't know what's going on here. Thoughts:
- relays are behind vulnerable Linux middleboxes
- RFC 5961 got implemented partly in NetBSD and it is actually vulnerable
- ???
Okay then. I've brought up a NetBSD 7.0.2 VM and scanned it locally. 0 challenge ACKs. Fine. I've put it behind a vulnerable Linux DNAT and it was 'kinda' vulnerable (some small random amount of ChACKs). Probably I did something wrong here. I headed out and scanned netbsd.org (self-hosted?) and it's vulnerable also.
I've lurked through NetBSD's src code and found some bits of RFC5961. But I was unable to see anything offensive.
If someone has some insight on this dark magic, that would be awesome!
Thanks for bringing up the diversity issue in light of this CVE, Alex! Just to make everyone feel sad today:
$ cat grill-tor-2016-12-09 | grep -v offline | grep Linux | wc -l
6435
$ cat grill-tor-2016-12-09 | grep -v offline | grep -v Linux | wc -l
550
Sadly, Linuxes are typical ~2σ of the network. ;( Please run more different (e.g. BSD) relays!
[*] I think it should be more accurate.
[1] https://github.com/nogoegst/grill
[2] https://gist.github.com/nogoegst/d2de330b794b47158b4cfbed0987b4de
Hi Ivan,
Thanks for doing this work, and the reminder to upgrade (or install a non-Linux OS).
For Tor client path selection, it is typically the vulnerable consensus weight that matters, not the number of relays. (Except in the case of HSDirs, where the hash ring is unweighted.)
Have you looked at the vulnerable consensus weight proportion?
T
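The two messages above together ask for a statistic the scan output alone does not give: the vulnerable share of the network by consensus weight rather than by relay count. The following is an added example, not code from the thread or from the grill project. It parses lines in the CSV shape shown in Ivan's output (address:port, fingerprint, platform, HTTP status, two RTTs, verdict), joins them with consensus weights keyed by fingerprint, and reports both the unweighted and the weighted vulnerable fraction, plus the per-OS breakdown. All fingerprints, addresses and weights are constructed; the verdict strings other than "vulnerable" and "offline" are an assumption about grill's output, so anything else is treated as "not vulnerable".

```python
"""Added example: weighted vs. unweighted vulnerable share from grill-style scan lines.

Not part of the tor-relays thread or the grill project. Sample data is constructed.
"""
import csv
import io
from collections import Counter
from typing import Dict, List


def _fp(i: int) -> str:
    # Constructed 40-hex-digit placeholder fingerprint, not a real relay.
    return f"{i:040X}"


# Constructed scan output in the shape shown in the thread. The "offline" line
# has an HTTP status of 0 and empty RTT fields.
SCAN_LINES = "\n".join([
    f"10.0.0.1:9001,{_fp(1)},Tor 0.2.8.9 on Linux,200,1.1ms,1.0ms,vulnerable",
    f"10.0.0.2:9001,{_fp(2)},Tor 0.2.8.9 on Linux,200,1.2ms,1.1ms,not vulnerable",
    f"10.0.0.3:9001,{_fp(3)},Tor 0.2.8.9 on NetBSD,200,3.9ms,3.7ms,vulnerable",
    f"10.0.0.4:9001,{_fp(4)},Tor 0.2.9.5 on FreeBSD,200,2.0ms,1.9ms,not vulnerable",
    f"10.0.0.5:9001,{_fp(5)},Tor 0.2.8.9 on Linux,0,,,offline",
]) + "\n"

# Constructed consensus weights keyed by fingerprint. In a real analysis these
# would be taken from the "w Bandwidth=..." entries of a consensus document.
CONSENSUS_WEIGHT: Dict[str, int] = {
    _fp(1): 5000, _fp(2): 1000, _fp(3): 500, _fp(4): 2500, _fp(5): 3000,
}


def parse_scan(text: str) -> List[dict]:
    """Parse grill-style CSV lines; the OS is split out of the platform string."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 7:
            continue  # blank or truncated line
        addr, fp, platform, _status, _rtt1, _rtt2, verdict = row[:7]
        # "Tor 0.2.8.9 on NetBSD" -> "NetBSD"
        os_name = platform.split(" on ", 1)[1] if " on " in platform else "unknown"
        records.append({"addr": addr, "fp": fp, "os": os_name, "verdict": verdict.strip()})
    return records


def summarize(records: List[dict], weights: Dict[str, int]) -> dict:
    """Count and weight vulnerable relays among those that were reachable."""
    online = [r for r in records if r["verdict"] != "offline"]
    vulnerable = [r for r in online if r["verdict"] == "vulnerable"]
    online_weight = sum(weights.get(r["fp"], 0) for r in online)
    vulnerable_weight = sum(weights.get(r["fp"], 0) for r in vulnerable)
    return {
        "online": len(online),
        "vulnerable": len(vulnerable),
        "vulnerable_fraction": len(vulnerable) / len(online) if online else 0.0,
        "vulnerable_weight_fraction": vulnerable_weight / online_weight if online_weight else 0.0,
        "os_counts": dict(Counter(r["os"] for r in online)),
        "vulnerable_os_counts": dict(Counter(r["os"] for r in vulnerable)),
        # Relays the consensus does not list contribute zero weight; flag them.
        "missing_weight": [r["fp"] for r in online if r["fp"] not in weights],
    }


if __name__ == "__main__":
    summary = summarize(parse_scan(SCAN_LINES), CONSENSUS_WEIGHT)
    print(f"online relays: {summary['online']}, vulnerable: {summary['vulnerable']}")
    print(f"vulnerable by count:  {summary['vulnerable_fraction']:.1%}")
    print(f"vulnerable by weight: {summary['vulnerable_weight_fraction']:.1%}")
    print("per OS:", summary["os_counts"], "vulnerable per OS:", summary["vulnerable_os_counts"])
```

With the constructed data the count-based share is 50% but the weight-based share is about 61%, which is the gap the reply is pointing at: a few heavily weighted vulnerable relays matter more to path selection than many lightly weighted ones.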