Hi Ivan and tor-relay operators,
The Golang rewrite of the scanner is cool!
By the way, I'm surprised you wrote https://github.com/nogoegst/rough/blob/master/tcp.go instead of using https://github.com/google/gopacket
Maybe you could also implement my Tor guard discovery attack that uses this vulnerability?
I've been asked to write a proof of concept but I don't feel motivated to do so. Also, there are some doubts about whether this guard discovery attack would be feasible on the real Tor network... though we could probably make it work in a test network.
Now that such a small percentage of the Tor network is vulnerable it's probably safe/responsible for me to post my theoretic Tor guard discovery attack, right?
Sincerely,
David
On Fri, Dec 09, 2016 at 05:31:00AM +0000, Ivan Markin wrote:
Hi tor-relays@,
Getting back with more results on this. I've implemented a CVE-2016-5696 scanner in Go [1] and scanned the Tor network several times [2]. The first results I got using a technique similar to David's (sending 500 RSTs in one burst); the second ones were obtained via another method (send 111 RSTs in a burst and then 111 RSTs 1 second later*).
Current statistics: 32% of Linux relays are vulnerable. That is 23% of Tor network.
--
Now some magic! Those 3 NetBSD relays from before still behave like they are vulnerable Linuxes (as they did in David's scanner, and two of mine):
$ cat grill-tor-2016-12-09 | grep -v Linux | grep vulnerable
78.47.45.36:9001,3F5440FF003DFF8A12AA308CFD4087FBC157ABE0,Tor 0.2.8.9 on NetBSD,200,1.847787ms,1.834238ms,vulnerable
86.62.117.171:63500,508004552343E5374B6570C76E9239AA23310684,Tor 0.2.5.10 on NetBSD,200,1.999138ms,1.839057ms,vulnerable
139.18.25.35:9001,8806C3E6FA42B07113F3A1553DE70C0A30101201,Tor 0.2.8.9 on NetBSD,200,3.936046ms,3.777501ms,vulnerable
Yes, nmap -O reports them to be NetBSD hosts.
Actually I don't know what's going on here. Thoughts:
- relays are behind vulnerable Linux middleboxes
- RFC 5961 got implemented partly in NetBSD and it is actually vulnerable
- ???
Okay then. I've brought up a NetBSD 7.0.2 VM and scanned it locally. 0 challenge ACKs. Fine. I've put it under a vulnerable Linux DNAT and it was 'kinda' vulnerable (some small random amount of ChACKs). Probably I did something wrong here. I headed out and scanned netbsd.org (self-hosted?) and it's vulnerable also.
I've lurked through NetBSD's src code and found some bits of RFC 5961. But I was unable to see anything offensive.
If someone has some insight on this dark magic, that would be awesome!
Thanks for bringing up the diversity issue in light of this CVE, Alex! Just to make everyone feel sad today:
$ cat grill-tor-2016-12-09 | grep -v offline | grep Linux | wc -l
6435
$ cat grill-tor-2016-12-09 | grep -v offline | grep -v Linux | wc -l
550
Sadly, Linuxes are typical ~2σ of the network. ;( Please run more different (e.g. BSD) relays!
[*] I think it should be more accurate.
[1] https://github.com/nogoegst/grill
[2] https://gist.github.com/nogoegst/d2de330b794b47158b4cfbed0987b4de
--
Happy life without suffering,
Ivan Markin
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
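The per-OS counting Ivan does above with grep and wc, as an added example that is not part of the thread or of the grill project: it parses the scanner's CSV lines in the layout quoted above (the 7-column layout, the "offline" verdict sitting in the last column, and the sample data are assumptions) and tallies non-offline relays and vulnerable relays per operating system.

```go
package main

import "strings"

// OSStats counts non-offline relays and the vulnerable subset for one OS.
type OSStats struct{ Total, Vulnerable int }

// parseLine reads one scanner CSV line and returns OS and verdict. The
// 7-column layout (addr,fingerprint,platform,status,rtt,rtt,verdict) is
// inferred from the lines quoted in the thread; ok is false otherwise.
func parseLine(line string) (os, verdict string, ok bool) {
	f := strings.Split(strings.TrimSpace(line), ",")
	if len(f) != 7 {
		return "", "", false
	}
	os = "unknown" // platform reads "Tor 0.2.8.9 on NetBSD"; OS follows " on "
	if i := strings.LastIndex(f[2], " on "); i >= 0 {
		os = f[2][i+4:]
	}
	return os, f[6], true
}

// Aggregate mirrors the grep|wc counting in the thread: offline relays are
// skipped, every other line counts for its OS, and "vulnerable" is tallied.
func Aggregate(csv string) map[string]OSStats {
	stats := map[string]OSStats{}
	for _, line := range strings.Split(csv, "\n") {
		os, verdict, ok := parseLine(line)
		if !ok || verdict == "offline" {
			continue
		}
		s := stats[os]
		s.Total++
		if verdict == "vulnerable" {
			s.Vulnerable++
		}
		stats[os] = s
	}
	return stats
}

// Sample is constructed data in the quoted layout (192.0.2.0/24 documentation
// addresses, placeholder fingerprints), not output from a real scan.
const Sample = `192.0.2.1:9001,FP01,Tor 0.2.8.9 on Linux,200,1.1ms,1.0ms,vulnerable
192.0.2.2:443,FP02,Tor 0.2.9.5-alpha on Linux,200,2.1ms,2.0ms,not vulnerable
192.0.2.3:9001,FP03,Tor 0.2.8.9 on Linux,0,0s,0s,offline
192.0.2.4:9001,FP04,Tor 0.2.8.9 on NetBSD,200,1.8ms,1.8ms,vulnerable
192.0.2.5:9001,FP05,Tor 0.2.8.9 on FreeBSD,200,3.0ms,2.9ms,not vulnerable`
```

Aggregate(Sample) yields Linux 2 relays (1 vulnerable), NetBSD 1 (1), FreeBSD 1 (0); the offline Linux line is excluded, as in the grep -v offline pipeline.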