[tor-bugs] #1859 [Tor Client]: Using 'mytorexitnode.exit' request when mytorexitnode is both exit and client

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Tue Aug 24 15:10:19 UTC 2010


#1859: Using 'mytorexitnode.exit' request when mytorexitnode is both exit and
client
------------------------+---------------------------------------------------
 Reporter:  mwenge      |       Owner:                     
     Type:  defect      |      Status:  needs_review       
 Priority:  normal      |   Milestone:                     
Component:  Tor Client  |     Version:  Tor: 0.2.2.12-alpha
 Keywords:              |      Parent:                     
------------------------+---------------------------------------------------

Comment(by tractor):

 Routerinfo_t returned by router_get_by_nickname() while it's not a part of
 routerlist have been just a bug on the fact.
 For an attack will use the conditions under which this pseudo-element list
 is returned
 at:
 {{{
   if (server_mode(get_options()) &&
       !strcasecmp(nickname, get_options()->Nickname))
     return router_get_my_routerinfo();
 }}}
 combining a role of client and an exit relay allows an attacker to
 identify a relay that victim used as OP.

 The most simple scenario of such a case includes:
 relay (0.2.1.x or 0.2.2.x with allowed dotexit) used as a client,
 nickname of relay selected as (conflicts) that the auths assigns the
 Unnamed flag to it.

 Such client will be the only one who can use own exit relay with Unnamed
 flag.

 We can assume that the scenario is unlike in wild: does not affect clients
 in general and a small part of relay only which are probably no one will
 be used simultaneously with the OP. This is true.
 But the mistake does not cease to be a mistake, an extreme edge case of
 very near to those who are could be with non zero chance susceptible to
 such attacks or to any a new bugs as a result of such behavior.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/1859#comment:20>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list