[tor-bugs] #6710 [Tor Relay]: Tor Relays accept arbitrary destination address and port and leak information about reachability

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Mon Aug 27 08:43:00 UTC 2012 

#6710: Tor Relays accept arbitrary destination address and port and leak
information about reachability
-----------------------+----------------------------------------------------
 Reporter:  thejh      |          Owner:                  
     Type:  defect     |         Status:  new             
 Priority:  normal     |      Milestone:  Tor: unspecified
Component:  Tor Relay  |        Version:  Tor: unspecified
 Keywords:             |         Parent:                  
   Points:             |   Actualpoints:                  
-----------------------+----------------------------------------------------
 Tor relays accept arbitrary destination address-port-combinations,
 including RFC1918 addresses, in EXTEND commands, and leak information
 about reachability. Here's a little, unreliable, pretty much broken PoC:
 https://github.com/thejh/tor/compare/master...fake_relay

 Usage: Configure the target relay as bridge, set loglevel to notice and
 run the modified tor client with some IP and port in the bridges network
 as last two parameters (for some reason, it seems like the IP has to be in
 backwards notation... don't ask me why).

 Example:
 $ src/or/tor -f torrc 1.178.168.192 80
 [...]
 Aug 27 10:30:34.000 [notice] CREATING SPOOFED CIRCUIT
 Aug 27 10:30:34.000 [notice] CIRCUIT WAS DESTROYED

 $ src/or/tor -f torrc 2.178.168.192 80
 [...]
 Aug 27 10:30:00.000 [notice] CREATING SPOOFED CIRCUIT
 Aug 27 10:30:03.000 [notice] CIRCUIT WAS DESTROYED

 192.168.178.1 is up, 192.168.178.2 is down. As you can see, the response
 time reflects this.

 If there are firewalls that DROP traffic to ports that aren't witelisted,
 it might even be possible to scan them to figure out which ports are
 whitelisted, thereby figuring out operating system and network structure
 details.

 Also, it might be possible to extend this attack if the relay uses global
 IP sequence numbers - opening a TCP connection, exchanging packets and
 closing it certainly takes more IP packets than one SYN packet, right?
 This would mean that a variant of idle scanning could be used.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6710>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list