[tor-bugs] #5402 [Tor Client]: #5090 allows post-auth heap overflow
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Fri Mar 16 03:23:19 UTC 2012
#5402: #5090 allows post-auth heap overflow
------------------------+---------------------------------------------------
Reporter: arma | Owner:
Type: defect | Status: new
Priority: major | Milestone: Tor: 0.2.2.x-final
Component: Tor Client | Version:
Keywords: | Parent:
Points: | Actualpoints:
------------------------+---------------------------------------------------
Robert Connolly from Matta Consulting reports that the config parsing bug
in #5090 (which he found independently) is exploitable.
Examples for triggering it include
{{{
SETCONF
aaaa="bbbbbbbbbbbb\x"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
}}}
and setting a torrc line of
{{{
ContactInfo "Here I
\x"amaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
}}}
Fortunately, it looks like it can only be triggered once you've
authenticated to the control port (in which case you can already screw the
user) or if you can edit the torrc file (same). So it's not harmful.
Is that really true? Are there any other instances of the bug? Any other
ways of reaching it? Does the different trust model for the control socket
change the above paragraph?
Jake opened #5210 to avoid future things like this being exploitable in
practice.
And Nick points out:
{{{
We ought to audit uses of get_escaped_string_length in control.c
nevertheless. It is a *PHENOMINALLY BAD IDEA* in C to have
independent functions that count the length of something and that
parse it. We should look for other cases of that antipattern too.
}}}
(This ticket started out as a secteam discussion, until we decided that it
didn't look like a remote execution bug.)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5402>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list