[tor-bugs] #13256 [Torsocks]: torsocks 1.3 possibly leaks username

[Tor Bug Tracker & Wiki]

#13256: torsocks 1.3 possibly leaks username
----------------------+-------------------------
 Reporter:  p4blog    |          Owner:  dgoulet
     Type:  defect    |         Status:  new
 Priority:  major     |      Milestone:
Component:  Torsocks  |        Version:
 Keywords:  leak      |  Actual Points:
Parent ID:            |         Points:
----------------------+-------------------------
 Hi!

 Disclaimer:
 Not sure if I should have opened this bug report since it's for an old
 version and torsocks is now on 2.0, but 1.3 is the current version of
 torsocks in the Ubuntu 14.04 (LTS) repositories, which means it will still
 be so for some time.

 Recently while playing with torsocks, wget and wireshark, I discovered
 something that looks like the name of the user running torsocks is leaked
 somehow. It's reproducible always that https is not used and torsocks is
 configured to use SOCKS4 (SOCKS5 unaffected). Please see the attached a
 screenshot for easier explanation.

 Thankfully, these bytes won't leave the loopback interface hardly ever
 thanks to the default configuration of Tor, but in some configurations it
 could be considered dangerous. Furthermore, doc/socks/socks-extensions.txt
 says that usernames are ignored in SOCKS4 and SOCKS4A. Isn't it better to
 send random characters then instead of the user running it?

 I haven't had a deep look at the torsocks code but I think these calls are
 the key :
 src/socks.c:    user = getpwuid(getuid());

 These calls seem that were there since the beginning of the project but
 are not anymore in the latest version.

 If you considered this is a bug, we should notify distributions. Otherwise
 if this behaviour is expected, just close this report ;)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13256>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online