[tor-bugs] #17674 [Tor]: circuit_handle_first_hop doesn't respect ExtendAllowPrivateAddresses

Mon Dec 7 22:57:03 UTC 2015

#17674: circuit_handle_first_hop doesn't respect ExtendAllowPrivateAddresses
-------------------------------------------------+-------------------------
 Reporter:  teor                                 |          Owner:
     Type:  defect                               |         Status:
 Priority:  Very High                            |  needs_information
Component:  Tor                                  |      Milestone:  Tor:
 Severity:  Major                                |  0.2.8.x-final
 Keywords:  dos tor-hs 027-backport              |        Version:
  026-backport security                          |     Resolution:
Parent ID:  #17178                               |  Actual Points:
  Sponsor:                                       |         Points:
-------------------------------------------------+-------------------------

Comment (by teor):

 Replying to [comment:6 dgoulet]:
 > Replying to [comment:4 teor]:
 > > Please see my branch first-hop-no-private at
 https://github.com/teor2345/tor.git
 > >
 > > It modifies circuit_handle_first_hop to refuse any connections to a
 private address with a protocol error, unless ExtendAllowPrivateAddresses
 is set.
 > >
 > > This should catch this issue with relay extends, and hidden service /
 RSOS rendezvous from badly behaved clients.
 >
 > I've played around with this. I've modified a tor client to change the
 RP extend info to be a IP/PORT I control (nc -l PORT basically). The
 result, and somehow expected is that the remote HS second middle when
 trying to extend to the RP does a TLS connection to my IP/PORT.

 This is the behaviour the patch is intended to prevent - we don't want
 clients being able to convince HSs to make a TLS connection to anywhere on
 the Internet via their rendezvous second middle relay.

 > I've modified an HS I own to always pick the second middle to be a relay
 that I controlled (thus could look at the log). I then changed the RP info
 to 127.0.0.1. I see that my pinned relay is logging me:
 >
 > {{{
 > Dec 07 17:31:56.000 [warn] Client asked me to extend to a private
 address
 > }}}
 >
 > Which is denied by `circuit_extend`. So maybe the use case I've tested
 is wrong but it doesn't seem we go through "handle_first_hop" when
 extending to the RP (for hidden service). I would be curious why RSOS
 doesn't also use `circuit_extend` then?

 The current behaviour of HSs is to make a TLS connection from the second
 middle, then refuse to send the extend cell in "circuit_extend".

 The first hop uses "handle_first_hop". Subsequent hops use
 "circuit_extend".

 Since a RSOS only makes one-hop rendezvous circuits, we need to stop this
 in "handle_first_hop" as well.

 >
 > (All this testing required me to change the HS, client and middle relay
 so I might have gone wrong).
 >

 It looks like you're on the right track.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17674#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online