[tor-bugs] #17674 [Tor]: circuit_handle_first_hop doesn't respect ExtendAllowPrivateAddresses

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Nov 24 15:42:45 UTC 2015


#17674: circuit_handle_first_hop doesn't respect ExtendAllowPrivateAddresses
-------------------------------------------------+-------------------------
 Reporter:  teor                                 |          Owner:
     Type:  defect                               |         Status:  new
 Priority:  Very High                            |      Milestone:  Tor:
Component:  Tor                                  |  0.2.8.x-final
 Severity:  Major                                |        Version:
 Keywords:  dos tor-hs 027-backport              |     Resolution:
  026-backport security                          |  Actual Points:
Parent ID:  #17178                               |         Points:
  Sponsor:                                       |
-------------------------------------------------+-------------------------

Comment (by teor):

 This is a general case of the bug reported in #8976.

 From IRC:
 {{{
 teor
 we believe whatever address and port are sent to us in rendezvous protocol
 versions 2 & 3

 dgoulet
 oh rly!?

 teor
 without checking the consensus

 dgoulet
 I vaguely remember being a feature of tor that is being able to exit at an
 address that is _not_ an exit

 teor
 So for HS, this means that a three-hop circuit can be made to an arbitrary
 address

 dgoulet
 (or not in consensus)

 teor
 For RSOS, this means that a one-hop circuit can be made to an arbitrary
 address
 In either case, there should be a check for a private address

 asn
 i thought this was fixed by robert at some point

 teor
 Facebook's logs suggest it has not been, and I can't see it in the code

 asn
 but i see how it's worse for RSOS

 teor
 Certainly Tor will refuse to send cells, but it will still connect
 I don't think we need that feature, unless we sometimes connect to
 ourselves
 I think Robert fixed it by refusing to send cells to extend to a private
 address
 Which doesn't handle the RSOS one-hop case, or any other case where Tor
 connects directly to a private address
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17674#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
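
The private-address check the comment above asks for, placed at the point where the connection is decided rather than where cells are sent, as an added example (not Tor's code and not part of the ticket). `ipv4_is_internal` and `first_hop_addr_allowed` are hypothetical names, the boolean parameter stands in for the ExtendAllowPrivateAddresses option, only IPv4 is handled, and the sample addresses are constructed.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not Tor's own): true when an IPv4 address, given in
 * host byte order, is unspecified, loopback, RFC 1918 private or link-local. */
static bool ipv4_is_internal(uint32_t a)
{
  return (a >> 24) == 0        /* 0.0.0.0/8 */
      || (a >> 24) == 127      /* 127.0.0.0/8 loopback */
      || (a >> 24) == 10       /* 10.0.0.0/8 */
      || (a >> 20) == 0xAC1    /* 172.16.0.0/12 */
      || (a >> 16) == 0xC0A8   /* 192.168.0.0/16 */
      || (a >> 16) == 0xA9FE;  /* 169.254.0.0/16 link-local */
}

/* Decide whether a first-hop connection to a peer-supplied address may be
 * opened. Returns 0 to allow, -1 to refuse. The caller runs this before any
 * connect(), so a refused address is never contacted at all. Anything that
 * does not parse as IPv4, or has port 0, is refused. */
int first_hop_addr_allowed(const char *ip, uint16_t port,
                           bool extend_allow_private)
{
  struct in_addr in;
  if (port == 0 || inet_pton(AF_INET, ip, &in) != 1)
    return -1;
  if (!extend_allow_private && ipv4_is_internal(ntohl(in.s_addr)))
    return -1;
  return 0;
}

int main(void)
{
  /* Constructed sample addresses: one public (TEST-NET-3), three internal. */
  const char *samples[] = { "203.0.113.7", "10.0.0.5", "127.0.0.1",
                            "192.168.1.1" };
  for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
    printf("%-12s option off: %-6s option on: %s\n", samples[i],
           first_hop_addr_allowed(samples[i], 9001, false) ? "refuse" : "allow",
           first_hop_addr_allowed(samples[i], 9001, true) ? "refuse" : "allow");
  return 0;
}
```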

