[tor-bugs] #8976 [Tor]: rend_service_introduce() doesn't notice if the rendezvous point is on 127.0.0.1

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Mar 29 22:39:06 UTC 2016


#8976: rend_service_introduce() doesn't notice if the rendezvous point is on
127.0.0.1
---------------------------------+------------------------------------
 Reporter:  arma                 |          Owner:  teor
     Type:  defect               |         Status:  needs_review
 Priority:  Medium               |      Milestone:  Tor: 0.2.7.x-final
Component:  Tor                  |        Version:  Tor: 0.2.3.21-rc
 Severity:  Normal               |     Resolution:
 Keywords:  tor-hs 027-backport  |  Actual Points:
Parent ID:                       |         Points:
 Reviewer:                       |        Sponsor:  SponsorR-must
---------------------------------+------------------------------------

Comment (by teor):

 Replying to [comment:23 andrea]:
 > Hmmm - seems hard to imagine what conceivable attack could use such a
 > rendezvous address, since if it did go as far as trying to build a circuit
 > to one, it would be from some relay picked by the HS Tor and not under
 > attacker control, and not from the HS Tor's location.  Is there a
 > differential behavior in that case depending on whether the address is
 > reachable, though?

 Whatever the address, the HS will build a 3 relay path to it.
 Then, if it's an internal address, the HS refuses to send an extend cell.
 If it's publicly routable, the HS sends an extend cell and connects as
 normal.

 (After this patch, if it's an internal address, the HS refuses to build a
 path.)

 > I was leaning toward don't-backport on this one since there didn't seem
 > to be any plausible exploitability; do you really think there might be
 > something going on, teor?

 I can't imagine how this behaviour is exploitable, but it does allow an
 attacker to make the HS build lots of circuits through its guard, which
 are then terminated in a predictable manner by the HS.

 It could simply be a bug in some tor clients.

 I could go either way with a backport, I suggested one because I'd rather
 be safe than sorry.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8976#comment:24>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
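
The difference between the two behaviours described in the comment above, as a small added model that is not Tor's code and not part of the ticket. It assumes IPv4 only; `ipv4_is_internal`, `handle_introduce` and the result names are hypothetical, and the sample addresses are constructed.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum intro_result { BAD_ADDRESS, REFUSED_BEFORE_PATH, REFUSED_AT_EXTEND, CONNECTED };
struct intro_outcome { enum intro_result result; int relays_built; };

/* Hypothetical helper: is this IPv4 address (host byte order) internal? */
static bool ipv4_is_internal(uint32_t a)
{
    return (a >> 24) == 0        /* 0.0.0.0/8 */
        || (a >> 24) == 10       /* 10.0.0.0/8 */
        || (a >> 24) == 127      /* 127.0.0.0/8 loopback */
        || (a >> 16) == 0xA9FE   /* 169.254.0.0/16 link-local */
        || (a >> 20) == 0xAC1    /* 172.16.0.0/12 */
        || (a >> 16) == 0xC0A8;  /* 192.168.0.0/16 */
}

/* Model of the service's reaction to a requested rendezvous address.
 * check_first=false: build the path, then refuse the extend (before the patch).
 * check_first=true:  refuse before building any path (after the patch). */
struct intro_outcome handle_introduce(const char *rp_addr, bool check_first)
{
    struct intro_outcome out = { BAD_ADDRESS, 0 };
    struct in_addr in;
    if (inet_pton(AF_INET, rp_addr, &in) != 1)
        return out;                       /* unparseable: nothing is built */
    bool internal = ipv4_is_internal(ntohl(in.s_addr));
    if (check_first && internal) {
        out.result = REFUSED_BEFORE_PATH;
        return out;
    }
    out.relays_built = 3;                 /* the 3 relay path from the comment */
    out.result = internal ? REFUSED_AT_EXTEND : CONNECTED;
    return out;
}

int main(void)
{
    /* Constructed sample addresses; 198.51.100.7 is a documentation range. */
    const char *samples[] = { "127.0.0.1", "172.31.255.255", "198.51.100.7" };
    for (int i = 0; i < 3; i++)
        for (int after = 0; after <= 1; after++) {
            struct intro_outcome o = handle_introduce(samples[i], after);
            printf("%-15s check_first=%d result=%d relays_built=%d\n",
                   samples[i], after, o.result, o.relays_built);
        }
    return 0;
}
```

With the early check, an internal address costs the service no path at all, while publicly routable addresses are handled the same in both modes.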

