[tor-bugs] #18101 [Applications/Tor Browser]: IP leak from Windows UI dialog with URI

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Nov 17 00:04:03 UTC 2017

#18101: IP leak from Windows UI dialog with URI
 Reporter:  uileak                               |          Owner:
                                                 |  arthuredelstein
     Type:  defect                               |         Status:
                                                 |  needs_review
 Priority:  Very High                            |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Major                                |     Resolution:
 Keywords:  tbb-disk-leak, tbb-proxy-bypass,     |  Actual Points:
  TorBrowserTeam201711R                          |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:

Comment (by pospeselr):

 Wow, this is janky.  Definitely agree with cypherpunks that eventually
 firefox should probably handle file-dialogs internally the same way
 everywhere.  Otherwise we're just waiting for GTK/KDE/MacOS/Windows devs
 to break us.

 === Code Fixes:

 ::GetDlgItemText truncates the requested string based on the nMaxCount
 provided.  Given that scheme part of the URI (http, https, ftp, etc) is
 going to be short, does it make sense to have a smaller buffer?

 messageBuffer ought to just be an HLOCAL (which is just a typedef'd HANDLE
 which itself is a typede'd void*) rather than LPTSTR.  The memory
 allocated by ::FormatMessageW is done so using ::LocalAlloc.  You also
 need to add a ::LocalFree(messageBuffer) call after we're finished with

 === Approach in General:

 Checking the URI string for ':^^/^^/' is not sufficient.  Playing around
 in a Win10 VM, you can access SMB shares via strings like:

 * {{{ \\Hostname\Path\To\File.txt }}}
 * {{{ \\\Path\To\File.txt }}}

 However, this is sort of irrelevant because (on Win10 at least) the file
 explorer does DNS and LLMNR (for local shares) queries AS YOU TYPE for
 SMB.  So for instance, if you have an SMB share of the form
 {{{\\other\shared}}} as soon as you type that '\' before shared an LLMNR
 request is sent out.  Same story if you query {{{\\wwww.cnn.com\shared}}}
 a DNS request gets sent out.  The requests will also be triggered on

 This auto-lookup does not occur with https/http/ftp URIs, only windows SMB
 strings starting with ^^\^^\ .

 After a fair amount of digging today it doesn't look like there's an easy
 way to fix this.  I'd hoped a fix would be as easy as detouring the
 relevant DNS API, but the DNS request doesn't appear to be coming from the
 process which opens the file dialog.  The URL string does get passed
 through RPC APIs several times (which makes me think some service is doing
 the request).

 We might be able to detour whichever root offending function is causing
 the DNS request to happen but that will require more investigation, and
 would be inherently fragile and would need to be tested on every Windows

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18101#comment:70>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list