[tor-commits] [tor/maint-0.2.3] Disable extending to private/internal addresses by default

nickm at torproject.org nickm at torproject.org
Mon Aug 27 20:15:57 UTC 2012


commit b7c172c9ec762363562220a354feefc521970d7c
Author: Nick Mathewson <nickm at torproject.org>
Date:   Mon Aug 27 11:16:44 2012 -0400

    Disable extending to private/internal addresses by default
    
    This is important, since otherwise an attacker can use timing info
    to probe the internal network.
    
    Also, add an option (ExtendAllowPrivateAddresses) so that
    TestingTorNetwork won't break.
    
    Fix for bug 6710; bugfix on all released versions of Tor.
---
 changes/bug6710       |    7 +++++++
 doc/tor.1.txt         |    6 ++++++
 src/or/circuitbuild.c |    7 +++++++
 src/or/config.c       |    2 ++
 src/or/or.h           |    4 +++-
 5 files changed, 25 insertions(+), 1 deletions(-)

diff --git a/changes/bug6710 b/changes/bug6710
new file mode 100644
index 0000000..69a3c7e
--- /dev/null
+++ b/changes/bug6710
@@ -0,0 +1,7 @@
+  o Major bugfixes (security):
+    - Reject any attempt to extend to an internal address. Without
+      this fix, a router could be used to probe addresses on an
+      internal network to see whether they were accepting
+      connections. Fix for bug 6710; bugfix on all released versions
+      of Tor.
+
diff --git a/doc/tor.1.txt b/doc/tor.1.txt
index e7ba848..7e0751b 100644
--- a/doc/tor.1.txt
+++ b/doc/tor.1.txt
@@ -1470,6 +1470,11 @@ is non-zero):
     its extra-info documents that it uploads to the directory authorities.
     (Default: 1)
 
+**ExtendAllowPrivateAddresses** **0**|**1**::
+    When this option is enabled, Tor routers allow EXTEND request to
+    localhost, RFC1918 addresses, and so on. This can create security issues;
+    you should probably leave it off. (Default: 0)
+
 DIRECTORY SERVER OPTIONS
 ------------------------
 
@@ -1795,6 +1800,7 @@ The following options are used for running a testing Tor network.
        ClientRejectInternalAddresses 0
        CountPrivateBandwidth 1
        ExitPolicyRejectPrivate 0
+       ExtendAllowPrivateAddresses 1
        V3AuthVotingInterval 5 minutes
        V3AuthVoteDelay 20 seconds
        V3AuthDistDelay 20 seconds
diff --git a/src/or/circuitbuild.c b/src/or/circuitbuild.c
index 39a223b..f11bebf 100644
--- a/src/or/circuitbuild.c
+++ b/src/or/circuitbuild.c
@@ -2432,6 +2432,13 @@ circuit_extend(cell_t *cell, circuit_t *circ)
     return -1;
   }
 
+  if (tor_addr_is_internal(&n_addr, 0) &&
+      !get_options()->ExtendAllowPrivateAddresses) {
+    log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+           "Client asked me to extend to a private address");
+    return -1;
+  }
+
   /* Check if they asked us for 0000..0000. We support using
    * an empty fingerprint for the first hop (e.g. for a bridge relay),
    * but we don't want to let people send us extend cells for empty
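Review bot: The second argument in `tor_addr_is_internal(&n_addr, 0)` on the first added line is a bare constant whose meaning a reader cannot recover from this hunk; presumably it is the for_listening flag, which would decide whether the all-zeros address is classed as internal and therefore refused here, so a one-line comment such as `/* for_listening=0: the all-zeros "any" address counts as internal and is refused too */` would document the intent (confirm against tor_addr_is_internal's definition). The LOG_PROTOCOL_WARN line is the only operator-visible trace of a refused extend; if the refused hop's address helps diagnose a test network that forgot ExtendAllowPrivateAddresses, consider appending it via `fmt_addr(&n_addr)`, following the file's convention for logging addresses safely. Rejecting before any connection attempt is what removes the timing side channel the commit describes, but circuit_extend begins before this hunk and continues past it, so whether the caller tears the circuit down or answers with a TRUNCATED cell on the -1 return is not visible here.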
diff --git a/src/or/config.c b/src/or/config.c
index 3970808..d5e80cc 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -276,6 +276,7 @@ static config_var_t _option_vars[] = {
   V(ExitPolicy,                  LINELIST, NULL),
   V(ExitPolicyRejectPrivate,     BOOL,     "1"),
   V(ExitPortStatistics,          BOOL,     "0"),
+  V(ExtendAllowPrivateAddresses, BOOL,     "0"),
   V(ExtraInfoStatistics,         BOOL,     "1"),
 
 #if defined (WINCE)
@@ -473,6 +474,7 @@ static const config_var_t testing_tor_network_defaults[] = {
   V(ClientRejectInternalAddresses, BOOL,   "0"),
   V(CountPrivateBandwidth,       BOOL,     "1"),
   V(ExitPolicyRejectPrivate,     BOOL,     "0"),
+  V(ExtendAllowPrivateAddresses, BOOL,     "1"),
   V(V3AuthVotingInterval,        INTERVAL, "5 minutes"),
   V(V3AuthVoteDelay,             INTERVAL, "20 seconds"),
   V(V3AuthDistDelay,             INTERVAL, "20 seconds"),
diff --git a/src/or/or.h b/src/or/or.h
index 908daa6..9074083 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -3029,8 +3029,10 @@ typedef struct {
   config_line_t *RecommendedVersions;
   config_line_t *RecommendedClientVersions;
   config_line_t *RecommendedServerVersions;
-  /** Whether dirservers refuse router descriptors with private IPs. */
+  /** Whether dirservers allow router descriptors with private IPs. */
   int DirAllowPrivateAddresses;
+  /** Whether routers accept EXTEND cells to routers with private IPs. */
+  int ExtendAllowPrivateAddresses;
   char *User; /**< Name of user to run Tor as. */
   char *Group; /**< Name of group to run Tor as. */
   config_line_t *ORPort_lines; /**< Ports to listen on for OR connections. */
