[tor-relays] network scan results for CVE-2016-5696 / rfc 5961

dawuud dawuud at riseup.net
Fri Dec 2 02:00:46 UTC 2016



Hello,

I think the best approach for eliminating the false positives
would be to make the scanner perform the timing inference attack
as described in the paper.

Unfortunately I don't have enough time to look into this more.


Cheers,
David


On Thu, Nov 17, 2016 at 09:22:47PM +0000, dawuud wrote:
> 
> Hi all,
> 
> I'm sorry that there are some false positives.
> I did previously test against a FreeBSD tor relay and presumed NetBSD
> would have a similar result.
> 
> Thanks for looking closely at this Ivan.
> It sounds like the scanner needs to be fixed.
> I'll try to test with a netbsd host soon.
> 
> 
> Cheers!
> 
> David
> 
> 
> On Thu, Nov 17, 2016 at 07:46:00PM +0000, Ivan Markin wrote:
> > Hi David,
> > 
> > Thanks for your work!
> > 
> > dawuud:
> > > I added the scan output to the repo, this includes the output csv file
> > > and a list of vulnerable relays:
> > > 
> > > https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/probe_out.csv
> > > https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/vulnerable_tor_relays
> > 
> > FYI, I produced results with platform strings and fingerprints based on
> > this data [1].
> > 
> > It's pretty interesting that not only Linux relays are
> > 'vulnerable' (90 < ChACKs < 220) in David's scan:
> > % cat combined_results.csv | grep -v notvulnerable | grep -v Linux | grep Tor
> > 
> > Tor 0.2.8.9 on NetBSD,3F5440FF003DFF8A12AA308CFD4087FBC157ABE0,78.47.45.36:9001,1.08132791519,500,142,vulnerable
> > Tor 0.2.5.10 on NetBSD,508004552343E5374B6570C76E9239AA23310684,86.62.117.171:63500,1.00646305084,500,103,vulnerable
> > Tor 0.2.8.9 on NetBSD,8806C3E6FA42B07113F3A1553DE70C0A30101201,139.18.25.35:9001,1.02995896339,500,113,vulnerable
> > Tor 0.2.7.6 on FreeBSD,9C5461498004325F87C0685BDA5DA99AC5335314,62.194.144.196:9001,1.06730103493,500,211,vulnerable
> > Tor 0.2.8.9 on FreeBSD,BCFE548EA3FF8A0B3610779C238350124A8ED6DE,207.172.209.83:9001,1.06568193436,500,214,vulnerable
> > Tor 0.2.7.6 on NetBSD,F88C4D522EE7BD8B18B6C6418B8548E6E6BC74E9,195.43.138.226:9001,0.994502782822,500,100,vulnerable
> > 
> > After I've rescanned these relays myself several times, FreeBSD ones
> > stopped being 'vulnerable' while NetBSD ones somehow still reproduce
> > the 'vulnerable' Linux status.
> > 
> > I don't know why this happens; maybe someone can scan these relays
> > (or maybe all NetBSD ones, due to TCP stack specifics) themselves and get
> > different results. Anyway, these are just curious false positives.
> > 
> > [1]
> > https://github.com/nogoegst/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/combined_results.csv
> > 
> > --
> > Ivan Markin
> > _______________________________________________
> > tor-relays mailing list
> > tor-relays at lists.torproject.org
> > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

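As an added example (not code from the scan_tor_rfc5961 repository and not from either poster), the following Python re-checks the classification Ivan quotes: it parses result rows in the layout shown above, re-derives the 'vulnerable' verdict from the 90 < ChACKs < 220 window, and lists the non-Linux hits his grep pipeline picks out, with the observed challenge-ACK rate beside each. The column meanings (elapsed seconds, probes sent, challenge ACKs seen) are assumptions, since the CSV on this page carries no header; the last two sample rows are constructed.

```python
"""Re-check CVE-2016-5696 scan verdicts from scan_tor_rfc5961-style rows.

Added example; column semantics are assumed from the rows quoted in the
thread, which carry no header line.
"""
import csv
import io
from dataclasses import dataclass
from typing import List

# Window Ivan quotes for David's scanner: a relay whose challenge-ACK count
# over one probe window falls strictly inside it is recorded 'vulnerable'.
# The window targets the vulnerable Linux stack's global limit of 100
# challenge ACKs per second (net.ipv4.tcp_challenge_ack_limit); a stack with
# no such limit answers every probe, which is why 500 is 'notvulnerable'.
CHACK_LOW = 90
CHACK_HIGH = 220


@dataclass(frozen=True)
class ScanRow:
    platform: str     # "Tor <version> on <OS>" from the relay descriptor
    fingerprint: str  # relay identity fingerprint
    address: str      # ip:port that was probed
    elapsed: float    # assumed: seconds the probe window took
    probes: int       # assumed: probes sent in that window
    chacks: int       # assumed: challenge ACKs received back
    verdict: str      # verdict the scanner recorded

    @property
    def os_name(self) -> str:
        """'Tor 0.2.8.9 on NetBSD' -> 'NetBSD'."""
        return self.platform.rsplit(" on ", 1)[-1].strip()

    @property
    def chacks_per_second(self) -> float:
        """Observed challenge-ACK rate; about 100/s is the Linux signature."""
        return self.chacks / self.elapsed


def classify(chacks: int) -> str:
    """Re-derive the verdict from the challenge-ACK count alone."""
    return "vulnerable" if CHACK_LOW < chacks < CHACK_HIGH else "notvulnerable"


def parse_results(text: str) -> List[ScanRow]:
    """Parse combined_results.csv-style records (no header line)."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if not rec:
            continue  # tolerate blank lines
        if len(rec) != 7:
            raise ValueError(f"unexpected record: {rec!r}")
        plat, fp, addr, elapsed, probes, chacks, verdict = rec
        rows.append(ScanRow(plat.strip(), fp.strip(), addr.strip(),
                            float(elapsed), int(probes), int(chacks),
                            verdict.strip()))
    return rows


def recheck_verdicts(rows: List[ScanRow]) -> List[ScanRow]:
    """Rows whose recorded verdict disagrees with the window rule."""
    return [r for r in rows if classify(r.chacks) != r.verdict]


def non_linux_hits(rows: List[ScanRow]) -> List[ScanRow]:
    """Ivan's pipeline: grep -v notvulnerable | grep -v Linux | grep Tor."""
    return [r for r in rows
            if r.verdict == "vulnerable"
            and "Linux" not in r.platform
            and r.platform.startswith("Tor ")]


# Sample in the layout of combined_results.csv. The first six rows are the
# ones quoted in the thread; the last two are constructed for contrast and
# use RFC 5737 documentation addresses and placeholder fingerprints.
SAMPLE_CSV = """\
Tor 0.2.8.9 on NetBSD,3F5440FF003DFF8A12AA308CFD4087FBC157ABE0,78.47.45.36:9001,1.08132791519,500,142,vulnerable
Tor 0.2.5.10 on NetBSD,508004552343E5374B6570C76E9239AA23310684,86.62.117.171:63500,1.00646305084,500,103,vulnerable
Tor 0.2.8.9 on NetBSD,8806C3E6FA42B07113F3A1553DE70C0A30101201,139.18.25.35:9001,1.02995896339,500,113,vulnerable
Tor 0.2.7.6 on FreeBSD,9C5461498004325F87C0685BDA5DA99AC5335314,62.194.144.196:9001,1.06730103493,500,211,vulnerable
Tor 0.2.8.9 on FreeBSD,BCFE548EA3FF8A0B3610779C238350124A8ED6DE,207.172.209.83:9001,1.06568193436,500,214,vulnerable
Tor 0.2.7.6 on NetBSD,F88C4D522EE7BD8B18B6C6418B8548E6E6BC74E9,195.43.138.226:9001,0.994502782822,500,100,vulnerable
Tor 0.2.8.9 on Linux,0000000000000000000000000000000000000000,192.0.2.10:9001,1.01000000000,500,101,vulnerable
Tor 0.2.8.9 on OpenBSD,1111111111111111111111111111111111111111,198.51.100.7:9001,1.00000000000,500,500,notvulnerable
"""


def report(text: str = SAMPLE_CSV) -> List[str]:
    """One line per suspect: a non-Linux relay the window rule calls vulnerable."""
    rows = parse_results(text)
    bad = recheck_verdicts(rows)
    if bad:
        raise ValueError(f"{len(bad)} row(s) disagree with the window rule")
    return [f"{r.os_name:8} {r.address:22} {r.chacks:4d} ChACKs "
            f"({r.chacks_per_second:.0f}/s) {r.fingerprint}"
            for r in non_linux_hits(rows)]


if __name__ == "__main__":
    print("\n".join(report()))
```

This reproduces only the count-window heuristic, so it can tell you which non-Linux hits to go and rescan, not whether they are real. The timing-inference step David proposes in the paper's method (checking whether spoofed probes to the target reduce the challenge ACKs the scanner's own legitimate connection gets back, which is what a shared global counter implies) needs live packets and is not modelled here.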