[tor-relays] Network scan results for CVE-2016-5696 / RFC5961

teor teor2345 at gmail.com
Fri Dec 9 05:36:34 UTC 2016


> On 9 Dec. 2016, at 16:31, Ivan Markin <twim at riseup.net> wrote:
> 
> Hi tor-relays@,
> 
> Getting back with more results on this.
> I've implemented a CVE-2016-5696 scanner in Go [1] and scanned the Tor
> network several times [2].
> The first results I got using a technique similar to David's (sending 500
> RSTs in one burst); the second ones were got via another method (send 111
> RSTs in a burst and then 111 RSTs 1 second later*).
> 
> Current statistics:
> 32% of Linux relays are vulnerable. That is 23% of Tor network.
> 
> --
> 
> Now some magic! Those 3 NetBSD relays from before still behave like they
> are vulnerable Linuxes (as they did in David's scanner, and two of mine):
> 
> $ cat grill-tor-2016-12-09 | grep -v Linux | grep vulnerable
> 78.47.45.36:9001,3F5440FF003DFF8A12AA308CFD4087FBC157ABE0,Tor 0.2.8.9 on
> NetBSD,200,1.847787ms,1.834238ms,vulnerable
> 86.62.117.171:63500,508004552343E5374B6570C76E9239AA23310684,Tor
> 0.2.5.10 on NetBSD,200,1.999138ms,1.839057ms,vulnerable
> 139.18.25.35:9001,8806C3E6FA42B07113F3A1553DE70C0A30101201,Tor 0.2.8.9
> on NetBSD,200,3.936046ms,3.777501ms,vulnerable
> 
> Yes, nmap -O reports them to be NetBSD hosts.
> 
> Actually I don't know what's going on here. Thoughts:
> * relays are behind vulnerable Linux middleboxes
> * RFC 5961 got implemented partly in NetBSD and it is actually vulnerable
> * ???
> 
> Okay then. I've brought up a NetBSD 7.0.2 VM and scanned it locally. 0
> challenge ACKs. Fine. I've put it under vulnerable Linux DNAT and it was
> 'kinda' vulnerable (some small random amount of ChACKs). Probably I did
> something wrong here.
> I headed out and scanned netbsd.org (self-hosted?) and it's vulnerable also.
> 
> I've lurked through NetBSD's src code and found some bits of RFC5961.
> But I was unable to see anything offensive.
> 
> If someone has some insight on this dark magic, that would be awesome!
> 
> ---
> 
> Thanks for bringing up the diversity issue in light of this CVE, Alex!
> Just to make everyone feel sad today:
> 
> $ cat grill-tor-2016-12-09 | grep -v offline | grep Linux | wc -l
>    6435
> $ cat grill-tor-2016-12-09 | grep -v offline | grep -v Linux | wc -l
>     550
> 
> Sadly, Linuxes are typical ~2σ of the network. ;(
> Please run more different (e.g. BSD) relays!
> 
> [*] I think it should be more accurate.
> [1] https://github.com/nogoegst/grill
> [2] https://gist.github.com/nogoegst/d2de330b794b47158b4cfbed0987b4de

Hi Ivan,

Thanks for doing this work, and the reminder to upgrade (or install a
non-Linux OS).

For Tor client path selection, it is typically the vulnerable consensus
weight that matters, not the number of relays.
(Except in the case of HSDirs, where the hash ring is unweighted.)

Have you looked at the vulnerable consensus weight proportion?

T

-- 
Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
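To illustrate the point about weighting, here is an added example (not code from the thread, grill, or Tor) that takes scan rows in the CSV layout grill prints, joins them with a constructed fingerprint-to-consensus-weight table, and reports the vulnerable share three ways: by relay count, by consensus weight, and by unweighted HSDir count. The fingerprints, addresses, weights, HSDir flags and the non-vulnerable verdict strings are all made up for the example.

```python
import csv

# Constructed sample rows in the layout grill prints (see the quoted output):
# addr:port,fingerprint,platform,status,rtt1,rtt2,verdict
# Only the "vulnerable" and "offline" verdict strings are taken from the thread.
GRILL_OUTPUT = [
    "10.0.0.1:9001,F001,Tor 0.2.8.9 on Linux,200,1.1ms,1.0ms,vulnerable",
    "10.0.0.2:9001,F002,Tor 0.2.8.9 on Linux,200,1.2ms,1.1ms,not-vulnerable",
    "10.0.0.3:9001,F003,Tor 0.2.9.5 on Linux,200,0.9ms,0.9ms,vulnerable",
    "10.0.0.4:443,F004,Tor 0.2.8.9 on FreeBSD,200,2.0ms,1.9ms,not-vulnerable",
    "10.0.0.5:9001,F005,Tor 0.2.8.9 on NetBSD,200,1.8ms,1.8ms,vulnerable",
    "10.0.0.6:9001,F006,,0,0s,0s,offline",
]

# Constructed consensus data: fingerprint -> (consensus weight, has HSDir flag).
# In a real run these would be read from the network-status consensus.
CONSENSUS = {
    "F001": (20000, True),
    "F002": (1000, True),
    "F003": (500, False),
    "F004": (3000, True),
    "F005": (500, False),
    "F006": (100, True),
}


def parse_grill(lines):
    """Yield (fingerprint, platform, verdict) for relays that answered the scan."""
    for row in csv.reader(lines):
        _addr, fingerprint, platform, _status, _rtt1, _rtt2, verdict = row
        if verdict == "offline":  # mirrors the `grep -v offline` in the thread
            continue
        yield fingerprint, platform, verdict


def vulnerable_share(lines, consensus):
    """Return (share by relay count, share by consensus weight, share of HSDirs)."""
    relays = vuln_relays = weight = vuln_weight = hsdirs = vuln_hsdirs = 0
    for fingerprint, _platform, verdict in parse_grill(lines):
        if fingerprint not in consensus:  # scanned relay missing from the consensus
            continue
        w, is_hsdir = consensus[fingerprint]
        vulnerable = verdict == "vulnerable"
        relays, weight, hsdirs = relays + 1, weight + w, hsdirs + is_hsdir
        if vulnerable:
            vuln_relays, vuln_weight = vuln_relays + 1, vuln_weight + w
            vuln_hsdirs += is_hsdir
    # HSDir selection is unweighted, so the HSDir share is a plain count ratio.
    return (vuln_relays / relays, vuln_weight / weight,
            vuln_hsdirs / hsdirs if hsdirs else 0.0)


if __name__ == "__main__":
    by_count, by_weight, by_hsdir = vulnerable_share(GRILL_OUTPUT, CONSENSUS)
    print(f"by relay count: {by_count:.0%}, by consensus weight: {by_weight:.0%}, "
          f"of HSDirs: {by_hsdir:.0%}")
```

With the constructed numbers the count share is 60% but the weight share is 84%, which is why the weighted figure is the one that matters for client path selection.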