[tor-relays] Network scan results for CVE-2016-5696 / RFC5961

dawuud dawuud at riseup.net
Fri Dec 9 07:12:14 UTC 2016


Hi Ivan and tor-relay operators,


The Golang rewrite of the scanner is cool!

btw I'm surprised you wrote https://github.com/nogoegst/rough/blob/master/tcp.go
instead of using https://github.com/google/gopacket

Maybe you could also implement my Tor guard discovery
attack that uses this vulnerability?

I've been asked to write a proof of concept but I don't feel motivated to do so.
Also, there are some doubts about whether this guard discovery attack would be
feasible on the real Tor network... though we could probably make it work in a test network.

Now that such a small percentage of the Tor network is vulnerable it's probably safe/responsible
for me to post my theoretic Tor guard discovery attack, right?


Sincerely,

David

On Fri, Dec 09, 2016 at 05:31:00AM +0000, Ivan Markin wrote:
> Hi tor-relays@,
> 
> Getting back with more results on this.
> I've implemented CVE-2016-5696 scanner in Go [1] and scanned the Tor
> network several times [2].
> The first results I got using a technique similar to David's (sending 500
> RSTs in one burst); the second ones I got via another method (sending 111
> RSTs in a burst and then 111 RSTs 1 second later*).
> 
> Current statistics:
> 32% of Linux relays are vulnerable. That is 23% of Tor network.
> 
> --
> 
> Now some magic! Those 3 NetBSD relays from before still behave like they
> are vulnerable Linuxes (as they did in David's scanner, and two of mine):
> 
> $ cat grill-tor-2016-12-09 | grep -v Linux | grep vulnerable
> 78.47.45.36:9001,3F5440FF003DFF8A12AA308CFD4087FBC157ABE0,Tor 0.2.8.9 on NetBSD,200,1.847787ms,1.834238ms,vulnerable
> 86.62.117.171:63500,508004552343E5374B6570C76E9239AA23310684,Tor 0.2.5.10 on NetBSD,200,1.999138ms,1.839057ms,vulnerable
> 139.18.25.35:9001,8806C3E6FA42B07113F3A1553DE70C0A30101201,Tor 0.2.8.9 on NetBSD,200,3.936046ms,3.777501ms,vulnerable
> 
> Yes, nmap -O reports them to be NetBSD hosts.
> 
> Actually I don't know what's going on here. Thoughts:
>  * relays are behind vulnerable Linux middleboxes
>  * RFC 5961 got implemented partly in NetBSD and it is actually vulnerable
>  * ???
> 
> Okay then. I've brought up NetBSD 7.0.2 VM and scanned it locally. 0
> challenge ACKs. Fine. I've put it under vulnerable Linux DNAT and it was
> 'kinda' vulnerable (some small random amount of ChACKs). Probably I did
> something wrong here.
> I headed out and scanned netbsd.org (self-hosted?) and it's vulnerable also.
> 
> I've lurked through NetBSD's src code and found some bits of RFC5961.
> But I was unable to see anything offensive.
> 
> If someone has some insight on this dark magic, that would be awesome!
> 
> ---
> 
> Thanks for bringing up the diversity issue in light of this CVE, Alex!
> Just to make everyone feel sad today:
> 
> $ cat grill-tor-2016-12-09 | grep -v offline | grep Linux | wc -l
>     6435
> $ cat grill-tor-2016-12-09 | grep -v offline | grep -v Linux | wc -l
>      550
> 
> Sadly, Linuxes are typical ~2σ of the network. ;(
> Please run more different (e.g. BSD) relays!
> 
> [*] I think it should be more accurate.
> [1] https://github.com/nogoegst/grill
> [2] https://gist.github.com/nogoegst/d2de330b794b47158b4cfbed0987b4de
> 
> --
> Happy life without suffering,
> Ivan Markin
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
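The statistics in Ivan's mail come from piping the grill CSV through grep and wc. The following is an added example (not grill's own code, nor anything from the thread) that parses rows in the shape quoted above and computes the same numbers more carefully: it identifies the OS from the part of the platform string after " on " rather than matching "Linux" anywhere in the row, counts only rows whose verdict is not "offline", and lists the non-Linux relays with a "vulnerable" verdict (the NetBSD anomaly). Assumptions: the three NetBSD rows are the ones pasted in the mail; every other row, the 192.0.2.0/24 addresses, the all-zero fingerprints, the "safe" verdict string and the shape of an "offline" row are constructed for the example, and the numeric and RTT columns are carried through without interpretation.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"io"
	"strings"
)

// sampleGrill is constructed input in the shape of the grill output quoted in
// the post: addr,fingerprint,platform,<field>,rtt,rtt,verdict. The three NetBSD
// rows are the ones from the mail; the rest are made up for this example.
const sampleGrill = `78.47.45.36:9001,3F5440FF003DFF8A12AA308CFD4087FBC157ABE0,Tor 0.2.8.9 on NetBSD,200,1.847787ms,1.834238ms,vulnerable
86.62.117.171:63500,508004552343E5374B6570C76E9239AA23310684,Tor 0.2.5.10 on NetBSD,200,1.999138ms,1.839057ms,vulnerable
139.18.25.35:9001,8806C3E6FA42B07113F3A1553DE70C0A30101201,Tor 0.2.8.9 on NetBSD,200,3.936046ms,3.777501ms,vulnerable
192.0.2.10:9001,0000000000000000000000000000000000000001,Tor 0.2.8.9 on Linux,200,12.1ms,11.9ms,vulnerable
192.0.2.11:443,0000000000000000000000000000000000000002,Tor 0.2.9.5-alpha on Linux,200,8.2ms,8.0ms,safe
192.0.2.12:9001,0000000000000000000000000000000000000003,Tor 0.2.8.9 on Linux,200,15.0ms,14.8ms,safe
192.0.2.13:9001,0000000000000000000000000000000000000004,Tor 0.2.8.9 on FreeBSD,200,9.9ms,9.7ms,safe
192.0.2.14:9001,0000000000000000000000000000000000000005,Tor 0.2.8.9 on Linux,0,0s,0s,offline
`

// Record keeps the fields the statistics need; the verdict is always the last column.
type Record struct {
	Addr        string
	Fingerprint string
	Platform    string // e.g. "Tor 0.2.8.9 on NetBSD"
	Verdict     string // "vulnerable", "offline", or anything else ("safe" is assumed)
}

// ParseGrill reads the CSV rows. FieldsPerRecord = -1 tolerates rows with a
// different column count (assumed possible for offline relays).
func ParseGrill(r io.Reader) ([]Record, error) {
	cr := csv.NewReader(r)
	cr.FieldsPerRecord = -1
	var out []Record
	for {
		row, err := cr.Read()
		if err == io.EOF {
			return out, nil
		}
		if err != nil {
			return nil, err
		}
		if len(row) < 4 {
			return nil, fmt.Errorf("short row: %q", row)
		}
		out = append(out, Record{Addr: row[0], Fingerprint: row[1], Platform: row[2], Verdict: row[len(row)-1]})
	}
}

// OS returns what follows the last " on " in the platform string, so the OS is
// matched on its own rather than anywhere in the row as `grep Linux` does.
func (r Record) OS() string {
	if i := strings.LastIndex(r.Platform, " on "); i >= 0 {
		return r.Platform[i+len(" on "):]
	}
	return r.Platform
}

func (r Record) IsLinux() bool    { return strings.HasPrefix(r.OS(), "Linux") }
func (r Record) Online() bool     { return r.Verdict != "offline" }
func (r Record) Vulnerable() bool { return r.Verdict == "vulnerable" }

// Stats are the counts behind "X% of Linux relays are vulnerable. That is Y% of Tor network."
type Stats struct {
	Online, Vulnerable     int
	Linux, LinuxVulnerable int
}

func Summarize(recs []Record) Stats {
	var s Stats
	for _, r := range recs {
		if !r.Online() {
			continue // offline relays were never tested, so they are left out of every total
		}
		s.Online++
		if r.Vulnerable() {
			s.Vulnerable++
		}
		if r.IsLinux() {
			s.Linux++
			if r.Vulnerable() {
				s.LinuxVulnerable++
			}
		}
	}
	return s
}

func pct(n, d int) float64 {
	if d == 0 {
		return 0
	}
	return 100 * float64(n) / float64(d)
}

func (s Stats) LinuxVulnerablePct() float64   { return pct(s.LinuxVulnerable, s.Linux) }
func (s Stats) NetworkVulnerablePct() float64 { return pct(s.Vulnerable, s.Online) }
func (s Stats) LinuxSharePct() float64        { return pct(s.Linux, s.Online) }

// NonLinuxVulnerable returns the rows that deserve a second look: a "vulnerable"
// verdict on a platform that is not Linux, like the three NetBSD relays in the mail.
func NonLinuxVulnerable(recs []Record) []Record {
	var odd []Record
	for _, r := range recs {
		if r.Online() && r.Vulnerable() && !r.IsLinux() {
			odd = append(odd, r)
		}
	}
	return odd
}

func main() {
	recs, err := ParseGrill(strings.NewReader(sampleGrill))
	if err != nil {
		panic(err)
	}
	s := Summarize(recs)
	fmt.Printf("%.0f%% of Linux relays are vulnerable. That is %.0f%% of the scanned network (Linux share %.0f%%).\n",
		s.LinuxVulnerablePct(), s.NetworkVulnerablePct(), s.LinuxSharePct())
	for _, r := range NonLinuxVulnerable(recs) {
		fmt.Printf("non-Linux relay flagged vulnerable: %s (%s)\n", r.Addr, r.OS())
	}
}
```

Run with `go run` against a real grill file by swapping the embedded sample for `os.Stdin`; the verdict strings other than "vulnerable" and "offline" should be checked against the actual output first, since the example only assumes "safe".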