[tor-relays] network scan results for CVE-2016-5696 / rfc 5961

Ivan Markin twim at riseup.net
Thu Nov 17 19:46:00 UTC 2016


Hi David,

Thanks for your work!

dawuud:
> I added the scan output to the repo, this includes the output csv file
> and a list of vulnerable relays:
> 
> https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/probe_out.csv
> https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/vulnerable_tor_relays

FYI, I produced results with platform strings and fingerprints based on
this data [1].

It's pretty interesting that not only Linux relays are
'vulnerable' (90 < ChACKs < 220) in David's scan:
% cat combined_results.csv | grep -v notvulnerable | grep -v Linux | grep Tor

Tor 0.2.8.9 on NetBSD,3F5440FF003DFF8A12AA308CFD4087FBC157ABE0,78.47.45.36:9001,1.08132791519,500,142,vulnerable
Tor 0.2.5.10 on NetBSD,508004552343E5374B6570C76E9239AA23310684,86.62.117.171:63500,1.00646305084,500,103,vulnerable
Tor 0.2.8.9 on NetBSD,8806C3E6FA42B07113F3A1553DE70C0A30101201,139.18.25.35:9001,1.02995896339,500,113,vulnerable
Tor 0.2.7.6 on FreeBSD,9C5461498004325F87C0685BDA5DA99AC5335314,62.194.144.196:9001,1.06730103493,500,211,vulnerable
Tor 0.2.8.9 on FreeBSD,BCFE548EA3FF8A0B3610779C238350124A8ED6DE,207.172.209.83:9001,1.06568193436,500,214,vulnerable
Tor 0.2.7.6 on NetBSD,F88C4D522EE7BD8B18B6C6418B8548E6E6BC74E9,195.43.138.226:9001,0.994502782822,500,100,vulnerable

After I rescanned these relays myself several times, the FreeBSD ones
stopped being 'vulnerable' while the NetBSD ones somehow still reproduce
the 'vulnerable' Linux status.

I don't know why this happens; maybe someone can scan these relays
(or maybe all NetBSD ones, due to TCP stack specifics) themselves and get
different results. Anyway, these are just curious false positives.

[1] https://github.com/nogoegst/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/combined_results.csv

--
Ivan Markin
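An added example, not part of this thread or of David's scanner: a small Python script that parses rows in the combined_results.csv layout quoted above, applies the 90 < ChACKs < 220 window, reproduces the "flagged but not Linux" filter from the grep pipeline, and lists relays whose verdict changed between two scans (the rescan behaviour described above). The meaning of the 4th and 5th columns is an assumption, and the sample rows (placeholder fingerprints, documentation addresses) are constructed.

```python
import csv
from io import StringIO

# Challenge-ACK count window that the scan above labels 'vulnerable'.
CHACK_LOW, CHACK_HIGH = 90, 220

def classify(chacks):
    """Verdict from the challenge-ACK count, using the window quoted above."""
    return "vulnerable" if CHACK_LOW < chacks < CHACK_HIGH else "notvulnerable"

def parse_results(text):
    """Parse rows: platform,fingerprint,ip:port,elapsed,probes,chacks,verdict.
    Only platform, fingerprint, address, chacks and verdict are taken from the
    list; the 'elapsed' and 'probes' column names are assumptions."""
    rows = []
    for rec in csv.reader(StringIO(text.strip())):
        if len(rec) != 7:
            continue  # skip blank or malformed lines
        platform, fp, addr, _elapsed, _probes, chacks, verdict = rec
        os_name = platform.split(" on ", 1)[1] if " on " in platform else "unknown"
        rows.append({"os": os_name, "fp": fp, "addr": addr,
                     "chacks": int(chacks), "verdict": verdict})
    return rows

def non_linux_flagged(rows):
    """Same filter as the grep pipeline: flagged relays that are not Linux."""
    return [r for r in rows if r["verdict"] == "vulnerable" and r["os"] != "Linux"]

def verdict_mismatches(rows):
    """Rows whose recorded verdict disagrees with the count window."""
    return [r for r in rows if classify(r["chacks"]) != r["verdict"]]

def flipped_between(first, second):
    """Fingerprints whose verdict changed between two scans (e.g. a rescan)."""
    before = {r["fp"]: r["verdict"] for r in first}
    return sorted(r["fp"] for r in second
                  if r["fp"] in before and before[r["fp"]] != r["verdict"])

# Constructed sample rows (placeholder fingerprints, documentation addresses).
SCAN_1 = """\
Tor 0.2.8.9 on NetBSD,PLACEHOLDER_FP_A,192.0.2.10:9001,1.08,500,142,vulnerable
Tor 0.2.7.6 on FreeBSD,PLACEHOLDER_FP_B,192.0.2.11:9001,1.07,500,211,vulnerable
Tor 0.2.8.9 on Linux,PLACEHOLDER_FP_C,192.0.2.12:9001,1.01,500,150,vulnerable
Tor 0.2.8.9 on Linux,PLACEHOLDER_FP_D,192.0.2.13:9001,0.99,500,500,notvulnerable
"""
SCAN_2 = """\
Tor 0.2.8.9 on NetBSD,PLACEHOLDER_FP_A,192.0.2.10:9001,1.05,500,131,vulnerable
Tor 0.2.7.6 on FreeBSD,PLACEHOLDER_FP_B,192.0.2.11:9001,1.02,500,500,notvulnerable
"""

if __name__ == "__main__":
    r1, r2 = parse_results(SCAN_1), parse_results(SCAN_2)
    print([r["addr"] for r in non_linux_flagged(r1)], flipped_between(r1, r2))
```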
