Attacking the Tor Control Port with Java

Gregory Fleischer (Lists) gfleischer.lists at gmail.com
Wed Oct 10 05:59:56 UTC 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 3 October 2007, Sun announced several critical security updates for
the Java Runtime Environment at [1].  In particular, [2] describes how
network access restrictions can be circumvented to connect to
arbitrary hosts by utilizing DNS rebinding.  The paper at [3]
summarizes some of the current research into the issues of DNS
rebinding.

Java exposes a programmatic sockets interface, and a malicious applet
can construct properly formed control port commands.  If the control
port is enabled with the NULL authentication and accessible to the web
browser, the malicious applet can authenticate and send arbitrary
commands.

To summarize, Tor users with the following conditions may be at risk:
   - vulnerable version of Java enabled in web browser
   - control port enabled with NULL authentication and accessible

Use of proxy switching browser add-ons (e.g., Torbutton, FoxyProxy)
may increase this risk if the Java Virtual Machine can perform
arbitrary DNS resolution through the native operating system resolver.

Possible workarounds:
   - disable Tor control port
   - if control port is required, use 'HashedControlPassword' option
   - disable Java in the web browser and/or uninstall from OS
   - if Java is required, consider a virtual machine solution such as
     JanusVM [4] or firewalled environment that only allows DNS
     requests through web browser

The latest Java downloads are available at [5] or from your operating
system vendor (or not, depending on how differently you think).

Additional details and demonstration code at [6].

[1] - http://blogs.sun.com/security/
[2] - http://sunsolve.sun.com/search/document.do?assetkey=1-26-103078-1
[3] - http://crypto.stanford.edu/dns/
[4] - http://janusvm.peertech.org/
[5] - http://java.com/ or http://java.sun.com/javase/downloads/
[6] - http://pseudo-flaw.net/tor/attacking-tor-control-port-with-java/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)

iD8DBQFHDGpcWbVJrJm/lrsRArg1AKCtzvSnefOSg6c0D9HLpbe9n6+yKACgqFAF
Nu38uPhfyAw5vRVdpG3fRuA=
=C//u
-----END PGP SIGNATURE-----
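
An added example, not part of the original message or of Tor itself: a small torrc audit that reports whether the control port is enabled with NULL authentication, the risk condition the advisory describes. The sample torrc text and the placeholder hash are constructed; CookieAuthentication is a real Tor option that the message does not mention, and counting it as authentication is an assumption of this sketch.

```python
# Added example: flag a torrc whose control port is reachable without authentication.
# Assumption: only the torrc text is inspected, not command-line overrides or defaults files.

def parse_torrc(text):
    """Return {lowercased option: [values]}; torrc option names are case-insensitive."""
    options = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        options.setdefault(parts[0].lower(), []).append(value)
    return options

def audit_control_port(text):
    """Classify the control port as 'disabled', 'authenticated' or 'null-auth'."""
    opts = parse_torrc(text)
    # "ControlPort 0" (or no ControlPort line at all) means the port is off.
    ports = [v for v in opts.get("controlport", []) if v and v != "0"]
    if not ports:
        return {"status": "disabled", "ports": [], "auth": []}
    auth = []
    if any(opts.get("hashedcontrolpassword", [])):
        auth.append("HashedControlPassword")
    if opts.get("cookieauthentication", [""])[-1] == "1":
        auth.append("CookieAuthentication")
    # A loopback-only listener is still reported: the advisory's condition is a
    # port "accessible to the web browser", which includes the local machine.
    return {"status": "authenticated" if auth else "null-auth",
            "ports": ports, "auth": auth}

# Constructed sample configurations (not taken from any real system).
SAMPLE_NULL_AUTH = "SocksPort 9050\nControlPort 9051\n"
SAMPLE_HASHED = ("ControlPort 9051\n"
                 "HashedControlPassword 16:PLACEHOLDER_HASH  # constructed value\n")
SAMPLE_DISABLED = "SocksPort 9050\n# ControlPort 9051\ncontrolport 0\n"
SAMPLE_COOKIE = "ControlPort 127.0.0.1:9051\nCookieAuthentication 1\n"

if __name__ == "__main__":
    for name, cfg in [("null-auth", SAMPLE_NULL_AUTH), ("hashed", SAMPLE_HASHED),
                      ("disabled", SAMPLE_DISABLED), ("cookie", SAMPLE_COOKIE)]:
        print(name, audit_control_port(cfg))
```

A "null-auth" result is the configuration to fix with one of the workarounds listed in the message.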


