How are hackers breaking Tor and trojan users?

Robert Hogan robert at roberthogan.net
Wed Jun 11 18:48:42 UTC 2008


On Wednesday 11 June 2008 06:17:38 Roger Dingledine wrote:
<snip>
>
> He may also be referring to attacks where a local application (like the
> browser, but it doesn't have to be) can be tricked into connecting to
> your local Tor control port, like Kyle's attack from last year:
> http://archives.seul.org/or/announce/Sep-2007/msg00000.html
> This was a great attack, but I think the latest versions of Torbutton
> and Vidalia make it a non-issue going forward. I would love to hear if
> you think otherwise.
>

On a default Tor installation from source, i.e. with no authentication mechanism
enabled, it is still possible to successfully send commands to the control port
if the 'authenticate' command is not preceded by any garbage.

If someone were to develop a browser-based exploit that managed to get 
the 'authenticate', with no preceding bytes, to the controlport then they're in. 
I believe this is extremely difficult to do, and if such an attack was the 
subject of arrakis' and kyle's paper they would have much bigger fish to fry 
than just Tor.

One way of preventing such an attack, however unlikely, would be to mandate a 
conversation such as:

robert at darkstar:~$ telnet localhost 9051
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Challenge is: 0a5f37d2edd284cb
0a5f37d2edd284cb
250 OK
authenticate
250 OK

In the above sequence the controller has had to inspect the challenge and parrot
it back in order to be allowed to issue an authenticate command.

As far as I'm aware this would defeat an HTML-form based attack of the sort
released last year, since such attacks cannot process feedback from the port
they're attacking.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20080611/5f9ffa33/attachment.pgp>
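The challenge preamble proposed in the message above, modelled as an added example (this is constructed illustration code, not Tor's control-port implementation and not code from the poster). It places a toy model of the behaviour the post describes (an open port that accepts 'authenticate' only when nothing precedes it) beside the proposed challenge-gated port, then drives both with two kinds of client: an interactive controller that can read the greeting and echo the nonce, and a blind client whose bytes are fixed before the connection opens, which is the property of a browser-submitted form the post relies on. Class and function names, the 514 reply text and the sample commands are assumptions made for the example; the challenge value is the one from the post's transcript.

```python
import secrets

# Constructed example (not Tor's code): two toy control-port state machines.
# Reply codes loosely follow Tor's 250/5xx style; the 514 wording is an
# assumption for illustration only.


class LegacyOpenControlPort:
    """Model of the behaviour described in the post: no authentication
    configured, so 'authenticate' succeeds as long as nothing precedes it."""

    def __init__(self):
        self.authenticated = False
        self.closed = False

    def greeting(self):
        return ""  # the port is silent until the client speaks

    def feed(self, line):
        if self.closed:
            return None
        if not self.authenticated:
            if line.strip().lower() == "authenticate":
                self.authenticated = True
                return "250 OK"
            self.closed = True  # any leading garbage ends the session
            return "514 Authentication required"
        return "250 OK"


class ChallengeGatedControlPort:
    """Proposed preamble: the server speaks first, and the client must echo
    the nonce before 'authenticate' is even considered."""

    def __init__(self, challenge=None):
        # 16 hex chars, the same shape as the post's '0a5f37d2edd284cb'
        self.challenge = challenge or secrets.token_hex(8)
        self.echoed = False
        self.authenticated = False
        self.closed = False

    def greeting(self):
        return f"Challenge is: {self.challenge}"

    def feed(self, line):
        if self.closed:
            return None
        line = line.strip()
        if not self.echoed:
            if line == self.challenge:
                self.echoed = True
                return "250 OK"
            self.closed = True  # e.g. an HTTP request line: close immediately
            return "514 Challenge not echoed; closing"
        if not self.authenticated:
            if line.lower() == "authenticate":
                self.authenticated = True
                return "250 OK"
            self.closed = True
            return "514 Authentication required; closing"
        return "250 OK"


def run_session(port, client):
    """Drive one connection. `client` takes the server's greeting and returns
    the lines it will send; a blind client simply ignores the greeting."""
    greeting = port.greeting()
    exchange = []
    for line in client(greeting):
        reply = port.feed(line)
        if reply is None:  # server closed the connection
            break
        exchange.append((line, reply))
    return {"exchange": exchange, "authenticated": port.authenticated}


def interactive_controller(greeting):
    # A real controller reads the greeting and parrots the nonce back.
    nonce = greeting.split(": ", 1)[1] if greeting else ""
    return ([nonce] if nonce else []) + ["authenticate", "getinfo version"]


def blind_form_post(_greeting):
    # Constructed stand-in for a browser-submitted form: the bytes are fixed
    # in advance, so the request line and headers arrive before anything else.
    return ["POST / HTTP/1.1", "Host: 127.0.0.1:9051", "", "authenticate", "getinfo version"]


def blind_exact_bytes(_greeting):
    # The hard case the post mentions: 'authenticate' arrives as the very first
    # line, but the sender still cannot read what the port says.
    return ["authenticate", "getinfo version"]


if __name__ == "__main__":
    for port_cls in (LegacyOpenControlPort, ChallengeGatedControlPort):
        for client in (interactive_controller, blind_form_post, blind_exact_bytes):
            result = run_session(port_cls(), client)
            print(port_cls.__name__, client.__name__, result["authenticated"])
```

The contrast the model makes visible: on the legacy port the only thing standing between a blind sender and a session is whether its first line happens to be 'authenticate', whereas the gated port requires the client to read before it writes, which a fixed-in-advance form submission cannot do.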