[tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turned on by default

TT Security tortestprivacy at ro.ru
Tue Jan 21 21:43:48 UTC 2014



> On 21 January 2014 at 10:13:54, Mike Cardwell (tor at lists.grepular.com) wrote:
> 
> If you can use XMLHttpRequest to perform a request against a machine
> on your LAN that isn't using CORS, and then read the response, then
> there is a bug, and you will get a healthily sized cheque from Google
> or Mozilla for reporting it to them. If you can't read the response
> then there isn't a bug. What you're seeing is: how the web works.
 
Hi ALL,

First of all, I would say I am a practitioner in the matter of testing.

What we have:
1. OS: Windows (I think all others can be included)
2. App: Tor Browser Bundle 3.5 (Firefox 24.2.0 in it) with default settings
3. Some WWW web-site (not local file:// scheme); it can be ANY other web-site that you visit by Tor
4. This web-site can access LAN resources by sending a query to http://127.0.0.1:port and GET THE ANSWER from the application that listens on that port! No matter whether it listens on 127.0.0.1 or 0.0.0.0 (ALL interfaces). With some conditions:

a. Application is set to accept connections from the loopback interface (127.0.0.1) by system firewall rules. For some firewalls there is no necessity to have allowing rules for that. And any application can LISTEN on 127.0.0.1 without any alerts from the system firewall. This is really a potential hole!

b. Application decides whether to answer that query or not. If it is a standard web-server it can reject these queries by examining the Origin header. If the application doesn't pay attention to the HTTP headers it will answer the query. This can reduce the degree of the problem but doesn't exclude it at all. For example it can be a very hidden malware that is not detected by antivirus, and it will be able to invisibly communicate with its "second part" when you visit some web-sites because it doesn't need allowing rules in the system firewall. Unbelievable scenario? :) but it can be! You can test such a scenario manually: just create a simple app that listens on 127.0.0.1:7777 or any other port above 1024, accepts connections and makes a simple answer; you will see this answer on http://tortestprivacy.url.ph/ when you scan port 7777.

I think it is better and simpler to prohibit access to LAN resources by turning on ABE of the NoScript Add-ON by default.

It's worth saying that if you set the rules in your system firewall for Tor's Firefox to allow queries only for ports 9150 and 9151 (default settings) this will also close the hole. But if we need Tor's Firefox connections to the loopback interface by default, very often people open ALL ports of the loopback interface, not only the necessary ports.

--
Regards,
TT Security

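The mitigation from point (b) of the post above, as an added example that is not code from the thread: a local service bound to 127.0.0.1 that examines the Origin (and Host) headers and refuses to answer a query that a page on an unrelated web-site has caused the browser to send. The port 7777, the allow-lists and the function names are assumptions for the example.

```python
"""Added example (not from the thread): a local service on 127.0.0.1 that
answers only requests whose Origin and Host headers it trusts. The port,
allow-lists and names are assumptions made for this example."""
import http.server
import socketserver

# Assumed allow-lists: only pages served by this service itself may call it.
ALLOWED_ORIGINS = {"http://127.0.0.1:7777", "http://localhost:7777"}
ALLOWED_HOSTS = {"127.0.0.1:7777", "localhost:7777"}


def request_is_allowed(headers: dict) -> bool:
    """Return True only for requests a local service should answer.

    - Host must name this service; a foreign Host means the request was
      addressed to some other name (e.g. via DNS rebinding) and is refused.
    - A browser adds an Origin header to cross-site XHR/fetch requests; if
      it is present and not on the allow-list, the request was triggered by
      an unrelated web page, so the service returns no data at all.
    - Requests with no Origin (curl, the service's own pages) are accepted.
    Note: a non-browser client can forge these headers; this check only
    stops web pages running in a browser from using the service.
    """
    normalized = {k.lower(): v for k, v in headers.items()}
    if normalized.get("host") not in ALLOWED_HOSTS:
        return False
    origin = normalized.get("origin")
    return origin is None or origin in ALLOWED_ORIGINS


class GuardedHandler(http.server.BaseHTTPRequestHandler):
    """Serves a reply only when request_is_allowed passes; no CORS headers
    are ever sent, so a foreign page never gets a readable answer."""

    def do_GET(self):
        if not request_is_allowed(dict(self.headers.items())):
            self.send_error(403, "cross-origin request refused")
            return
        body = b"hello from the local service\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    with socketserver.TCPServer(("127.0.0.1", 7777), GuardedHandler) as srv:
        srv.serve_forever()  # serves only loopback callers that pass the check
```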