[tbb-bugs] #16813 [Tor Browser]: Tor Browser + nscd leaks Tor DNS to System Cache to System DNS Servers
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Aug 14 10:40:06 UTC 2015
#16813: Tor Browser + nscd leaks Tor DNS to System Cache to System DNS Servers
-----------------------------+----------------------
Reporter: teor | Owner: tbb-team
Type: defect | Status: new
Priority: normal | Milestone:
Component: Tor Browser | Version:
Resolution: | Keywords:
Actual Points: | Parent ID:
Points: |
-----------------------------+----------------------
Old description:
> From IRC #tor
>
> nettezzz
> hello
> I would like to share with you one interesting findings that I did
> recently and that is big security flaw related to using the tor
> simply said, a lot of distributions use by default enabled nscd and nscd
> leaks the cached data to the system wide nameserver by refreshing its
> cache entries, eg:
> you have your browser configured to use SOCKS proxy including DNS
> requests going through .. these dns replies ends up in nscd and nscd
> periodically refreshes the entries by asking system-wide set nameservers
> so maybe the solution would be that TOR also check if nscd is running and
> on information level notices user that this might happen
> howto reproduce it: enable nscd (if not enabled) and from terminal with
> root'
> s shell do `tcpdump -i $your_lan_iface port 53' ... you'll see
> periodically that your "tor browsed" sites leaks via DNS requests to your
> "normal" DNS
> I hope that this information will be useful for somebody
> whitanne_
> nettezzz: is this for the latest version of tor?
> nettezzz
> it's for all versions of tor
> whitanne_: probably a lot of linux users are not affected, but at least
> some major distros have enabled nscd by default - at least we in opensuse
> also in nscd manpage is not this "feature" documented
> Joost
> nettezzz: it appears people have noticed this in the past:
> https://tor.stackexchange.com/questions/4350/tor-dns-cached
> nettezzz
> indeed
> so I re-inveneted wheel :)
> Joost: I didn't find it even according to the tor ... I was seting up
> somewhere some SOCKS proxy and found it ... later on reproduced it with
> tor browser
> Joost
> it's mentioned in some places, I see now..
> https://www.reddit.com/r/TOR/comments/1jegou/tor_and_dns_leaks/cbebnin
> nettezzz
> indeed sorry for alarming ppl then ... I thought I've discovered an
> americas
> Joost
> but imo it's odd, since it seems like quite a leak
> nettezzz: don't be sorry! it appears that there is very little awareness
> of this
> nettezzz
> but anyhow, it happens still these days whilst the solution is probably
> rather simple 1) put this explicitely as a mention somewhere to tor
> browser, 2) adding a check tfor nscd to tor browser verification checks
> whitanne_
> nettezzz: maybe you could file a bug report or something
> nettezzz
> to be honest, I don't use tor and I don't even have a account to tor
> bugzilla ... so please fill bug for tor and I'm going to fill bug to our
> opensuse bugzilla that this is undocumented and probably insecure to have
> it by default enabled
> I simply reproduced this with latest tor browser because it was obvious
> that any other SOCKS proxy solution forwarding dns queries via proxy will
> be affected
New description:
From IRC #tor
nettezzz
hello
I would like to share with you one interesting findings that I did
recently and that is big security flaw related to using the tor
simply said, a lot of distributions use by default enabled nscd and nscd
leaks the cached data to the system wide nameserver by refreshing its
cache entries, eg:
you have your browser configured to use SOCKS proxy including DNS requests
going through .. these dns replies ends up in nscd and nscd periodically
refreshes the entries by asking system-wide set nameservers
so maybe the solution would be that TOR also check if nscd is running and
on information level notices user that this might happen
howto reproduce it: enable nscd (if not enabled) and from terminal with
root'
s shell do `tcpdump -i $your_lan_iface port 53' ... you'll see
periodically that your "tor browsed" sites leaks via DNS requests to your
"normal" DNS
I hope that this information will be useful for somebody
whitanne_
nettezzz: is this for the latest version of tor?
nettezzz
it's for all versions of tor
whitanne_: probably a lot of linux users are not affected, but at least
some major distros have enabled nscd by default - at least we in opensuse
also in nscd manpage is not this "feature" documented
Joost
nettezzz: it appears people have noticed this in the past:
https://tor.stackexchange.com/questions/4350/tor-dns-cached
nettezzz
indeed
so I re-inveneted wheel :)
Joost: I didn't find it even according to the tor ... I was seting up
somewhere some SOCKS proxy and found it ... later on reproduced it with
tor browser
Joost
it's mentioned in some places, I see now..
https://www.reddit.com/r/TOR/comments/1jegou/tor_and_dns_leaks/cbebnin
nettezzz
indeed sorry for alarming ppl then ... I thought I've discovered an
americas
Joost
but imo it's odd, since it seems like quite a leak
nettezzz: don't be sorry! it appears that there is very little awareness
of this
nettezzz
but anyhow, it happens still these days whilst the solution is probably
rather simple 1) put this explicitely as a mention somewhere to tor
browser, 2) adding a check tfor nscd to tor browser verification checks
whitanne_
nettezzz: maybe you could file a bug report or something
nettezzz
to be honest, I don't use tor and I don't even have a account to tor
bugzilla ... so please fill bug for tor and I'm going to fill bug to our
opensuse bugzilla that this is undocumented and probably insecure to have
it by default enabled
I simply reproduced this with latest tor browser because it was obvious
that any other SOCKS proxy solution forwarding dns queries via proxy will
be affected
--
Comment (by teor):
Split each part of the conversation by newlines for readability
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16813#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list