[tor-bugs] #1859 [Tor Client]: Using 'mytorexitnode.exit' request when mytorexitnode is both exit and client
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Tue Aug 24 15:10:19 UTC 2010
#1859: Using 'mytorexitnode.exit' request when mytorexitnode is both exit and
client
------------------------+---------------------------------------------------
Reporter: mwenge | Owner:
Type: defect | Status: needs_review
Priority: normal | Milestone:
Component: Tor Client | Version: Tor: 0.2.2.12-alpha
Keywords: | Parent:
------------------------+---------------------------------------------------
Comment(by tractor):
Routerinfo_t returned by router_get_by_nickname() while it's not a part of
routerlist have been just a bug on the fact.
For an attack will use the conditions under which this pseudo-element list
is returned
at:
{{{
if (server_mode(get_options()) &&
!strcasecmp(nickname, get_options()->Nickname))
return router_get_my_routerinfo();
}}}
combining a role of client and an exit relay allows an attacker to
identify a relay that victim used as OP.
The most simple scenario of such a case includes:
relay (0.2.1.x or 0.2.2.x with allowed dotexit) used as a client,
nickname of relay selected as (conflicts) that the auths assigns the
Unnamed flag to it.
Such client will be the only one who can use own exit relay with Unnamed
flag.
We can assume that the scenario is unlike in wild: does not affect clients
in general and a small part of relay only which are probably no one will
be used simultaneously with the OP. This is true.
But the mistake does not cease to be a mistake, an extreme edge case of
very near to those who are could be with non zero chance susceptible to
such attacks or to any a new bugs as a result of such behavior.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/1859#comment:20>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list