[tor-bugs] #13256 [Torsocks]: torsocks 1.3 possibly leaks username
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Sep 26 13:10:28 UTC 2014
#13256: torsocks 1.3 possibly leaks username
----------------------+-------------------------
Reporter: p4blog | Owner: dgoulet
Type: defect | Status: new
Priority: major | Milestone:
Component: Torsocks | Version:
Keywords: leak | Actual Points:
Parent ID: | Points:
----------------------+-------------------------
Hi!
Disclaimer:
Not sure if I should have opened this bug report since it's for an old
version and torsocks is now on 2.0, but 1.3 is the current version of
torsocks in the Ubuntu 14.04 (LTS) repositories, which means it will still
be so for some time.
Recently, while playing with torsocks, wget and wireshark, I discovered
something that looks like the name of the user running torsocks being leaked
somehow. It's always reproducible when https is not used and torsocks is
configured to use SOCKS4 (SOCKS5 unaffected). Please see the attached
screenshot for easier explanation.
Thankfully, these bytes will hardly ever leave the loopback interface
thanks to the default configuration of Tor, but in some configurations it
could be considered dangerous. Furthermore, doc/socks/socks-extensions.txt
says that usernames are ignored in SOCKS4 and SOCKS4A. Isn't it better to
send random characters then instead of the user running it?
I haven't had a deep look at the torsocks code but I think these calls are
the key:
src/socks.c: user = getpwuid(getuid());
These calls seem to have been there since the beginning of the project but
are no longer in the latest version.
If you consider this a bug, we should notify distributions. Otherwise,
if this behaviour is expected, just close this report ;)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13256>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
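
Added example (not part of the original report and not torsocks code): a C program that lays out a SOCKS4 CONNECT request and extracts the USERID field from captured bytes, the field where a wrapper calling getpwuid(getuid()) would place the account name. The function names, the address 192.0.2.10 and the name "alice" are constructed for illustration; the same parse applies to SOCKS4A, where the hostname follows the USERID terminator.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SOCKS4 CONNECT: VN=4 | CD=1 | DSTPORT(2) | DSTIP(4) | USERID... | NUL */
#define SOCKS4_HDR_LEN 8

/* Build a request; userid is sent verbatim ("" sends an empty field).
 * Returns bytes written, or 0 if buf is too small. */
size_t socks4_build_connect(uint8_t *buf, size_t cap, const uint8_t ip[4],
                            uint16_t port, const char *userid)
{
    size_t ulen = strlen(userid);
    if (cap < SOCKS4_HDR_LEN + ulen + 1)
        return 0;
    buf[0] = 4;                      /* VN */
    buf[1] = 1;                      /* CD = CONNECT */
    buf[2] = (uint8_t)(port >> 8);   /* DSTPORT, network byte order */
    buf[3] = (uint8_t)(port & 0xff);
    memcpy(buf + 4, ip, 4);          /* DSTIP */
    memcpy(buf + SOCKS4_HDR_LEN, userid, ulen + 1); /* USERID + NUL */
    return SOCKS4_HDR_LEN + ulen + 1;
}

/* Copy USERID out of captured bytes. Returns its length (0 = empty) or -1
 * if the bytes are not a well-formed SOCKS4 request or out is too small. */
int socks4_userid(const uint8_t *pkt, size_t len, char *out, size_t outcap)
{
    if (len < SOCKS4_HDR_LEN + 1 || pkt[0] != 4)
        return -1;
    const uint8_t *start = pkt + SOCKS4_HDR_LEN;
    const uint8_t *nul = memchr(start, 0, len - SOCKS4_HDR_LEN);
    if (nul == NULL || (size_t)(nul - start) + 1 > outcap)
        return -1;
    memcpy(out, start, (size_t)(nul - start) + 1);
    return (int)(nul - start);
}

int main(void)
{
    /* Constructed sample: CONNECT 192.0.2.10:80 with userid "alice". */
    const uint8_t ip[4] = {192, 0, 2, 10};
    uint8_t pkt[64];
    char uid[32];
    size_t n = socks4_build_connect(pkt, sizeof pkt, ip, 80, "alice");
    int ulen = socks4_userid(pkt, n, uid, sizeof uid);
    printf("userid length %d: \"%s\"\n", ulen, ulen >= 0 ? uid : "");
    return 0;
}
```

A non-zero length from socks4_userid on a captured request means the client put something in the field; comparing it with the local account name confirms the behaviour described in the report.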