[tor-bugs] #8976 [Tor]: rend_service_introduce() doesn't notice if the rendezvous point is on 127.0.0.1
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Mar 29 22:39:06 UTC 2016
#8976: rend_service_introduce() doesn't notice if the rendezvous point is on
127.0.0.1
---------------------------------+------------------------------------
Reporter: arma | Owner: teor
Type: defect | Status: needs_review
Priority: Medium | Milestone: Tor: 0.2.7.x-final
Component: Tor | Version: Tor: 0.2.3.21-rc
Severity: Normal | Resolution:
Keywords: tor-hs 027-backport | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor: SponsorR-must
---------------------------------+------------------------------------
Comment (by teor):
Replying to [comment:23 andrea]:
> Hmmm - seems hard to imagine what conceivable attack could use such a
rendezvous address, since if it did go as far as trying to build a circuit
to one, it would be from some relay picked by the HS Tor and not under
attacker control, and not from the HS Tor's location. Is there a
differential behavior in that case depending on whether the address is
reachable, though?
Whatever the address, the HS will build a 3 relay path to it.
Then, if it's an internal address, the HS refuses to send an extend cell.
If it's publicly routable, the HS sends an extend cell and connects as
normal.
(After this patch, if it's an internal address, the HS refuses to build a
path.)
> I was leaning toward don't-backport on this one since there didn't seem
to be any plausible exploitability; do you really think there might be
something going on, teor?
I can't imagine how this behaviour is exploitable, but it does allow an
attacker to make the HS build lots of circuits through its guard, which
are then terminated in a predictable manner by the HS.
It could simply be a bug in some tor clients.
I could go either way with a backport, I suggested one because I'd rather
be safe than sorry.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8976#comment:24>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list