[tor-relays] Network scan results for CVE-2016-5696 / RFC5961
Ivan Markin
twim at riseup.net
Fri Dec 9 05:31:00 UTC 2016
Hi tor-relays@,
Getting back with more results on this.
I've implemented a CVE-2016-5696 scanner in Go [1] and scanned the Tor
network several times [2].
The first results I got using a technique similar to David's (sending 500
RSTs in one burst); the second ones were obtained via another method (send 111
RSTs in a burst and then 111 RSTs 1 second later*).
Current statistics:
32% of Linux relays are vulnerable. That is 23% of Tor network.
--
Now some magic! Those 3 NetBSD relays from before still behave as if they
were vulnerable Linuxes (as they did in David's scanner and in both of mine):
$ cat grill-tor-2016-12-09 | grep -v Linux | grep vulnerable
78.47.45.36:9001,3F5440FF003DFF8A12AA308CFD4087FBC157ABE0,Tor 0.2.8.9 on NetBSD,200,1.847787ms,1.834238ms,vulnerable
86.62.117.171:63500,508004552343E5374B6570C76E9239AA23310684,Tor 0.2.5.10 on NetBSD,200,1.999138ms,1.839057ms,vulnerable
139.18.25.35:9001,8806C3E6FA42B07113F3A1553DE70C0A30101201,Tor 0.2.8.9 on NetBSD,200,3.936046ms,3.777501ms,vulnerable
Yes, nmap -O reports them to be NetBSD hosts.
Actually I don't know what's going on here. Thoughts:
* relays are behind vulnerable Linux middleboxes
* RFC 5961 got implemented partly in NetBSD and it is actually vulnerable
* ???
Okay then. I brought up a NetBSD 7.0.2 VM and scanned it locally: 0
challenge ACKs. Fine. I put it behind a vulnerable Linux DNAT and it was
'kinda' vulnerable (some small random number of ChACKs). Probably I did
something wrong here.
I headed out and scanned netbsd.org (self-hosted?) and it's vulnerable too.
I looked through NetBSD's source code and found some bits of RFC 5961,
but I was unable to see anything offending.
If someone has some insight into this dark magic, that would be awesome!
---
Thanks for bringing up the diversity issue in light of this CVE, Alex!
Just to make everyone feel sad today:
$ cat grill-tor-2016-12-09 | grep -v offline | grep Linux | wc -l
6435
$ cat grill-tor-2016-12-09 | grep -v offline | grep -v Linux | wc -l
550
Sadly, Linuxes are typical ~2σ of the network. ;(
Please run more different (e.g. BSD) relays!
[*] I think it should be more accurate.
[1] https://github.com/nogoegst/grill
[2] https://gist.github.com/nogoegst/d2de330b794b47158b4cfbed0987b4de
--
Happy life without suffering,
Ivan Markin
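Added illustration of the probing method described in the post (not code from the post and not grill's own code): a constructed model of how a stack answers out-of-window RSTs, plus a scan routine that sends 111 RSTs, waits one second, and sends 111 more. It assumes the mechanism behind CVE-2016-5696: Linux 3.6 through 4.6 rate-limit RFC 5961 challenge ACKs with one global counter (net.ipv4.tcp_challenge_ack_limit, default 100 per second) shared by all sockets, so a burst larger than the cap is answered with exactly the cap. The stack models, the classification rule in Scan, and all names are this example's assumptions; no packets are sent.

```go
package main

import (
	"fmt"
	"time"
)

// Stack is a constructed model (not grill's code) of a TCP stack's reaction
// to one RST whose sequence number lies outside the receive window.
type Stack interface {
	// OutOfWindowRST reports whether the stack answers the RST with a
	// challenge ACK (RFC 5961 section 3.2) at the given time.
	OutOfWindowRST(now time.Time) bool
}

// VulnerableLinux models Linux 3.6 through 4.6: challenge ACKs are rate-limited
// by ONE global counter (net.ipv4.tcp_challenge_ack_limit, default 100 per
// second) shared by every socket. That shared counter is the side channel of
// CVE-2016-5696; here only the scanner-visible symptom is modelled.
type VulnerableLinux struct {
	Limit       int
	windowStart time.Time
	sent        int
}

func (k *VulnerableLinux) OutOfWindowRST(now time.Time) bool {
	// Simplification: a fresh one-second window starts at the first RST and
	// at every full second after that (real kernels use jiffies boundaries).
	if now.Sub(k.windowStart) >= time.Second {
		k.windowStart, k.sent = now, 0
	}
	if k.sent >= k.Limit {
		return false // counter exhausted: RST silently dropped
	}
	k.sent++
	return true
}

// NoChallengeACK models a stack without RFC 5961 challenge ACKs (what the
// author saw on a locally scanned NetBSD 7.0.2 VM): RSTs draw no reply.
type NoChallengeACK struct{}

func (NoChallengeACK) OutOfWindowRST(time.Time) bool { return false }

// Uncapped models a stack that answers every out-of-window RST with a
// challenge ACK and has no shared per-second cap to leak.
type Uncapped struct{}

func (Uncapped) OutOfWindowRST(time.Time) bool { return true }

// burst "sends" n out-of-window RSTs back-to-back at time t and returns the
// number of challenge ACKs that came back.
func burst(s Stack, n int, t time.Time) int {
	acks := 0
	for i := 0; i < n; i++ {
		if s.OutOfWindowRST(t) {
			acks++
		}
	}
	return acks
}

// Verdicts. The classification rule below is this example's assumption.
const (
	Vulnerable   = "vulnerable"
	NoChACK      = "not vulnerable (no challenge ACKs)"
	NoGlobalCap  = "not vulnerable (every RST answered, no shared cap)"
	Inconclusive = "inconclusive"
)

// Scan runs the post's second method: n RSTs in one burst, then n more one
// second later. A shared per-second cap shows up as both bursts being
// answered with the same count that is strictly between 0 and n.
func Scan(s Stack, n int, t0 time.Time) (first, second int, verdict string) {
	first = burst(s, n, t0)
	second = burst(s, n, t0.Add(time.Second))
	switch {
	case first == 0 && second == 0:
		verdict = NoChACK
	case first == n && second == n:
		verdict = NoGlobalCap
	case first == second && first > 0 && first < n:
		verdict = Vulnerable
	default:
		verdict = Inconclusive
	}
	return first, second, verdict
}

func main() {
	t0 := time.Date(2016, 12, 9, 5, 31, 0, 0, time.UTC)
	stacks := []struct {
		name string
		s    Stack
	}{
		{"Linux 3.6-4.6 (global cap 100/s)", &VulnerableLinux{Limit: 100}},
		{"no challenge ACKs (NetBSD VM)", NoChallengeACK{}},
		{"challenge ACKs, uncapped", Uncapped{}},
	}
	for _, st := range stacks {
		first, second, v := Scan(st.s, 111, t0)
		fmt.Printf("%-34s burst1=%3d burst2=%3d -> %s\n", st.name, first, second, v)
	}
}
```

The burst size has to exceed the cap for the cap to be visible: with 111 RSTs against a 100/s counter each burst yields 100 ACKs, while 50 RSTs are all answered and look like an uncapped stack. The model also shows why a relay behind a vulnerable Linux NAT can look vulnerable regardless of its own kernel: the scanner only ever observes the counter of whichever stack answers the RSTs.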