[tor-relays] Network scan results for CVE-2016-5696 / RFC5961
niftybunny
abuse at to-surf-and-protect.net
Fri Dec 9 06:04:35 UTC 2016
4 servers rebooted, thank you very much.
markus
> On 9 Dec 2016, at 06:31, Ivan Markin <twim at riseup.net> wrote:
>
> Hi tor-relays@,
>
> Getting back with more results on this.
> I've implemented a CVE-2016-5696 scanner in Go [1] and scanned the Tor
> network several times [2].
> The first results I got use a technique similar to David's (sending 500
> RSTs in one burst); the second ones were obtained via another method (send
> 111 RSTs in a burst and then 111 RSTs 1 second later*).
>
> Current statistics:
> 32% of Linux relays are vulnerable. That is 23% of Tor network.
>
> --
>
> Now some magic! Those 3 NetBSD relays from before still behave like they
> are vulnerable Linuxes (as they did in David's scanner, and two of mine):
>
> $ cat grill-tor-2016-12-09 | grep -v Linux | grep vulnerable
> 78.47.45.36:9001,3F5440FF003DFF8A12AA308CFD4087FBC157ABE0,Tor 0.2.8.9 on NetBSD,200,1.847787ms,1.834238ms,vulnerable
> 86.62.117.171:63500,508004552343E5374B6570C76E9239AA23310684,Tor 0.2.5.10 on NetBSD,200,1.999138ms,1.839057ms,vulnerable
> 139.18.25.35:9001,8806C3E6FA42B07113F3A1553DE70C0A30101201,Tor 0.2.8.9 on NetBSD,200,3.936046ms,3.777501ms,vulnerable
>
> Yes, nmap -O reports them to be NetBSD hosts.
>
> Actually I don't know what's going on here. Thoughts:
> * relays are behind vulnerable Linux middleboxes
> * RFC 5961 got implemented partly in NetBSD and it is actually vulnerable
> * ???
>
> Okay then. I've brought up a NetBSD 7.0.2 VM and scanned it locally. 0
> challenge ACKs. Fine. I've put it behind a vulnerable Linux DNAT and it was
> 'kinda' vulnerable (some small random amount of ChACKs). Probably I did
> something wrong here.
> I headed out and scanned netbsd.org (self-hosted?) and it's vulnerable as well.
>
> I've lurked through NetBSD's source code and found some bits of RFC 5961.
> But I was unable to see anything offensive.
>
> If someone has some insight on this dark magic, that would be awesome!
>
> ---
>
> Thanks for bringing up the diversity issue in light of this CVE, Alex!
> Just to make everyone feel sad today:
>
> $ cat grill-tor-2016-12-09 | grep -v offline | grep Linux | wc -l
> 6435
> $ cat grill-tor-2016-12-09 | grep -v offline | grep -v Linux | wc -l
> 550
>
> Sadly, Linuxes are typical ~2σ of the network. ;(
> Please run more different (e.g. BSD) relays!
>
> [*] I think it should be more accurate.
> [1] https://github.com/nogoegst/grill
> [2] https://gist.github.com/nogoegst/d2de330b794b47158b4cfbed0987b4de
>
> --
> Happy life without suffering,
> Ivan Markin
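The tallies Ivan computes by hand with grep above (vulnerable share of Linux relays, share of the whole network, and the non-Linux relays that still answer like rate-limited Linux) can be reproduced from the scan output. The following is an added example, not code from the post or from the grill tool; it assumes the seven-field comma-separated layout shown in the quoted NetBSD lines, and the three middle numeric fields, which the post does not explain, are ignored.

```python
from dataclasses import dataclass


@dataclass
class Record:
    addr: str
    fingerprint: str
    platform: str   # e.g. "Tor 0.2.8.9 on NetBSD"
    status: str     # "vulnerable", "offline", or another verdict string


def parse_record(line: str) -> Record:
    # Layout seen in the post: addr,fingerprint,platform,<number>,<rtt>,<rtt>,status.
    # The three middle fields are not explained there, so they are skipped (assumption).
    head, _num, _rtt1, _rtt2, status = line.strip().rsplit(",", 4)
    addr, fingerprint, platform = head.split(",", 2)
    return Record(addr, fingerprint, platform, status)


def os_of(platform: str) -> str:
    # Tor's platform string ends in "on <OS>"; anything else is reported as unknown.
    return platform.rsplit(" on ", 1)[1] if " on " in platform else "unknown"


def summarize(lines):
    online = [r for r in map(parse_record, filter(str.strip, lines)) if r.status != "offline"]
    linux = [r for r in online if os_of(r.platform) == "Linux"]
    vuln_linux = [r for r in linux if r.status == "vulnerable"]
    # Non-Linux relays that still look vulnerable: the NetBSD oddity the post asks about.
    odd = [r for r in online if os_of(r.platform) != "Linux" and r.status == "vulnerable"]
    return {
        "online": len(online),
        "linux": len(linux),
        "non_linux": len(online) - len(linux),
        "vulnerable_linux": len(vuln_linux),
        "pct_of_linux": round(100 * len(vuln_linux) / len(linux), 1) if linux else 0.0,
        "pct_of_network": round(100 * len(vuln_linux) / len(online), 1) if online else 0.0,
        "non_linux_vulnerable": [r.addr for r in odd],
    }


# Constructed sample: the three NetBSD lines quoted in the post plus made-up Linux and
# FreeBSD records (placeholder fingerprints, documentation-range addresses, "safe" verdict).
SAMPLE = """\
78.47.45.36:9001,3F5440FF003DFF8A12AA308CFD4087FBC157ABE0,Tor 0.2.8.9 on NetBSD,200,1.847787ms,1.834238ms,vulnerable
86.62.117.171:63500,508004552343E5374B6570C76E9239AA23310684,Tor 0.2.5.10 on NetBSD,200,1.999138ms,1.839057ms,vulnerable
139.18.25.35:9001,8806C3E6FA42B07113F3A1553DE70C0A30101201,Tor 0.2.8.9 on NetBSD,200,3.936046ms,3.777501ms,vulnerable
192.0.2.10:9001,PLACEHOLDER-FP-1,Tor 0.2.8.9 on Linux,100,2.1ms,2.0ms,vulnerable
192.0.2.11:443,PLACEHOLDER-FP-2,Tor 0.2.9.8 on Linux,100,1.5ms,1.6ms,vulnerable
192.0.2.12:9001,PLACEHOLDER-FP-3,Tor 0.2.9.8 on Linux,0,1.2ms,1.3ms,safe
192.0.2.13:9001,PLACEHOLDER-FP-4,Tor 0.2.8.9 on Linux,0,0ms,0ms,offline
192.0.2.14:9001,PLACEHOLDER-FP-5,Tor 0.2.8.9 on FreeBSD,0,2.2ms,2.3ms,safe
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE))
```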