[tor-relays] network scan results for CVE-2016-5696 / rfc 5961

dawuud dawuud at riseup.net
Thu Nov 17 21:22:47 UTC 2016


Hi all,

I'm sorry that there are some false positives.
I did previously test against a FreeBSD tor relay and presumed NetBSD
would have a similar result.

Thanks for looking closely at this Ivan.
It sounds like the scanner needs to be fixed.
I'll try to test with a NetBSD host soon.


Cheers!

David


On Thu, Nov 17, 2016 at 07:46:00PM +0000, Ivan Markin wrote:
> Hi David,
> 
> Thanks for your work!
> 
> dawuud:
> > I added the scan output to the repo, this includes the output csv file
> > and a list of vulnerable relays:
> > 
> > https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/probe_out.csv
> > https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/vulnerable_tor_relays
> 
> FYI, I produced results with platform strings and fingerprints based on
> this data [1].
> 
> It's pretty interesting that not only Linux relays are
> 'vulnerable' (90 < ChACKs < 220) in David's scan:
> % cat combined_results.csv | grep -v notvulnerable | grep -v Linux | grep Tor
> 
> Tor 0.2.8.9 on NetBSD,3F5440FF003DFF8A12AA308CFD4087FBC157ABE0,78.47.45.36:9001,1.08132791519,500,142,vulnerable
> Tor 0.2.5.10 on NetBSD,508004552343E5374B6570C76E9239AA23310684,86.62.117.171:63500,1.00646305084,500,103,vulnerable
> Tor 0.2.8.9 on NetBSD,8806C3E6FA42B07113F3A1553DE70C0A30101201,139.18.25.35:9001,1.02995896339,500,113,vulnerable
> Tor 0.2.7.6 on FreeBSD,9C5461498004325F87C0685BDA5DA99AC5335314,62.194.144.196:9001,1.06730103493,500,211,vulnerable
> Tor 0.2.8.9 on FreeBSD,BCFE548EA3FF8A0B3610779C238350124A8ED6DE,207.172.209.83:9001,1.06568193436,500,214,vulnerable
> Tor 0.2.7.6 on NetBSD,F88C4D522EE7BD8B18B6C6418B8548E6E6BC74E9,195.43.138.226:9001,0.994502782822,500,100,vulnerable
> 
> After I rescanned these relays myself several times, the FreeBSD ones
> stopped being 'vulnerable' while the NetBSD ones somehow still reproduce
> the 'vulnerable' Linux status.
> 
> I don't know why this happens; maybe someone can scan these relays
> (or maybe all NetBSD ones, due to TCP stack specifics) themselves and get
> different results. Anyway, these are just curious false positives.
> 
> [1]
> https://github.com/nogoegst/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/combined_results.csv
> 
> --
> Ivan Markin
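The filter Ivan runs over the scan output, as an added example that is not part of the thread or of either scanner repo: it parses rows in the layout quoted above, recomputes the verdict from the 90 < ChACKs < 220 rule the post states, and lists the rows a reviewer should re-check (flagged vulnerable but not Linux, which the rescans showed to be false positives). The column meanings and the sample rows are assumptions, since the post only shows raw lines.

```python
import csv
import io

# Constructed sample rows (placeholder fingerprints, RFC 5737 addresses) in the
# layout of the combined_results.csv lines quoted above. Column meanings are an
# assumption: platform string, relay fingerprint, address:port, scan seconds,
# probes sent, challenge ACKs counted, scanner verdict.
SAMPLE_CSV = """\
Tor 0.2.8.9 on Linux,0000000000000000000000000000000000000001,192.0.2.10:9001,1.01,500,101,vulnerable
Tor 0.2.8.9 on NetBSD,0000000000000000000000000000000000000002,192.0.2.11:9001,1.08,500,142,vulnerable
Tor 0.2.7.6 on FreeBSD,0000000000000000000000000000000000000003,192.0.2.12:9001,1.07,500,211,vulnerable
Tor 0.2.8.9 on Linux,0000000000000000000000000000000000000004,198.51.100.7:443,1.00,500,500,notvulnerable
Tor 0.2.8.9 on Windows,0000000000000000000000000000000000000005,203.0.113.5:9001,1.02,500,0,notvulnerable
"""

FIELDS = ["platform", "fingerprint", "address", "seconds", "probes", "chacks", "verdict"]


def classify(chacks):
    """Scan rule as stated in the thread: 90 < ChACKs < 220 means 'vulnerable'.
    A host that answers nearly every probe, or none, shows no shared ACK limit."""
    return "vulnerable" if 90 < chacks < 220 else "notvulnerable"


def platform_os(platform):
    """'Tor 0.2.8.9 on NetBSD' -> 'NetBSD'; unknown shapes are returned unchanged."""
    return platform.split(" on ", 1)[1] if " on " in platform else platform


def parse_rows(text):
    """Parse CSV rows, convert numeric columns and recompute the verdict for comparison."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        rec["probes"] = int(rec["probes"])
        rec["chacks"] = int(rec["chacks"])
        rec["seconds"] = float(rec["seconds"])
        rec["os"] = platform_os(rec["platform"])
        rec["recomputed"] = classify(rec["chacks"])
        rows.append(rec)
    return rows


def suspect_false_positives(rows):
    """Same selection as the grep pipeline above: flagged vulnerable but not Linux.
    The rescans in the thread found these to be false positives, so re-check them."""
    return [r for r in rows if r["verdict"] == "vulnerable" and r["os"] != "Linux"]


if __name__ == "__main__":
    for r in suspect_false_positives(parse_rows(SAMPLE_CSV)):
        print("re-check:", r["os"], r["fingerprint"], r["address"], r["chacks"])
```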