[tor-talk] Hidden service security w. Apache/Win32
Fred Toben
redguy at tormail.net
Sun Feb 19 18:13:22 UTC 2012
proper at tormail.net wrote:
>> So far I haven't found any public info about the possible downsides of
>> running a hidden service under Windows.
>
> Let's assume a fresh, clean windows installation. Have you found a list
> and description of all outgoing network connections, that will be made by
> that windows installation? I haven't found any documentation. Information
> is spread all over the web. So far I discovered Windows Update, WGA and
> time sync.
>
> I am collecting all that information including source. [1]
>
> There are still open questions. Is the time sync authenticated or can it
> be spoofed by the Tor exit? How safe is it to rely on Microsoft time sync
> servers? (just one server, single point of failure)
There should be no Tor exit, if you mean exit node.
Is the time sync spoofing even applicable to hidden services?
What I am concerned about is the security of the OS under which Apache is
running.
I have so far identified the following possibilities:
1. Exposing the date and time of the webserver.
I haven't managed to disable this info.
Telnetting (on VM1) to port internalport and sending the command
OPTIONS / HTTP/1.0
returns the date, time and timezone and the Apache server string.
But the Tor running on VM2 doesn't, as far as I know, care about what date,
time or timezone the HTTP server running on VM 1 returns to the user
agent.
If I really wanted, I could script a reset of the date, time and timezone
on VM 1 to a random value at each startup.
2. Exposing the currently running username, computername or even product
ID of the Windows installation.
I can't see how it could happen.
I deliberately disable all Apache modules which could leak such info (no
PHPINFO) and even if Apache could somehow "break out" into the OS, access
to sensitive folders (systemroot, userprofile) and the registry is locked
by a group policy.
VM 1 and VM 2 are on a different subnet from my physical router and
VMware host.
3. Antivirus, Windows Update and browser fingerprints.
VM 1 serving the Apache installation doesn't even have internet access,
and no other services (IRC, web browser) are allowed.
VM 2 has internet access, but the only non-system process allowed to
connect to the internet is tor.exe.
The limited user account is not permitted to download or run new programs
or to terminate existing processes.
4. A yet unpublicized exploit allowing an unknown intruder to break out of
the virtual environment.
Some years ago, it was discovered that the folder sharing option in VMware
Workstation (?) might enable a breakout of the guest OS.
But what about other virtualization products like Virtualbox?
I share your concerns, but if there is a security issue with running a
hidden service in Windows, one solution is replacing the VM running Tor
with a linux distro.
How can the MS time server tampering with the exit nodes be applicable to
hidden services?
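A check for the header leakage described under point 1, added here as an example (it is not code from the post, from Apache or from Tor): it parses a captured reply to the OPTIONS request and flags headers that identify the software, platform or local clock. Both sample responses are constructed, and the function names are my own.

```python
import email.utils
import re
from typing import Dict, List

# Constructed sample responses (not captured from any real host): the first is
# what a default Apache/Win32 might answer to "OPTIONS / HTTP/1.0", the second
# the same server with "ServerTokens Prod" and its clock reporting GMT.
LEAKY_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Sun, 19 Feb 2012 19:13:22 +0100\r\n"
    b"Server: Apache/2.2.22 (Win32)\r\n"
    b"X-Powered-By: PHP/5.3.10\r\n"
    b"Allow: GET,HEAD,POST,OPTIONS\r\n"
    b"Content-Length: 0\r\n\r\n"
)
QUIET_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Sun, 19 Feb 2012 18:13:22 GMT\r\n"
    b"Server: Apache\r\n"
    b"Allow: GET,HEAD,POST,OPTIONS\r\n"
    b"Content-Length: 0\r\n\r\n"
)

def parse_headers(raw: bytes) -> Dict[str, str]:
    """Return the response headers as a dict keyed by lowercase name."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit_fingerprint_headers(raw: bytes) -> List[str]:
    """List headers that identify the software, platform or local clock."""
    h = parse_headers(raw)
    findings: List[str] = []
    server = h.get("server", "")
    # "Apache/2.2.22 (Win32)" gives version and OS; a bare "Apache" does not.
    if re.search(r"/\d", server) or "(" in server:
        findings.append(f"Server header reveals version/platform: {server}")
    if "x-powered-by" in h:
        findings.append(f"X-Powered-By reveals a backend: {h['x-powered-by']}")
    # The Date header is mandatory and should be GMT; a local offset such as
    # +0100 narrows down the host's timezone (parsedate_tz gives 0 for GMT).
    parsed = email.utils.parsedate_tz(h.get("date", ""))
    if parsed and parsed[9]:
        findings.append(f"Date header carries a non-GMT offset: {h['date']}")
    return findings

if __name__ == "__main__":
    for finding in audit_fingerprint_headers(LEAKY_RESPONSE):
        print(finding)
```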