[tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turned on by default

Olivier Cornu o.cornu at riseup.net
Tue Jan 21 14:45:19 UTC 2014


Le 21/01/2014 13:18, Max Jakob Maass a écrit :
> Tor actually rejected my attempted XMLHttpRequest to a non-loopback
> address (Log-Message stating that the SocksProxy did not allow local
> connections). But then again, it also did not successfully receive
> data from localhost:80 (nc showed something, but the testing site gave
> an error message when trying to connect to my apache2 on port 80). Did
> it behave differently for you?

You're right: TBB only leaks on "127.0.0.1" when tested from a local
HTML file. "localhost" as well as other non-loopback IP addresses are
rejected by the SOCKS proxy:
    [warn] Rejecting SOCKS request for anonymous connection to private
    address [scrubbed]
On Linux, stock FF and Chromium (w/o proxy) do connect to all the above.

So, TBB's supposed bug becomes: TBB is leaking non-Tor traffic to 127.0.0.1.
I believe this breaks TBB's required proxy obedience
[https://www.torproject.org/projects/torbrowser/design/#security]


The testing site is enough to show the vulnerability, but it does not
try to perform advanced fingerprinting:
* XHR to a local web server will get stopped by CORS policies and appear
as a "closed port".
* Timeouts are interpreted as "closed ports" too (although it may show
return statuses): in some cases (like the netcat test) it times out
because the server is waiting for more input than the HTTP GET request it's
given before closing the TCP connection; in other cases it may time out
because the port is open but filtered.

Also, it'd be nice if http://tortestprivacy.url.ph/ would allow tweaking
the full URL (rather than just port number) for public testing purposes.
Could you perhaps help with that, TT Security? :)

--
Olivier Cornu