[tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turned on by default
Olivier Cornu
o.cornu at riseup.net
Tue Jan 21 14:45:19 UTC 2014
On 21/01/2014 13:18, Max Jakob Maass wrote:
> Tor actually rejected my attempted XMLHttpRequest to a non-loopback
> address (log message stating that the SOCKS proxy did not allow local
> connections). But then again, it also did not successfully receive
> data from localhost:80 (nc showed something, but the testing site gave
> an error message when trying to connect to my apache2 on port 80). Did
> it behave differently for you?
You're right: TBB only leaks on "127.0.0.1" when tested from a local
HTML file. "localhost" as well as other non-loopback IP addresses are
rejected by the SOCKS proxy:
[warn] Rejecting SOCKS request for anonymous connection to private
address [scrubbed]
On Linux, stock FF and Chromium (w/o proxy) do connect to all the above.
So, TBB's supposed bug becomes: TBB is leaking non-Tor traffic to 127.0.0.1.
I believe this breaks TBB's required proxy obedience
[https://www.torproject.org/projects/torbrowser/design/#security]
The testing site is enough to show the vulnerability, but it does not
try to perform advanced fingerprinting:
* XHR to a local web server will get stopped by CORS policies and appear
as a "closed port".
* Timeouts are interpreted as "closed ports" too (although it may show
return statuses): in some cases (like the netcat test) it times out
because the server is waiting for more input than the HTTP GET request it's
given before closing the TCP connection; in other cases it may time out
because the port is open but filtered.
Also, it'd be nice if http://tortestprivacy.url.ph/ would allow tweaking
the full URL (rather than just port number) for public testing purposes.
Could you perhaps help with that, TT Security? :)
--
Olivier Cornu
More information about the tor-talk mailing list
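The two limitations listed in the message above (an XHR to a local web server is stopped by CORS and looks like a closed port; a timeout is read as closed too) are exactly where a port probe from a page needs a classification step. The following is an added example, not code from the original post, from the testing site, or from the Tor Browser project. It sketches the XMLHttpRequest probe to http://127.0.0.1:<port>/ that the thread discusses and adds a verdict function that uses timing to tell a refused connection apart from a response that the CORS policy hid from the script. The outcome record fields, the verdict names and the REFUSED_THRESHOLD_MS constant are assumptions made for this example; the threshold relies on loopback "connection refused" errors returning almost instantly while a CORS-blocked response still costs a round trip plus server time, and it has to be tuned per browser and machine. The sample outcomes at the bottom are constructed so the classifier can be exercised offline.

```javascript
// Added example (not the original post's or Tor Browser's code): classify the
// outcome of a cross-origin probe to http://127.0.0.1:<port>/ and wire it to
// XMLHttpRequest for use from a page.
//
// Assumption: a refused loopback connection errors out in well under a
// millisecond, whereas a response blocked by CORS still costs a round trip
// plus the server's processing time. The threshold separates the two and is
// a tuning knob, not a browser guarantee.
const REFUSED_THRESHOLD_MS = 50;

// Classify one observed outcome. Field shape is assumed for this example:
//   status    - xhr.status; 0 whenever the browser exposes no response
//   timedOut  - true if xhr.ontimeout fired
//   elapsedMs - wall-clock time from send() to the terminal event
function classifyProbe({ status, timedOut, elapsedMs }) {
  if (timedOut) {
    // Open-but-silent (e.g. a netcat listener waiting for more input) or
    // filtered: the message's "timeout" case. Not distinguishable here.
    return 'filtered-or-silent';
  }
  if (status > 0) {
    // The server answered and CORS let the script read the status.
    return 'open';
  }
  // status 0: either nothing listened (fast refusal) or something answered
  // and CORS hid it (slow). A SOCKS proxy that rejects the destination
  // outright also lands here as a fast error, so a "closed" verdict from
  // inside Tor Browser must be cross-checked against tor's warn log.
  return elapsedMs < REFUSED_THRESHOLD_MS ? 'closed' : 'open-cors-blocked';
}

// Browser side: probe one port on 127.0.0.1 and resolve to a verdict.
// Only meaningful when run from a page; it is never called under Node.
function probePort(port, host = '127.0.0.1', timeoutMs = 2000) {
  return new Promise((resolve) => {
    const xhr = new XMLHttpRequest();
    const started = Date.now();
    const finish = (timedOut) => resolve({
      port,
      verdict: classifyProbe({
        status: xhr.status,
        timedOut,
        elapsedMs: Date.now() - started,
      }),
    });
    xhr.timeout = timeoutMs;
    xhr.onload = () => finish(false);
    xhr.onerror = () => finish(false);
    xhr.ontimeout = () => finish(true);
    // Cache-buster so a repeated probe is not served from the HTTP cache.
    xhr.open('GET', `http://${host}:${port}/?_=${started}`, true);
    xhr.send();
  });
}

// Probe ports one at a time; parallel probes would skew the timing signal.
async function scanLoopback(ports) {
  const results = [];
  for (const port of ports) results.push(await probePort(port));
  return results;
}

// Constructed sample outcomes for a stand-alone run (no network access).
const SAMPLE_OUTCOMES = [
  { port: 80,   status: 200, timedOut: false, elapsedMs: 9 },    // server with permissive CORS
  { port: 631,  status: 0,   timedOut: false, elapsedMs: 140 },  // server answered, CORS hid it
  { port: 8000, status: 0,   timedOut: false, elapsedMs: 1 },    // nothing listening
  { port: 9999, status: 0,   timedOut: true,  elapsedMs: 2000 }, // listener waiting for input
];

function classifySamples(samples = SAMPLE_OUTCOMES) {
  return samples.map((s) => ({ port: s.port, verdict: classifyProbe(s) }));
}

if (typeof XMLHttpRequest === 'undefined') {
  // Under Node: exercise the classifier on the constructed outcomes.
  console.table(classifySamples());
} else {
  // In a page: run the real probe against the local ports of interest.
  scanLoopback([80, 631, 8000, 9999]).then((r) => console.table(r));
}
```

Saved as a local HTML file's script, this is the same test the thread describes, with one extra column: an "open-cors-blocked" verdict is the case the testing site reports as a closed port. Note that a stock browser with no proxy and Tor Browser routing through its SOCKS proxy produce different fast-error paths, so the verdicts alone do not prove a leak; the tor log line quoted in the message is the authoritative signal for a rejected request.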