TOR BUNDLE IP EXPOSURE VULNERABILITY [PATCHED]

Jun 30th, 2012
UPDATE: This vulnerability has been patched. Thanks to Kabraxis and DeadlockInc for the correction. https://blog.torproject.org/blog/new-tor-browser-bundles-security-release

HOWTO: Exploit Tor Browser Bundle to Find True IP Address of Tor User

Author’s Note: TOR is not vulnerable. This exploit is possible because of a flaw in the current version of Firefox, not any feature of the onion router. The exploit can be fixed in only a few seconds with a few clicks in Firefox. The default setup of the Tor Bundle, as configured when downloaded from http://www.torproject.com, is affected.

BACKGROUND

TOR is an onion router used to obfuscate the point of origin of a network connection, as well as to bypass any filtering obstacles that may block access to an Internet resource. It is a valuable tool for keeping the Internet open and free, even in countries that aggressively restrict and monitor Internet activity.

TOR Project hosts and distributes an easy-to-use, click-and-run bundle which includes the TOR client and a pre-configured Firefox browser. This allows even those without technical savvy to surf anonymously and without restriction.

In some oppressive environments, total anonymity is required for the continued safety and freedom of users who connect to restricted Internet content. Posting or even reading content deemed inappropriate can result in incarceration. For those who struggle against tyranny, censorship and suppression of free speech, TOR provides a secure, simple and reliable means of access.

TOR can tunnel Internet-bound activity into a locally-running SOCKS5 proxy. Applications like browsers, mail clients, IRC clients and chat programs can usually be configured to send their packets to the SOCKS5 proxy, instead of directly to their end destinations. The proxy acts as a middle man between these programs and the Internet.

TOR’s SOCKS5 proxy forwards all packets it receives to the TOR network. Within this network, the user’s traffic is secure, and cannot be traced back to its point of origin.

The programs should forward all traffic to the SOCKS5 proxy. There is a flaw in the current version of Firefox which is distributed in the Tor Bundle: all packets except DNS queries for websocket hosts are proxied. This means that such a query leaves the user’s computer directly, carrying its real IP address, and travels to the DNS server outside of TOR.

THE VULNERABILITY

Firefox does use the SOCKS proxy for most DNS queries. Nothing is leaked when resolving standard web pages and other Internet resources. An attacker that wants to expose the true IP of a Tor Bundle user needs only entice the user to resolve the name of a websocket host.

The attacker will not see the DNS query sent by the client. However, if the attacker owns the authoritative DNS server, he can record the DNS query details.

THE SETUP

An attacker needs considerable resources to exploit this vulnerability. First, the attacker requires ownership of an Internet-resolvable DNS namespace. (In other words, he needs to register a domain name.) He will need full authority over the DNS records, including the ability to delegate namespace and create NS records. Finally, he will also need one (or two, if he wants to be Internet-standards compliant, but that’s probably not a big priority) Internet-connected DNS server, over which he has full administrative control.

With these resources properly configured, the attacker can create a link that entices a victim to leak IP information. While the technique is not platform-dependent on either the client or the server side, this article will illustrate the setup and detail the mechanics of the exploit using Windows Server 2008 R2.

SETUP FROM DOMAIN REGISTRAR

After registering an Internet domain, the owner can configure the IP addresses of the authoritative DNS servers for the zone. Internet standards require that each registered domain have at least two Internet-connected authoritative DNS servers.

You do not need to host the entire DNS zone on your own server to fully exploit this vulnerability. You only need to delegate a subdomain. A delegation directs a DNS server to forward requests for a specific subdomain to a different DNS server. The delegating DNS server does not resolve host records in the delegated namespace.

If an attacker has registered the domain MYDOMAIN.COM, the authoritative DNS servers are responsible for resolving every DNS name that ends with MYDOMAIN.COM. This includes names such as WWW.MYDOMAIN.COM, SUCK.MY.BIG.MYDOMAIN.COM, THIEVES.CO.PWNS.MYDOMAIN.COM, and so on. For the purpose of this article, the attacker is going to use a subdomain for exposing Tor Browser users. The subdomain selected for exploitation in this article will be GOTCHA.MYDOMAIN.COM.

There are many domain registrars, some of which give very little control over DNS zones. Most domain owners have made their web hosts’ DNS servers authoritative. There are thousands of those, ranging from hosting powerhouses to boxes in dudes’ garages. Every host has a different front end, and a different process for managing DNS records. Some companies offer a web front end with full management available. Some require you to submit a ticket or email with the changes you require. Still others will abruptly tell you to GFYS if you request DNS changes. Because of the wide range, a comprehensive walkthrough is infeasible. If a reader has made it this far into the article without losing interest, he can probably work out the process from his registrar’s or host’s FAQ.

SETUP OF THE AUTHORITATIVE DNS SERVER

By pointing the delegation at his own DNS server, the attacker redirects the leaked packet from the victim’s computer to a server he controls. That means the victim’s click will prompt the victim’s computer to connect, from its real IP address, to a service in the attacker’s network.

The attacker has many opportunities to dress up this exploit, such as adding records for this zone to point the victim to webpages with text that taunts the user, such as “d0x’d by THIEVES.CO! Your real IP is:”, redirections to other URLs, etc. The article will focus on the exploitation itself.

WINDOWS SERVER 2008 R2 WALKTHRU

- In the DNS Manager console, create a new Forward Lookup Zone for the subdomain
- Turn on Debug Logging in the DNS Console
  - Right-click <ServerName>, select Properties
  - Click the Debug Logging tab
  - Check the following boxes in the dialogue box:
    - Log packets for debugging
    - Packet Direction: Incoming
    - Transport Protocol: UDP
    - Packet Contents: Queries/Transfers
    - Packet Type: Request
  - Fill in a file path and name, such as C:\exposed.txt
  - Click OK

The trap is set.

BAIT THE TRAP

Firefox almost always uses the local TOR SOCKS5 proxy for name resolution. The exception is for a special kind of web service called a websocket. To create a websocket link, do the following:

Instead of creating a link with an HTTP:// prefix, create it with WS://

In the example, the trap subdomain was GOTCHA.MYDOMAIN.COM. If the attacker is trying to expose an IRC user named Anon1337, he can send the victim a hyperlink to WS://anon1337.gotcha.mydomain.com

Simply sending a link to gotcha.mydomain.com will log the victim’s IP. By creating a custom link for this user, the attacker can quickly find and distinguish that user’s query from any others. There doesn’t need to be a record in DNS. Even if the victim just gets an error stating that the name doesn’t exist, the attacker already has his information.

THE EVIDENCE

Here is what the attacker will find in the DNS debugging log. To find it quickly, the attacker can simply search for “anon1337”:

6/28/2012 11:16:50 AM 0D0C PACKET 000000000192B900 UDP Rcv 93.95.224.238 ac1a Q [0001 D NOERROR] SRV (8)anon1337(6)gotcha(8)mydomain(3)com(0)

The attacker can see the unprotected IP address in the log entry. That’s the victim’s real IP address.
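The same log format is useful from the defender's side. An administrator who runs the resolver that Tor-configured hosts are supposed to bypass entirely can read the Windows DNS debug log and flag any query that arrives directly from one of those hosts: if such a host ever reaches the resolver at all, its browser has bypassed the SOCKS proxy. The following parser is an added example, not code from the article; it assumes the column layout of the single log line quoted above (the real log pads its columns with spaces, so the pattern matches whitespace loosely), and every log line other than that quoted one, along with the 192.0.2.x client addresses, is constructed for the example.

```python
import re
from ipaddress import ip_address

# Layout of one packet line in a Windows Server 2008 R2 DNS debug log, taken
# from the sample in the article. The real log pads columns with spaces, so
# separators are matched loosely.
_LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+\s+[AP]M)\s+(?P<thread>[0-9A-Fa-f]+)\s+PACKET\s+"
    r"(?P<packet>[0-9A-Fa-f]+)\s+(?P<proto>UDP|TCP)\s+(?P<direction>Rcv|Snd)\s+"
    r"(?P<remote_ip>[0-9A-Fa-f.:]+)\s+(?P<xid>[0-9A-Fa-f]+)\s+(?P<qr>[QR])\s+"
    r"\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)


def decode_qname(encoded):
    """Turn the log's length-prefixed labels, e.g. '(3)www(7)example(3)com(0)',
    into the dotted name 'www.example.com'. A label whose stated length does
    not match its text means the line was truncated, so it is rejected."""
    labels = []
    for length, label in re.findall(r"\((\d+)\)([^(]*)", encoded):
        if int(length) != len(label):
            raise ValueError("malformed label in %r" % encoded)
        if label:
            labels.append(label)
    return ".".join(labels)


def parse_dns_debug_line(line):
    """Return a dict of the packet fields, or None for non-packet lines
    (the log also contains a header and blank lines)."""
    m = _LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["qname"] = decode_qname(rec["qname"])
    return rec


def find_leaks(log_lines, tor_clients):
    """Report incoming queries that arrived directly from hosts which are
    supposed to send all name resolution through the Tor SOCKS proxy.
    A query from such a host reaching this resolver at all is the leak."""
    monitored = {ip_address(ip) for ip in tor_clients}
    leaks = []
    for line in log_lines:
        rec = parse_dns_debug_line(line)
        if rec is None or rec["direction"] != "Rcv" or rec["qr"] != "Q":
            continue
        if ip_address(rec["remote_ip"]) in monitored:
            leaks.append((rec["remote_ip"], rec["qname"], rec["qtype"]))
    return leaks


# Constructed sample log. The third line is the one quoted in the article;
# the rest are made up, using RFC 5737 documentation addresses.
SAMPLE_LOG = [
    "DNS Server log file creation at 6/28/2012 11:00:00 AM",
    "",
    "6/28/2012 11:16:50 AM 0D0C PACKET 000000000192B900 UDP Rcv 93.95.224.238 ac1a Q [0001 D NOERROR] SRV (8)anon1337(6)gotcha(8)mydomain(3)com(0)",
    "6/28/2012 11:17:02 AM 0D0C PACKET 000000000192BA00 UDP Rcv 192.0.2.10 1b2c Q [0001 D NOERROR] SRV (8)anon1337(6)gotcha(8)mydomain(3)com(0)",
    "6/28/2012 11:17:02 AM 0D0C PACKET 000000000192BA00 UDP Snd 192.0.2.10 1b2c R [8385 A DR NXDOMAIN] SRV (8)anon1337(6)gotcha(8)mydomain(3)com(0)",
    "6/28/2012 11:18:30 AM 0D0C PACKET 000000000192BB00 UDP Rcv 192.0.2.77 9f01 Q [0001 D NOERROR] A (3)www(7)example(3)com(0)",
]

# Hosts that, by policy, route everything through the Tor SOCKS proxy
# (constructed addresses for the example).
TOR_CLIENTS = ["192.0.2.10", "192.0.2.20"]


def demo():
    return find_leaks(SAMPLE_LOG, TOR_CLIENTS)


if __name__ == "__main__":
    for ip, name, qtype in demo():
        print("LEAK: %s resolved %s (%s) outside the proxy" % (ip, name, qtype))
```

Only received queries (`Rcv` and `Q`) are considered, so the resolver's own responses are ignored, and the query type is kept in the report because the article's sample shows the websocket lookup arriving as an SRV query, which is itself a useful marker when reviewing the log.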

DEFENDING AGAINST IP EXPOSURE WHEN USING TOR BUNDLE

This exploit is the result of default configuration. It is easy to fix, in only a few seconds. Credit for the workaround goes to the TOR Project. The fix was published in the following security advisory: http://threatpost.com/en_us/blogs/tor-warns-firefox-bug-threatens-user-privacy-050312
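A small configuration audit of the Firefox prefs that matter here, added as an example that is not code from the article or from the Tor Project: it parses a prefs.js or user.js fragment and reports whether the settings that close this leak are present. The pref names (`network.proxy.type`, `network.proxy.socks_remote_dns`, `network.websocket.enabled`) and the statement that disabling websockets was the advisory's workaround come from the editor's knowledge of Firefox and of the May 2012 advisory, not from this page, which only links to it; the two prefs fragments are constructed.

```python
import re

# Matches the pref lines Firefox writes to prefs.js / user.js, for example:
#   user_pref("network.proxy.type", 1);
_PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(.+?)\);\s*$')


def _coerce(raw):
    """Convert the JavaScript literal on a pref line to a Python value."""
    raw = raw.strip()
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw


def parse_prefs(text):
    """Return {pref_name: value} for every pref line in the file text."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _coerce(m.group(2))
    return prefs


# Pref names and the values that close the leak. These are Firefox prefs known
# to the editor, not settings named by the article; the websocket pref is the
# workaround the Tor Project advisory of May 2012 recommended. A pref absent
# from the file is reported as not set, because the browser default then
# applies, and websockets are enabled by default.
CHECKS = [
    ("network.proxy.type", 1, "manual proxy configuration"),
    ("network.proxy.socks_remote_dns", True, "DNS for proxied connections resolved through SOCKS"),
    ("network.websocket.enabled", False, "websockets off, so no websocket lookup can bypass the proxy"),
]


def audit_prefs(text):
    """Return one (pref, ok, actual_value, reason) tuple per check."""
    prefs = parse_prefs(text)
    return [(name, prefs.get(name) == wanted, prefs.get(name), why)
            for name, wanted, why in CHECKS]


def is_hardened(text):
    return all(ok for _, ok, _, _ in audit_prefs(text))


# Constructed prefs fragments. The first resembles a proxy-only configuration
# with websockets left at their default; the second adds the workaround.
VULNERABLE_PREFS = """\
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9050);
user_pref("network.proxy.socks_remote_dns", true);
"""

HARDENED_PREFS = VULNERABLE_PREFS + 'user_pref("network.websocket.enabled", false);\n'


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_PREFS), ("hardened", HARDENED_PREFS)):
        print(label + ":")
        for name, ok, actual, why in audit_prefs(text):
            print("  [%s] %s = %r (%s)" % ("ok" if ok else "!!", name, actual, why))
```

The point of the audit is the second and third checks together: `socks_remote_dns` is what sends ordinary lookups through the proxy, and the article's whole finding is that websocket lookups ignored it in the affected Firefox build, so a profile that passes the first two checks but not the third is exactly the default bundle the article describes.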

VERSION 1.2
Rich Text formatting removed for plain text "Pastebin" Edition. Removed call for author for Linux walkthru.

VERSION 1.1
Updated to link to patch for this vulnerability. Line spacing and spelling corrections.

VERSION 1.0
First publication on the Thieves.co Forum