tor audit found tor can be exploited
-
2024-02-01 at 5:09 PM UTC
-
2024-02-01 at 5:22 PM UTC
this site uses the django web interface
Bridges are unlisted relays that can be helpful to users under oppressive regimes as they are more difficult to block.
“Attackers can lure Directory Authorities victims to their site and perform a successful CSRF attack as soon as the victim’s browser runs in the same network as Onbasca. This is the case when the victim uses the Django web interface. As a result, pre-authenticated attackers can inject attacker-controlled IPs into the database,” Radically Open Security explained in its report.
It added, “When the bridgescan command is invoked, which runs regularly, the Onbasca application will connect to the attacker-controlled bridge. By doing this, attackers may be able to daemonize the hosted instance of Onbasca or carry out further attacks.”
The latest security audit comes after penetration testing firm Cure53 conducted a security assessment focusing on identifying vulnerabilities introduced by user interface changes and an audit related to censorship circumvention.
-
2024-02-01 at 5:30 PM UTC
https://blog.torproject.org/code-audit-tor-ecosystem-components/The%20Tor%20Project%20Pentest%20Report%202023%201.0
nothing too major, none affect hidden services
the one they cite as being the most critical is with onbasca, not tor itself, which is a viable exploit that could allow you to inject bridges and endpoints into its database, but it's too convoluted to be a major risk. if you wanted to exploit this you'd need:
1. valid credentials for the onbasca service
2. someone to actually be browsing the internet from the onbasca machine
3. to convince them to click a link with the credentials encoded in it, i.e. "http://127.0.0.1:8000/bridge-state/?bridge_lines=obfs4+0.0.0.0%3A00000+AAA+cert%3D0+iat-mode%3D0" from the doc
for tor itself there are a few memory leaks or possibilities for forced shutdown if you have shell access to the target machine
a couple of bad or outdated dependencies on some platforms
I'd consider the forced https to http downgrade attacks to be more serious IF you can run them on an exit node, looks like it's possible with at least one of them
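The chain described in the last post (a lured click on a GET link that writes bridge lines into a Django-backed database) is the textbook shape of a CSRF bug. The following is an added illustration, not code from Onbasca, the Tor Project or the Radically Open Security report: a toy request handler in plain Python stands in for the Django view, with a "vulnerable" variant that mutates state on any GET next to a "hardened" variant that applies the same kinds of checks Django's CsrfViewMiddleware does (POST only, Origin must match the site, session-bound CSRF token) and validates each bridge line before storing it. The Request and BridgeStore classes, the session token and the bridge lines other than the one quoted in the post are constructed for the demo.

```python
# Added example, not Onbasca's or Tor's own code. Request/BridgeStore, the
# session token value and the sample bridge lines are constructed for the demo.
import hmac
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    """Minimal stand-in for a Django HttpRequest."""
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


class BridgeStore:
    """Stand-in for the database table a periodic scanner later reads."""
    def __init__(self):
        self.bridges = []


def parse_bridge_line(line):
    """Parse 'TRANSPORT HOST:PORT FINGERPRINT key=value ...' into a dict.

    Returns None for malformed lines, unspecified addresses (0.0.0.0, ::)
    or an out-of-range port, so junk never reaches the scanner.
    """
    parts = line.split()
    if len(parts) < 3:
        return None
    transport, addr, fingerprint = parts[0], parts[1], parts[2]
    host, sep, port = addr.rpartition(":")
    if not sep or not port.isdigit():
        return None
    try:
        ip = ipaddress.ip_address(host.strip("[]"))  # allow [v6]:port form
    except ValueError:
        return None
    if ip.is_unspecified or not 1 <= int(port) <= 65535:
        return None
    args = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
    return {"transport": transport, "ip": str(ip), "port": int(port),
            "fingerprint": fingerprint, "args": args}


def vulnerable_bridge_state(req, store):
    """Anti-pattern: a plain GET (e.g. a lured click) writes into the store."""
    qs = parse_qs(urlsplit(req.url).query)
    for line in qs.get("bridge_lines", []):
        store.bridges.append(line)
    return 200


def hardened_bridge_state(req, store, session_csrf_token):
    """State change only via POST, with a same-site Origin header and a
    session-bound CSRF token, and only for bridge lines that validate."""
    if req.method != "POST":
        return 405
    origin = req.headers.get("Origin")
    if origin is None or urlsplit(origin).netloc != urlsplit(req.url).netloc:
        return 403
    token = req.form.get("csrfmiddlewaretoken", "")
    if not hmac.compare_digest(token, session_csrf_token):
        return 403
    accepted = 0
    for line in req.form.get("bridge_lines", []):
        parsed = parse_bridge_line(line)
        if parsed is None:
            continue
        store.bridges.append(parsed)
        accepted += 1
    return 200 if accepted else 400


def demo():
    """Replay the lured-click GET from the post against both handlers.

    Returns ((status, stored), (status, stored)) for vulnerable and hardened.
    """
    lured = Request("GET", "http://127.0.0.1:8000/bridge-state/"
                    "?bridge_lines=obfs4+0.0.0.0%3A00000+AAA+cert%3D0+iat-mode%3D0")
    v_store, h_store = BridgeStore(), BridgeStore()
    v_status = vulnerable_bridge_state(lured, v_store)
    h_status = hardened_bridge_state(lured, h_store, "constructed-session-token")
    return (v_status, len(v_store.bridges)), (h_status, len(h_store.bridges))


if __name__ == "__main__":
    print(demo())  # vulnerable handler stores the line, hardened one refuses
```

The point to take from it: the fix is not only the CSRF token. Refusing state changes on GET removes the "click a link" vector entirely, the Origin check stops cross-site POSTs even if a token leaks, and validating bridge lines before they are stored means a regularly run scanner never connects to an address an attacker chose.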