How Tor Browser passed the strength test: security audit results

Carding 4 Carders

Detailed analysis: what vulnerabilities were found in Tor?

The developers of the popular tool for anonymous Internet surfing, Tor Browser, have released the results of an extensive security audit. The audit covered the main projects: Tor Browser, OONI Probe, rdsys, BridgeDB and Conjure. Experts from Cure53 conducted the audit from November 2022 to April 2023.

The audit revealed 9 vulnerabilities. Of these, two were of a critical nature, one vulnerability is considered to be of medium danger, while the remaining 6 were classified as insignificant. In addition, 10 technical flaws were found that were not directly related to security issues. However, the Tor code was found to meet the standards for secure programming.

Major vulnerabilities:
  1. First dangerous vulnerability in rdsys: The vulnerability was discovered in the rdsys backend, which is used to deliver various resources to users, including proxy lists and download links. The problem was that there was no authentication when accessing the registration resource handler. This allowed the attacker to register their malicious resource and provide it to users. The vulnerability could be exploited by sending an HTTP request to the rdsys handler.
  2. The second dangerous vulnerability in Tor Browser: The problem was related to the lack of digital signature verification when loading the list of bridges via rdsys and BridgeDB. Since this list is loaded before connecting to the anonymous Tor network, attackers could substitute the contents of the list, for example, by intercepting the connection. This could lead to users connecting through compromised bridge nodes controlled by an attacker.
  3. Moderate vulnerability in rdsys: The vulnerability was detected in the rdsys subsystem in the build deployment script. It allowed an attacker to increase their privileges from the level of the nobody user to the rdsys user, if they had access to the server and could write to a directory with temporary files. Exploiting the vulnerability is limited to replacing the executable file placed in the /tmp directory. Obtaining rdsys user rights allows an attacker to make changes to executable files launched via rdsys.
  4. Low-risk vulnerabilities: Most of them were associated with the use of outdated libraries containing known vulnerabilities, or with the possibility of committing a denial of service. In Tor Browser, for example, it was possible to bypass the prohibition of JavaScript execution when setting the highest level of protection, there were no restrictions on downloading files, and there was a potential information leak through the user's home page, which allows you to track users between restarts.

At the moment, all vulnerabilities have been fixed. In addition, additional security measures have been implemented, including authentication for all rdsys components and verification of digital signatures when uploading lists to the Tor Browser.

In addition to fixing vulnerabilities, a new version of Tor Browser 13.0.1 has been released, based on Firefox 115.4.0 ESR, which fixes 19 vulnerabilities. The Tor Browser version 13.0.1 for Android has been updated with vulnerability fixes from the Firefox 119 branch.
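The missing-authentication finding in item 1, shown as an added example that is not part of the post and is not rdsys code: a registration handler that accepts any caller, next to the same handler wrapped in a token check. The handler, the `name` parameter, the bearer-token scheme and the sample token are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

var registered []string // in-memory stand-in for the resource store

// registerResource is a hypothetical registration handler: it stores
// whatever resource name the caller submits, with no identity check.
func registerResource(w http.ResponseWriter, r *http.Request) {
	registered = append(registered, r.URL.Query().Get("name"))
	w.WriteHeader(http.StatusCreated)
}

// requireToken rejects requests that lack the expected bearer token.
// Both values are hashed so the constant-time compare sees equal lengths.
func requireToken(expected string, next http.HandlerFunc) http.HandlerFunc {
	want := sha256.Sum256([]byte(expected))
	return func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		got := sha256.Sum256([]byte(strings.TrimPrefix(auth, "Bearer ")))
		if !strings.HasPrefix(auth, "Bearer ") ||
			subtle.ConstantTimeCompare(got[:], want[:]) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next(w, r)
	}
}

// tryRegister sends one registration request and returns the status code.
func tryRegister(h http.HandlerFunc, authHeader string) int {
	req := httptest.NewRequest(http.MethodPost, "/resources?name=sample", nil)
	req.Header.Set("Authorization", authHeader)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	protected := requireToken("constructed-sample-token", registerResource)
	fmt.Println(tryRegister(registerResource, ""), tryRegister(protected, ""),
		tryRegister(protected, "Bearer constructed-sample-token"))
}
```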
 

Carding 4 Carders

Audit results of Tor Browser and Tor infrastructure components

Developers of the anonymous Tor network have published the results of an audit of the Tor Browser and the OONI Probe, rdsys, BridgeDB, and Conjure tools developed by the project, which are used for anonymous network connections that are protected from eavesdropping and traffic analysis mechanisms. The audit was conducted by Cure53 from November 2022 to April 2023.

During the audit, 9 vulnerabilities were identified, two of which were classified as dangerous, one was assigned an average level of danger, and 6 were assigned to problems with a minor level of danger. Also, 10 issues were found in the code base that were classified as non-security flaws. In general, the code of the Tor project is marked as corresponding to the practices of secure programming.

The first dangerous vulnerability was present in the backend of the distributed rdsys system, which provides resources such as proxy lists and download links to censored users. The vulnerability was caused by a lack of authentication when accessing the resource registration handler and allowed the attacker to register their own malicious resource for delivery to users. Operation is reduced to sending an HTTP request to the rdsys handler.


The second dangerous vulnerability was found in Tor Browser and was caused by the lack of digital signature verification when receiving a list of bridge nodes via rdsys and BridgeDB. Since the list is loaded into the browser at the stage before connecting to the anonymous Tor network, the lack of verification by cryptographic digital signature allowed the attacker to substitute the contents of the list, for example, by intercepting the connection or hacking the server through which the list is distributed. In the event of a successful attack, an attacker could arrange for users to connect via their own compromised bridge node.

A medium-risk vulnerability was present in the rdsys subsystem in the build deployment script and allowed an attacker to raise their privileges from the nobody user to the rdsys user, if they had access to the server and could write to a directory with temporary files. Exploiting the vulnerability is limited to replacing the executable file placed in the /tmp directory. Obtaining rdsys user rights allows an attacker to make changes to executable files launched via rdsys.

Low-risk vulnerabilities were mainly associated with the use of outdated dependencies that contained known vulnerabilities, or with the possibility of committing a denial of service. Minor vulnerabilities in Tor Browser include the ability to bypass the JavaScript execution ban when setting the highest level of protection, the lack of restrictions on downloading files, and a potential information leak through the user's home page, which allows you to track users between restarts.

Currently, all vulnerabilities have been fixed; among other things, authentication for all rdsys handlers has been implemented and verification of lists uploaded to Tor Browser by digital signature has been added.

Additionally, you can note the release of Tor Browser 13.0.1. The release is synchronized with the Firefox 115.4.0 ESR codebase, which fixes 19 vulnerabilities (13 are considered dangerous). The Tor Browser version 13.0.1 for Android has been updated with vulnerability fixes from the Firefox 119 branch.
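The bridge-list fix described above, sketched as an added example that is not part of the post and is not Tor Browser's code: the client accepts a downloaded list only if it verifies under a public key pinned in the client. Ed25519, the list format, the key pair and the addresses (documentation ranges) are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"strings"
)

// ErrBadSignature is returned when the list does not verify under the pinned key.
var ErrBadSignature = errors.New("bridge list signature invalid")

// verifyBridgeList returns the bridge lines only if sig is a valid Ed25519
// signature over the exact bytes of list under the pinned public key.
func verifyBridgeList(pinned ed25519.PublicKey, list, sig []byte) ([]string, error) {
	if len(pinned) != ed25519.PublicKeySize || !ed25519.Verify(pinned, list, sig) {
		return nil, ErrBadSignature
	}
	var bridges []string
	for _, line := range strings.Split(string(list), "\n") {
		if line = strings.TrimSpace(line); line != "" {
			bridges = append(bridges, line)
		}
	}
	return bridges, nil
}

// demo signs a constructed list, then checks a genuine and a tampered copy.
func demo() (accepted int, tamperedErr error) {
	seed := make([]byte, ed25519.SeedSize) // constructed all-zero seed, demo only
	priv := ed25519.NewKeyFromSeed(seed)
	pub := priv.Public().(ed25519.PublicKey)

	list := []byte("obfs4 192.0.2.10:443 cert=SAMPLE\nobfs4 192.0.2.11:443 cert=SAMPLE\n")
	sig := ed25519.Sign(priv, list)

	good, _ := verifyBridgeList(pub, list, sig)
	// Simulate substitution in transit: one address changed, signature reused.
	tampered := []byte(strings.Replace(string(list), "192.0.2.10", "203.0.113.5", 1))
	_, tamperedErr = verifyBridgeList(pub, tampered, sig)
	return len(good), tamperedErr
}

func main() {
	n, err := demo()
	fmt.Println(n, err)
}
```

Because the signature covers the list bytes and the key ships with the client, neither an intercepted connection nor a compromised distribution server can substitute entries without the signing key.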
 