Home
Forums
New posts
Search forums
What's new
New posts
New profile posts
Latest activity
Members
Current visitors
New profile posts
Search profile posts
Log in
Register
What's new
Search
Search
Search titles only
By:
New posts
Search forums
Menu
Log in
Register
Install the app
Install
JavaScript is disabled. For a better experience, please enable JavaScript in your browser before proceeding.
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an
alternative browser
.
Reply to thread
Home
Forums
CARDING & HACKING
Carding News
How Tor Browser passed the strength test: security audit results
Message
<blockquote data-quote="Plotu" data-source="post: 458" data-attributes="member: 5"><p><strong>Audit results of Tor Browser and Tor infrastructure components</strong></p><p></p><p>Developers of the anonymous Tor network have published the results of an audit of the Tor Browser and the OONI Probe, rdsys, BridgeDB, and Conjure tools developed by the project, which are used for anonymous network connections that are protected from eavesdropping and traffic analysis mechanisms. The audit was conducted by Cure53 from November 2022 to April 2023.</p><p></p><p>During the audit, 9 vulnerabilities were identified, two of which were classified as dangerous, one was assigned an average level of danger, and 6 were assigned to problems with a minor level of danger. Also, 10 issues were found in the code base that were classified as non-security flaws. In general, the code of the Tor project is marked as corresponding to the practices of secure programming.</p><p></p><p>The first dangerous vulnerability was present in the backend of the distributed rdsys system, which provides resources such as proxy lists and download links to censored users. The vulnerability was caused by a lack of authentication when accessing the resource registration handler and allowed the attacker to register their own malicious resource for delivery to users. Operation is reduced to sending an HTTP request to the rdsys handler.</p><p></p><p><img src="https://ver.ae/imagehosting/2023/10/27/10f73e4180.png" alt="10f73e4180.png" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p></p><p>The second dangerous vulnerability was found in Tor Browser and was caused by the lack of digital signature verification when receiving a list of bridge nodes via rdsys and BridgeDB. Since the list is loaded into the browser at the stage before connecting to the anonymous Tor network, the lack of verification by cryptographic digital signature allowed the attacker to substitute the contents of the list, for example, by intercepting the connection or hacking the server through which the list is distributed. In the event of a successful attack, an attacker could arrange for users to connect via their own compromised bridge node.</p><p></p><p>A medium-risk vulnerability was present in the rdsys subsystem in the build deployment script and allowed an attacker to raise their privileges from the nobody user to the rdsys user, if they had access to the server and could write to a directory with temporary files. Exploiting the vulnerability is limited to replacing the executable file placed in the /tmp directory. Obtaining rdsys user rights allows an attacker to make changes to executable files launched via rdsys.</p><p></p><p>Low-risk vulnerabilities were mainly associated with the use of outdated dependencies that contained known vulnerabilities, or with the possibility of committing a denial of service. Minor vulnerabilities in Tor Browser include the ability to bypass the JavaScript execution ban when setting the highest level of protection, the lack of restrictions on downloading files, and a potential information leak through the user's home page, which allows you to track users between restarts.</p><p></p><p>Currently, all vulnerabilities have been fixed, among other things, authentication for all rdsys handlers has been implemented and verification of lists uploaded to Tor Browser by digital signature has been added.</p><p></p><p>Additionally, you can note the release of Tor Browser 13.0.1. The release is synchronized with the Firefox 115.4.0 ESR codebase, which fixes 19 vulnerabilities (13 are considered dangerous). The Tor Browser version 13.0.1 for Android has been updated with vulnerability fixes from the Firefox 119 branch.</p></blockquote><p></p>
[QUOTE="Plotu, post: 458, member: 5"] [B]Audit results of Tor Browser and Tor infrastructure components[/B] Developers of the anonymous Tor network have published the results of an audit of the Tor Browser and the OONI Probe, rdsys, BridgeDB, and Conjure tools developed by the project, which are used for anonymous network connections that are protected from eavesdropping and traffic analysis mechanisms. The audit was conducted by Cure53 from November 2022 to April 2023. During the audit, 9 vulnerabilities were identified, two of which were classified as dangerous, one was assigned an average level of danger, and 6 were assigned to problems with a minor level of danger. Also, 10 issues were found in the code base that were classified as non-security flaws. In general, the code of the Tor project is marked as corresponding to the practices of secure programming. The first dangerous vulnerability was present in the backend of the distributed rdsys system, which provides resources such as proxy lists and download links to censored users. The vulnerability was caused by a lack of authentication when accessing the resource registration handler and allowed the attacker to register their own malicious resource for delivery to users. Operation is reduced to sending an HTTP request to the rdsys handler. [IMG alt="10f73e4180.png"]https://ver.ae/imagehosting/2023/10/27/10f73e4180.png[/IMG] The second dangerous vulnerability was found in Tor Browser and was caused by the lack of digital signature verification when receiving a list of bridge nodes via rdsys and BridgeDB. Since the list is loaded into the browser at the stage before connecting to the anonymous Tor network, the lack of verification by cryptographic digital signature allowed the attacker to substitute the contents of the list, for example, by intercepting the connection or hacking the server through which the list is distributed. In the event of a successful attack, an attacker could arrange for users to connect via their own compromised bridge node. A medium-risk vulnerability was present in the rdsys subsystem in the build deployment script and allowed an attacker to raise their privileges from the nobody user to the rdsys user, if they had access to the server and could write to a directory with temporary files. Exploiting the vulnerability is limited to replacing the executable file placed in the /tmp directory. Obtaining rdsys user rights allows an attacker to make changes to executable files launched via rdsys. Low-risk vulnerabilities were mainly associated with the use of outdated dependencies that contained known vulnerabilities, or with the possibility of committing a denial of service. Minor vulnerabilities in Tor Browser include the ability to bypass the JavaScript execution ban when setting the highest level of protection, the lack of restrictions on downloading files, and a potential information leak through the user's home page, which allows you to track users between restarts. Currently, all vulnerabilities have been fixed, among other things, authentication for all rdsys handlers has been implemented and verification of lists uploaded to Tor Browser by digital signature has been added. Additionally, you can note the release of Tor Browser 13.0.1. The release is synchronized with the Firefox 115.4.0 ESR codebase, which fixes 19 vulnerabilities (13 are considered dangerous). The Tor Browser version 13.0.1 for Android has been updated with vulnerability fixes from the Firefox 119 branch. [/QUOTE]
Name
Verification
Post reply
Home
Forums
CARDING & HACKING
Carding News
How Tor Browser passed the strength test: security audit results
Top