Re: Warning to NoReply.org DEB Package Users

2007-08-11 Thread Mike Cardwell
* on the Fri, Aug 10, 2007 at 04:12:21PM -0400, Ringo Kamens wrote:

 As you know, a major security vulnerability was just patched with the
 0.1.2.16 release. I have been using the noreply.org deb packages but
 they didn't update to the newest version (at least not under amd64
 feisty). If you are in my situation you can compile from source or
 disable your controlport and wait out the storm until a new version is
 released. Is the package maintainer busy or..?
 Comrade Ringo Kamens

I've been using the noreply 0.1.2.16 release since it came out 9 days
ago...

[EMAIL PROTECTED]:~# grep noreply /etc/apt/sources.list
deb http://mirror.noreply.org/pub/tor etch main
deb-src http://mirror.noreply.org/pub/tor etch main 
[EMAIL PROTECTED]:~# dpkg -l|grep ' tor '
ii  tor 0.1.2.16-1~~etch.1 anonymizing overlay network for TCP
[EMAIL PROTECTED]:~# 

The amd64 Feisty version came out at the same time:

http://mirror.noreply.org/pub/tor/pool/feisty/tor_0.1.2.16-1~feisty.1_amd64.deb

Mike


Re: Warning to NoReply.org DEB Package Users

2007-08-11 Thread Florian Reitmeir
On Fri, 10 Aug 2007, coderman wrote:

 On 8/10/07, Ringo Kamens [EMAIL PROTECTED] wrote:
  I think what he is saying (which might be true) is that tor doesn't
  have the permissions to save the torrc.
 there are some configurations that don't allow saving the config.
 they are still vulnerable.

if you use the standard debian config, you have nothing to fear
- torrc not writeable 
- controlport not open

and the maintainer claims the versions online have been updated for
nearly 1.5 weeks and are the fixed version.

-- 
Florian Reitmeir


Re: Warning to NoReply.org DEB Package Users

2007-08-11 Thread Florian Reitmeir
On Fri, 10 Aug 2007, Kyle Williams wrote:

 This is not true.  The effects of the bug are very severe, and it DOES NOT
 require the config to be saved!  An attacker could still cause you to lose
 your anonymity.
 UPDATE, UPDATE, UPDATE.

Like I wrote before, you are only vulnerable if you have the following
conditions:

- open control port
- config file writeable by the tor process

And the versions online are all up to date, so if in doubt just upgrade.


If you use a Tor GUI, I _really_ recommend upgrading.

-- 
Florian Reitmeir
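
A local check for the two conditions listed in the message above, reported separately (an added example, not part of the thread and not Tor or Debian project code). The `/etc/tor/torrc` path, the `debian-tor` account name and the sample torrc texts are assumptions or constructed for illustration.

```python
import grp
import os
import pwd
import stat

def parse_torrc(text):
    """Map lower-cased option names to their last value; '#' starts a comment."""
    options = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            options[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return options

def writable_by(mode, owner_uid, owner_gid, uid, gids):
    """Classic Unix permission-bit check for one file. ACLs and write access
    to the containing directory are outside this check."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def assess(torrc_text, mode, owner_uid, owner_gid, tor_uid, tor_gids):
    """Report the two conditions separately for one torrc and one account."""
    port = parse_torrc(torrc_text).get("controlport", "0")
    return {
        "control_port_open": port != "0",  # unset or 0 means no control port
        "torrc_writable_by_tor": writable_by(mode, owner_uid, owner_gid, tor_uid, tor_gids),
    }

def assess_path(path="/etc/tor/torrc", user="debian-tor"):
    """Same check on a live system; path and account name are assumptions."""
    account = pwd.getpwnam(user)
    gids = {account.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    info = os.stat(path)
    with open(path) as handle:
        return assess(handle.read(), info.st_mode, info.st_uid, info.st_gid, account.pw_uid, gids)

# Constructed torrc texts, not taken from any real system.
PACKAGED_STYLE = "SocksPort 9050\n#ControlPort 9051\n"
GUI_STYLE = "SocksPort 9050\nControlPort 9051  # opened for a controller\n"
```
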


Re: Warning to NoReply.org DEB Package Users

2007-08-11 Thread Ringo Kamens
@Mike: Good to know. I'll just use the etch version for now since
feisty isn't out.
Comrade Ringo Kamens

On 8/11/07, Florian Reitmeir [EMAIL PROTECTED] wrote:
 On Fri, 10 Aug 2007, Kyle Williams wrote:

  This is not true.  The effects of the bug are very severe, and it DOES NOT
  require the config to be saved!  An attacker could still cause you to lose
  your anonymity.
  UPDATE, UPDATE, UPDATE.

 Like I wrote before, you are only vulnerable if you have the following
 conditions:

 - open control port
 - config file writeable by the tor process

 And the versions online are all up to date, so if in doubt just upgrade.


 If you use a Tor GUI, I _really_ recommend upgrading.

 --
 Florian Reitmeir



Question about the vulnerability

2007-08-11 Thread nobledark
Hi,

Forgive my ignorance, but when exactly does the Control Port come 
into play? Is a Tor user who simply uses Tor in client mode 
vulnerable? I've seen the Control Port info in the man pages but 
that doesn't really answer my question - can anyone advise?


Thanks...




Re: Question about the vulnerability

2007-08-11 Thread Roger Dingledine
On Sat, Aug 11, 2007 at 02:21:31PM -0400, [EMAIL PROTECTED] wrote:
 Forgive my ignorance, but when exactly does the Control Port come 
 into play? Is a Tor user who simply uses Tor in client mode 
 vulnerable? I've seen the Control Port info in the man pages but 
 that doesn't really answer my question - can anyone advise?

Read http://archives.seul.org/or/talk/Aug-2007/msg00034.html for the
answer. We do promise to explain it better once more people have had a
chance to upgrade. :)

Hope that helps,
--Roger



ModSecurity v2 Apache rules for directory servers

2007-08-11 Thread Mike Cardwell
On http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#ServerForFirewalledClients
one of the suggested methods to get your Directory service on port 80 if
Apache is in the way is to use mod_proxy.

Personally I think sticking tor's directory service behind Apache so it's
not exposed to the wider Internet directly is a good thing anyway. The
sheer scale of development, usage and history of Apache makes me
confident that it is less likely to contain security holes than tor
(see recent exploit).

This is not a dig! I am writing this email to share some ModSecurity
(http://www.modsecurity.org/) rules that I have been developing and using
to severely restrict the requests that get forwarded onto the tor daemon by
mod_proxy. Someone may find them useful. Here are the relevant parts of
my Apache vhost:

<Location /tor/>
   SecRuleEngine On
   SecRequestBodyAccess  On
   SecResponseBodyAccess Off
   SecRuleInheritance    Off
   SecAuditLogRelevantStatus ^500$
   SecDefaultAction  log,auditlog,deny,phase:2,status:500,severity:'2'

   # Checks on the Host header, protocol, method and request body
   SecRule HTTP_HOST        !^\d{1,3}(?:\.\d{1,3}){3}$ "msg:'Host header must be IP address'"
   SecRule REQUEST_PROTOCOL !^HTTP/1\.[01]$            "msg:'HTTP/1.0 or HTTP/1.1 only'"
   SecRule REQUEST_METHOD   !^GET$                     "msg:'We only allow GETs here'"
   SecRule REQUEST_HEADERS:Content-Length !^0?$        "msg:'No request message bodies allowed'"

   # Chained negated matches: deny only when the URI matches none of these
   SecRule REQUEST_URI !^/tor/server/authority$   "chain,msg:'Badly formed uri'"
   SecRule REQUEST_URI !^/tor/status/all$         chain
   SecRule REQUEST_URI !^/tor/running-routers$    chain
   SecRule REQUEST_URI !^/tor/dir\.z$             chain
   SecRule REQUEST_URI !^/tor/server/(?:d|fp)/(?:[A-F0-9]{40})(?:\+[A-F0-9]{40})*\.z$ chain
   SecRule REQUEST_URI !^/tor/status/fp/[A-F0-9]{40}(?:\+[A-F0-9]{40})*\.z$

   ProxyPass http://127.0.0.1:9030/tor/
</Location>

I put another http service behind Apache earlier this year unrelated to
tor (I won't mention the name of the product). After it had been running
for a couple of months, we found a DOS that could be performed
accidentally by doing a GET request in a certain way. Whilst waiting
for a bug fix, because I had the flexibility of Apache in front of it,
it was a cinch to just stick a rewrite rule in place to prevent the
request taking place and the DOS happening.

P.S. The ProxyPassReverse entry in the faq seems redundant as the tor
directory http service doesn't appear to ever return a redirect response.

Mike


Re: Question about the vulnerability

2007-08-11 Thread nobledark
Roger, thank you for your response - I did follow that thread when 
it came out and upgraded my systems. The question I have is not 
really about the vulnerability but more of a general operational 
one - in what situations is the control port actually used? If I am 
not running a Tor server but using Tor in client mode, does the 
Control Port get used? What is it used for? 

Thanks again for the great software... looking to do more with it
soon.

 -Nd

On Sat, 11 Aug 2007 14:33:22 -0400 Roger Dingledine [EMAIL PROTECTED] wrote:
On Sat, Aug 11, 2007 at 02:21:31PM -0400, [EMAIL PROTECTED] wrote:
 Forgive my ignorance, but when exactly does the Control Port come
 into play? Is a Tor user who simply uses Tor in client mode
 vulnerable? I've seen the Control Port info in the man pages but
 that doesn't really answer my question - can anyone advise?

Read http://archives.seul.org/or/talk/Aug-2007/msg00034.html for the
answer. We do promise to explain it better once more people have had a
chance to upgrade. :)

Hope that helps,
--Roger




Re: Question about the vulnerability

2007-08-11 Thread Freemor
On Sat, 2007-11-08 at 15:33 -0400, [EMAIL PROTECTED] wrote:
 Roger, thank you for your response - I did follow that thread when 
 it came out and upgraded my systems. The question I have is not 
 really about the vulnerability but more of a general operational 
 one - in what situations is the control port actually used? If I am 
 not running a Tor server but using Tor in client mode, does the 
 Control Port get used? What is it used for? 

The control port is used to let you, another program, another computer,
control/communicate with TOR. If you just install tor as a client and
don't mess about with the config file the control port should be closed
by default. If you install a tor/Vidalia bundle the control port will
need to be open so Vidalia can control/communicate with TOR. Same would
go for if you were using TorK, if your TOR is on a net appliance and
configured to be controlled/communicate with Vidalia/TorK/etc on another
machine.

Privoxy doesn't fall into this discussion as it just shuttles data
through tor rather than communicating with TOR.

you can read more on the control port at:
http://tor.eff.org/tor-manual.html.en

and 

http://tor.eff.org/svn/trunk/doc/spec/control-spec.txt

long story short... if you are using a GUI for tor the control port is
most likely open.



Freemor [EMAIL PROTECTED]

This e-mail has been digitally signed with GnuPG

See: http://gnupg.org/ for more details






Re: Question about the vulnerability

2007-08-11 Thread nobledark
Freemor, thanks a lot - that makes perfect sense...glad I upgraded 
:)

-Nd

On Sat, 11 Aug 2007 18:13:12 -0400 Freemor [EMAIL PROTECTED] wrote:
On Sat, 2007-11-08 at 15:33 -0400, [EMAIL PROTECTED] wrote:
 Roger, thank you for your response - I did follow that thread when
 it came out and upgraded my systems. The question I have is not
 really about the vulnerability but more of a general operational
 one - in what situations is the control port actually used? If I am
 not running a Tor server but using Tor in client mode, does the
 Control Port get used? What is it used for?

The control port is used to let you, another program, another computer,
control/communicate with TOR. If you just install tor as a client and
don't mess about with the config file the control port should be closed
by default. If you install a tor/Vidalia bundle the control port will
need to be open so Vidalia can control/communicate with TOR. Same would
go for if you were using TorK, if your TOR is on a net appliance and
configured to be controlled/communicate with Vidalia/TorK/etc on another
machine.

Privoxy doesn't fall into this discussion as it just shuttles data
through tor rather than communicating with TOR.

you can read more on the control port at:
http://tor.eff.org/tor-manual.html.en

and

http://tor.eff.org/svn/trunk/doc/spec/control-spec.txt

long story short... if you are using a GUI for tor the control port is
most likely open.



Freemor [EMAIL PROTECTED]

This e-mail has been digitally signed with GnuPG

See: http://gnupg.org/ for more details




Re: New Hidden Wiki

2007-08-11 Thread Ringo Kamens
Respect and stay safe. You are a hero.
Comrade Ringo Kamens

On 8/11/07, Matthew [EMAIL PROTECTED] wrote:
 I just put up a new hidden wiki.  It's at http://624eb2rznzhtq2cz.onion/

 With a little googling, I found a page that had the main page of the
 old hidden wiki, so I put it up as the main page of the new hidden
 wiki.

 It still needs some updating to the hidden services, conversion of the
 rest of the camelcase links to mediawiki links, re-creation of the
 other pages, and anything else I haven't thought of.

 --Matt