Opened 4 years ago

Closed 3 years ago

Last modified 3 years ago

#17303 closed defect (fixed)

Bad exits inject port 8123 into HTTP redirects

Reported by: ikurua22
Owned by:
Priority: High
Milestone: Tor: unspecified
Component: Core Tor/DirAuth
Version: Tor: unspecified
Severity: Critical
Keywords:
Cc: arma
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Someone who is running a Tor exit is using Polipo to analyze traffic.

I'm browsing HTTP via Tor and suddenly I was redirected to
host:8123. TCP 8123 is used by Polipo.

Please stop this fker by adding a "Fraud detection" system to Tor itself.

e.g.,
Tor should add its fingerprint to a temporary blacklist and share it with the Tor
project if any of these conditions apply:

  1. all HTTP requests are redirected to HTTP. (80--->8123)
  2. make an HTTP connection to a known website (not HTTPS), and verify it.

Child Tickets

Attachments (1)

http-redirect.py (1.9 KB) - added by dcf 4 years ago.
exitmap module that checks for interference with HTTP redirects.


Change History (15)

comment:1 Changed 4 years ago by nickm

Yuck. Please send us the identity of the exit node so we can block them more?

comment:2 Changed 4 years ago by yawning

Component: Tor → DirAuth

This is an example of our BadExiting system failing due to the human element. dcf brought this up via e-mail on 2015/10/05, and provided a list of fingerprints, and an exitmap module to detect them automatically...

comment:3 Changed 4 years ago by ikurua22

Severity: Blocker

I was redirected to another.site:8123 just now.
Looks like this bad exit still exists in the Tor network...

@nickm
What lines should I add to Tor server's torrc?
I'm not using TBB.

@yawning
Do you have a URL of the e-mail so I can read it?


comment:4 Changed 4 years ago by ikurua22

Severity set to Blocker

What!?
I swear I didn't select the "Severity" property... sorry.

comment:5 Changed 4 years ago by ikurua22

Severity: Blocker → Critical

Has anyone else experienced forced redirection to
www.(anything).com:8123?

Why am I being redirected to 8123!? I'm 100% sure that someone in Tor is redirecting me while I'm browsing.
(Do not advise a virus scan. I seriously want to kick this guy out of the Tor network!!)

Changed 4 years ago by dcf

Attachment: http-redirect.py added

exitmap module that checks for interference with HTTP redirects.

comment:6 Changed 4 years ago by dcf

Here is a module for exitmap that checks for interference with HTTP redirects. It finds many (around 50) exit nodes that are injecting port 8123 into redirects.

To run it, copy http-redirect.py into exitmap's src/modules directory. Then run:

./bin/exitmap http-redirect

The output lines that indicate interference look like this:

2015-10-17 10:54:42,052 [ERROR]: 473E58937CC637BF1CEA67F02738935A98C15177 http://arstechnica.com:8123/tech-policy/2015/07/crypto-activists-announce-vision-for-tor-exit-relay-in-every-library/

It writes a file containing the full HTTP response for every interfering exit.

comment:7 Changed 4 years ago by dcf

Summary: Add Fraud Detection On Tor Core. → Bad exits inject port 8123 into HTTP redirects

comment:8 Changed 4 years ago by dcf

Here is what I have been able to find about these exits.

They seem to only affect plain HTTP redirects. For example, the URL

http://arstechnica.com/?p=716619

should redirect to the URL

http://arstechnica.com/tech-policy/2015/07/crypto-activists-announce-vision-for-tor-exit-relay-in-every-library/

but some exits instead rewrite the URL to be

http://arstechnica.com:8123/tech-policy/2015/07/crypto-activists-announce-vision-for-tor-exit-relay-in-every-library/

Here is an untampered header:

HTTP/1.1 301 Moved Permanently
connection: close
content-type: text/html; charset=UTF-8
date: Sun, 04 Oct 2015 20:31:42 GMT
location: http://arstechnica.com/tech-policy/2015/07/crypto-activists-announce-vision-for-tor-exit-relay-in-every-library/
server: nginx
set-cookie: country=US; path=/
transfer-encoding: chunked
x-ars-server: web03

And here is a tampered header. Notice that beyond the addition of ":8123", it also changed "Transfer-Encoding: chunked" to "Content-Length: 0".

HTTP/1.1 301 Moved Permanently
connection: close
content-length: 0
content-type: text/html; charset=UTF-8
date: Sun, 04 Oct 2015 20:37:30 GMT
location: http://arstechnica.com:8123/tech-policy/2015/07/crypto-activists-announce-vision-for-tor-exit-relay-in-every-library/
server: nginx
set-cookie: country=NL; path=/
x-ars-server: web09

I ran attachment:http-redirect.py three times in the past weeks.

2015-10-04: 54 bad exits
2015-10-17: 39 bad exits
2015-11-10: 8 bad exits
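The comparison dcf describes above, as an added example (this is not the http-redirect.py exitmap module attached to the ticket, which is not shown here): parse a raw HTTP redirect response, compare its Location header against the known-good target for the probe URL, and flag a changed host or port as well as the chunked-to-Content-Length rewrite. The two sample responses are constructed from the untampered and tampered header blocks quoted in comment:8; the function names, the `report()` output format and the `EXAMPLE_FINGERPRINT` placeholder are this example's own.

```python
"""Detect exit-side tampering with a plain-HTTP redirect.

Added example for ticket #17303; not the attached http-redirect.py.
"""
from urllib.parse import urlsplit

# Probe URL and its known-good redirect target, both taken from the ticket.
PROBE_URL = "http://arstechnica.com/?p=716619"
EXPECTED_LOCATION = (
    "http://arstechnica.com/tech-policy/2015/07/"
    "crypto-activists-announce-vision-for-tor-exit-relay-in-every-library/"
)


def _response(lines):
    """Join header lines into a CRLF-framed HTTP/1.1 response head."""
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed sample responses, modelled on the two header blocks in comment:8.
CLEAN_RESPONSE = _response([
    "HTTP/1.1 301 Moved Permanently",
    "connection: close",
    "content-type: text/html; charset=UTF-8",
    "date: Sun, 04 Oct 2015 20:31:42 GMT",
    "location: " + EXPECTED_LOCATION,
    "server: nginx",
    "set-cookie: country=US; path=/",
    "transfer-encoding: chunked",
    "x-ars-server: web03",
])

TAMPERED_RESPONSE = _response([
    "HTTP/1.1 301 Moved Permanently",
    "connection: close",
    "content-length: 0",
    "content-type: text/html; charset=UTF-8",
    "date: Sun, 04 Oct 2015 20:37:30 GMT",
    "location: http://arstechnica.com:8123/tech-policy/2015/07/"
    "crypto-activists-announce-vision-for-tor-exit-relay-in-every-library/",
    "server: nginx",
    "set-cookie: country=NL; path=/",
    "x-ars-server: web09",
])


def parse_response(raw):
    """Split a raw response head into (status_code, {lowercased name: value}).

    A repeated header name keeps its last value, which is sufficient for the
    headers compared here.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.splitlines()
    if not lines:
        raise ValueError("empty response")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def check_redirect(raw, expected_location=EXPECTED_LOCATION):
    """Return a list of anomaly strings; an empty list means the redirect looks clean."""
    status, headers = parse_response(raw)
    if status not in (301, 302, 303, 307, 308):
        return ["status %d is not a redirect" % status]
    location = headers.get("location")
    if location is None:
        return ["redirect without Location header"]
    got, want = urlsplit(location), urlsplit(expected_location)
    anomalies = []
    if got.port != want.port:
        anomalies.append("port injected into Location: %s" % got.netloc)
    if got.hostname != want.hostname:
        anomalies.append("host changed in Location: %s" % got.netloc)
    if got.path != want.path:
        anomalies.append("path changed in Location: %s" % got.path)
    # The tampered responses in the ticket also lost "transfer-encoding: chunked"
    # and gained "content-length: 0": the reply was rewritten, not just relayed.
    if "transfer-encoding" not in headers and headers.get("content-length") == "0":
        anomalies.append("Transfer-Encoding replaced by Content-Length: 0")
    return anomalies


def report(fingerprint, raw, expected_location=EXPECTED_LOCATION):
    """Return an exitmap-style "[ERROR]: <fingerprint> <location>" line, or None if clean."""
    anomalies = check_redirect(raw, expected_location)
    if not anomalies:
        return None
    location = parse_response(raw)[1].get("location", "<none>")
    return "[ERROR]: %s %s (%s)" % (fingerprint, location, "; ".join(anomalies))


if __name__ == "__main__":
    # EXAMPLE_FINGERPRINT is a placeholder; a scan would use the exit's identity.
    for label, raw in (("clean", CLEAN_RESPONSE), ("tampered", TAMPERED_RESPONSE)):
        print(label, report("EXAMPLE_FINGERPRINT", raw))
```

Comparing the parsed URL component by component, rather than the Location string as a whole, keeps the check from firing on benign differences such as a trailing query string, while still catching the port injection that is the subject of this ticket.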

comment:9 in reply to: 8; Changed 4 years ago by teor

Replying to dcf:

> Here is what I have been able to find about these exits.
>
> They seem to only affect plain HTTP redirects. For example, the URL
>
> http://arstechnica.com/?p=716619
>
> should redirect to the URL
>
> http://arstechnica.com/tech-policy/2015/07/crypto-activists-announce-vision-for-tor-exit-relay-in-every-library/
>
> but some exits instead rewrite the URL to be
>
> http://arstechnica.com:8123/tech-policy/2015/07/crypto-activists-announce-vision-for-tor-exit-relay-in-every-library/

It looks like this is a misconfigured polipo or other caching proxy in front of the exit.
I can't imagine how this sort of interference could be deliberate or useful.

However, regardless of intent, it is interfering with traffic. It's also evidence that other, more subtle analysis/interference may be happening.

Thanks for this analysis, dcf, and the detailed update.

> I ran attachment:http-redirect.py three times in the past weeks.
>
> 2015-10-04: 54 bad exits
> 2015-10-17: 39 bad exits
> 2015-11-10: 8 bad exits

I'm assuming that the exit numbers are decreasing because they're listed by the DirAuths as bad exits, in response to your emails (or running exitmap themselves).

It seems we're solving the problem, albeit incrementally.

Are the remaining exits new instances, or existing instances that haven't been blocked yet?

comment:10 in reply to: 9; Changed 4 years ago by dcf

Replying to teor:

> Replying to dcf:
>
> > I ran attachment:http-redirect.py three times in the past weeks.
> >
> > 2015-10-04: 54 bad exits
> > 2015-10-17: 39 bad exits
> > 2015-11-10: 8 bad exits
>
> I'm assuming that the exit numbers are decreasing because they're listed by the DirAuths as bad exits, in response to your emails (or running exitmap themselves).
>
> It seems we're solving the problem, albeit incrementally.
>
> Are the remaining exits new instances, or existing instances that haven't been blocked yet?

Thanks, I didn't realize that they were already BadExits. The 8 exits from today are all new and were not in the previous scans.

comment:11 in reply to: 10; Changed 4 years ago by teor

Replying to dcf:

> Replying to teor:
>
> > Replying to dcf:
> >
> > > I ran attachment:http-redirect.py three times in the past weeks.
> > >
> > > 2015-10-04: 54 bad exits
> > > 2015-10-17: 39 bad exits
> > > 2015-11-10: 8 bad exits
> >
> > I'm assuming that the exit numbers are decreasing because they're listed by the DirAuths as bad exits, in response to your emails (or running exitmap themselves).
> >
> > It seems we're solving the problem, albeit incrementally.
> >
> > Are the remaining exits new instances, or existing instances that haven't been blocked yet?
>
> Thanks, I didn't realize that they were already BadExits. The 8 exits from today are all new and were not in the previous scans.

I am assuming that they are disappearing because they were being tagged as BadExits in response to this issue - I don't know for sure.

I'm not sure if the bad exit list is public.

comment:12 in reply to: 11; Changed 4 years ago by dcf

Replying to teor:

> I'm not sure if the bad exit list is public.

For the current consensus you can just do:
https://onionoo.torproject.org/details?flag=BadExit

comment:13 Changed 4 years ago by ikurua22

How about adding this detection to Tor itself, and forcing users to use the latest Tor (kick out old versions)?

comment:14 Changed 3 years ago by cypherpunks

Resolution: fixed
Status: new → closed

Closing this for now; will reopen when I get another attack. Ty guys.
