Opened 3 years ago

Closed 3 years ago

#17980 closed defect (fixed)

Torify/Torsocks - Possible bug with OSX's default curl binary

Reported by: z0xcd
Owned by: dgoulet
Priority: High
Milestone:
Component: Core Tor/Torsocks
Version:
Severity: Major
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

OSX default curl binary is not being torified when using torify or torsocks. Using: curl --proxy socks5h://curl:curl@127.0.0.1:9050/ works fine, however, running torify/torsocks curl <url> does not work.

Example:

$ torify curl ifconfig.co/all.json # returns original IP
$ curl --proxy socks5h://curl:curl@127.0.0.1:9050/ ifconfig.co/all.json # returns the expected output
$ torify curl https://check.torproject.org/ | grep -i congratulations # returns nothing

Torify does work on the Homebrew's curl version with the torify command, but it does not work when running a torify --shell (nor does the default OSX's curl):

$ torify --shell
/usr/local/bin/torsocks: New torified shell coming right up...
$ /usr/local/opt/curl/bin/curl ifconfig.co/all.json # returns my real IP
$ /usr/bin/curl ifconfig.co/all.json # returns my real IP
$ wget ifconfig.co/all.json # returns my real IP too (using homebrew's wget version 1.17.1)

OSX default curl:

$ curl --version
curl 7.43.0 (x86_64-apple-darwin15.0) libcurl/7.43.0 SecureTransport zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz UnixSockets

Homebrew's curl version:

$ /usr/local/opt/curl/bin/curl --version
curl 7.46.0 (x86_64-apple-darwin15.0.0) libcurl/7.46.0 SecureTransport zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: IPv6 Largefile NTLM NTLM_WB SSL libz UnixSockets

Apple makes this difficult to debug and find out why, due to its Security Integrity Protection (executables signed with restricted entitlements), so I copied OSX's default curl binary to /tmp and ran [1]. Then I was able to run dtruss on the default curl; however, I wasn't able to run torify with dtruss, since [1] didn't work. The dtruss output didn't have anything interesting as far as I know.

Attachments: with-torify.txt for the output of sudo torify dtruss ./curl ifconfig.co/all.json and no-torify.txt for sudo dtruss ./curl ifconfig.co/all.json

I am willing to help debug this if needed, but I would like some help to make this easier, since disabling OSX's System Integrity Protection is not a good idea, and apparently code-signing didn't work with me.

[1] codesign -f -s `whoami` curl

OSX version: 10.11.2 (15C50)
Torsocks version: Torsocks 2.1.0
Tor version: 0.2.7.6

Attachments (2)

with-torify.txt (29.5 KB) - added by z0xcd 3 years ago.
dtruss with torify
no-tor.txt (29.4 KB) - added by z0xcd 3 years ago.
dtruss without torify

Change History (8)

Changed 3 years ago by z0xcd

Attachment: with-torify.txt added

dtruss with torify

Changed 3 years ago by z0xcd

Attachment: no-tor.txt added

dtruss without torify

comment:1 Changed 3 years ago by teor

Apple's system integrity prevention also prevents users from injecting shared libraries into some binaries. This could be a cause of this issue. (And if this is the case, there may be nothing we can do to fix this.)

That said, these commands all work fine for me, whether I am using /usr/bin/curl or /opt/local/bin/curl (MacPorts).

I am running OS X 10.11.2, but I have the developer tools installed and I upgraded from 10.10. Either of these may mean that System Integrity Protection is turned off.

comment:2 in reply to:  1 Changed 3 years ago by z0xcd

Replying to teor:

> Apple's system integrity prevention also prevents users from injecting shared libraries into some binaries. This could be a cause of this issue. (And if this is the case, there may be nothing we can do to fix this.)
>
> That said, these commands all work fine for me, whether I am using /usr/bin/curl or /opt/local/bin/curl (MacPorts).
>
> I am running OS X 10.11.2, but I have the developer tools installed and I upgraded from 10.10. Either of these may mean that System Integrity Protection is turned off.

You are right. Apple now ships with El Capitan by default, and AFAIK it also ships with SIP on. I have installed Yosemite and from Yosemite upgraded to El Capitan, which kept SIP enabled by default. Perhaps checking if SIP is on when running Torsocks and alerting about this issue would be more secure; people could rely on Torsocks to torify any of Apple's default binaries and get bad results.
Perhaps something like this?

diff --git a/../Cellar/torsocks/2.1.0/bin/torsocks b/Users/0xcflow/torsocks
index 522d058..9abda23 100755
--- a/../Cellar/torsocks/2.1.0/bin/torsocks
+++ b/Users/0xcflow/torsocks
@@ -67,25 +67,9 @@ LIB_NAME="libtorsocks"
 SHLIB_EXT="dylib"
 SHLIB="${LIBDIR}/${LIB_NAME}.${SHLIB_EXT}"

-check_platform ()
-{
-    unamestr=`uname`
-    if [ "$unamestr" == 'Darwin' ]; then
-        sipcheck='csrutil status | grep enabled'
-        if [ "$sipcheck" == 'enabled']; then
-            return true;
-        fi
-    fi
-    return false;
-}
-
 # Set DYLD_INSERT_LIBRARIES variable with torsocks library path.
 set_ld_preload ()
 {
-    if [ check_platform ]; then
-        echo "Torify does not work on a SIP protected OSX"
-        exit 1;
-    fi
        if [ -z "$DYLD_INSERT_LIBRARIES" ]; then
                export DYLD_INSERT_LIBRARIES="${SHLIB}"
        else
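
Review bot: In set_ld_preload, `if [ check_platform ]` tests a non-empty string and never calls the function, so the condition is always true and the script would print the error and exit on every run; call the function directly with `if check_platform; then`. Inside check_platform, `sipcheck='csrutil status | grep enabled'` stores the literal text because of the single quotes (command substitution with `$(...)` is needed), `'enabled']` is missing the space before `]`, and comparing against the bare word `enabled` would not match the full line that grep prints; testing the exit status of `csrutil status | grep -q enabled` avoids the string comparison entirely. `return true` and `return false` are not valid in sh, where `return` takes a numeric status (`return 0` / `return 1`). The diff also appears to be generated in the reverse direction, since the proposed check shows up as `-` lines against the installed Cellar copy.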
comment:3 Changed 3 years ago by teor

No, SIP is enabled on my machine:

$ csrutil status
System Integrity Protection status: enabled.

I'm using a very old version of torsocks from MacPorts, and it still works with SIP enabled:

$ port list torsocks
torsocks                       @1.2            net/torsocks

And the torified commands all work for me:

$ torify curl ifconfig.co/all.json
# returns Tor Exit IP

So we broke something between 1.2 and 2.1 that is required for torsocks to work under SIP.
Let's work out what that was, and fix it instead.

comment:4 Changed 3 years ago by dgoulet

Status: new → accepted

Accept a bunch of tickets for torsocks.

comment:5 Changed 3 years ago by dgoulet

Priority: Medium → High
Severity: Normal → Major

I would be very happy to get a patch to fix this. I think it's probably linked to #17936 as well. I do not have an OS X to test so I'll have to trust someone with OS X to test any patch. Thanks

comment:6 Changed 3 years ago by dgoulet

Keywords: torsocks torify osx removed
Resolution: fixed
Status: accepted → closed
Version: Tor: 0.2.7.6

Ok we merged a band-aid for this in torsocks 2.2.0 stable now released. Closing this one as we should open a new ticket for "let's try to bypass that integrity protection" if we think it's a good idea.
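
The kind of pre-flight check discussed in comments 1 and 2, written as an added example that is not part of this ticket and is not torsocks code. It assumes SIP drops DYLD_INSERT_LIBRARIES for binaries under /System, /bin, /sbin and /usr (excluding /usr/local); the function names are hypothetical and the status string is the one quoted in comment 3.

```shell
#!/bin/sh
# Added example (not torsocks code): decide whether library injection via
# DYLD_INSERT_LIBRARIES is expected to be dropped for a given binary, so the
# caller can refuse to run instead of silently leaking un-torified traffic.

# sip_enabled STATUS_TEXT
# Succeeds when the text (output of `csrutil status`) reports SIP as enabled.
sip_enabled() {
    case "$1" in
        *"System Integrity Protection status: enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# in_protected_path ABSOLUTE_PATH
# Assumption: protected locations are /System, /bin, /sbin and /usr,
# with /usr/local excluded. The path must already be absolute and resolved.
in_protected_path() {
    case "$1" in
        /usr/local/*) return 1 ;;
        /System/*|/bin/*|/sbin/*|/usr/*) return 0 ;;
        *) return 1 ;;
    esac
}

# injection_verdict STATUS_TEXT ABSOLUTE_PATH
# Prints "blocked" when the preload is expected to be stripped, else "ok".
injection_verdict() {
    if sip_enabled "$1" && in_protected_path "$2"; then
        echo "blocked"
    else
        echo "ok"
    fi
}

# Sample input taken from comment 3; on a real system: status=$(csrutil status)
SAMPLE_STATUS="System Integrity Protection status: enabled."

for bin in /usr/bin/curl /usr/local/opt/curl/bin/curl; do
    echo "$bin: $(injection_verdict "$SAMPLE_STATUS" "$bin")"
done
```

A wrapper would resolve the command with `command -v` first and abort on "blocked" rather than run it without the preload.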