Issue F. `oonid` Lacks Authentication Checks

At 2014-05-05 13:07:37 Arturo Filastò wrote:

Reported: 2014-04-10

Applies To: ooni-probe

Synopsis:

By default, oonid listens on a public IP address and has no authentication mechanism. Anyone who can reach the daemon can therefore upload inputs and run tests, which may aid malicious activity such as using the TCP connection test as a port scanner against third parties.

Impact:

The attacker can coerce the ooni-probe daemon into performing attacks against other systems without the operator's consent.

Preconditions:

ooni-probe must be installed and oonid must be running and listening on a public IP address.

Feasibility:

Exploitation is easy, since it can be done using a web browser to connect to the ooni-probe daemon, upload test inputs, and run tests. This can also be automated with a script that makes requests to the API.

Verification:

This vulnerability has been verified by source code inspection and by running the oonid from the GitHub repository.

Technical Details:

The TCP server is created in ooni-probe/ooni/oonid.py:

    def getOonid():
        director = Director()
        director.start()
        oonidApplication.director = director
        # No interface argument is passed: Twisted's TCPServer defaults to
        # interface='', i.e. every IPv4 address on the host, so the
        # unauthenticated API is reachable from any network the machine is on.
        return internet.TCPServer(int(config.advanced.oonid_api_port), oonidApplication)

Mitigation:

Users can mitigate this risk by setting up firewall rules that restrict access to the oonid API port to the local host or to trusted addresses.
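The hardened counterpart of the getOonid() snippet above, together with the firewall rule set that the Mitigation section recommends, as an added example that is not ooni-probe's own code: the default port value and the `application` argument are assumptions, and Twisted is imported only inside the server-building function so the checks run without it installed.

```python
import ipaddress

# Assumed value for illustration; the real daemon reads config.advanced.oonid_api_port.
DEFAULT_OONID_PORT = 8042


def is_loopback_bind(interface):
    """True when a Twisted TCPServer bound to `interface` is reachable only locally.

    Twisted treats '' as "all interfaces", which is exactly the exposure this
    issue describes, so it is rejected alongside the explicit wildcards.
    """
    if interface in ("", "0.0.0.0", "::"):
        return False
    return ipaddress.ip_address(interface).is_loopback


def firewall_rules(port, allow_from=()):
    """Return iptables commands that permit the oonid port from loopback and
    from the optional trusted CIDRs, and drop everything else (the Mitigation
    section's recommendation, expressed as rules rather than applied here)."""
    rules = ["iptables -A INPUT -p tcp --dport %d -i lo -j ACCEPT" % port]
    for cidr in allow_from:
        ipaddress.ip_network(cidr, strict=False)  # reject malformed input early
        rules.append("iptables -A INPUT -p tcp --dport %d -s %s -j ACCEPT" % (port, cidr))
    rules.append("iptables -A INPUT -p tcp --dport %d -j DROP" % port)
    return rules


def hardened_oonid_server(application, port=DEFAULT_OONID_PORT, interface="127.0.0.1"):
    """Build the same TCPServer as getOonid(), but refuse any non-loopback bind.

    `application` stands in for oonidApplication; it is passed in rather than
    imported so this function makes no assumption about ooni's module layout.
    """
    if not is_loopback_bind(interface):
        raise ValueError("oonid has no authentication; refusing to bind to %r" % interface)
    from twisted.application import internet  # assumed installed when this is called
    return internet.TCPServer(int(port), application, interface=interface)


if __name__ == "__main__":
    print("\n".join(firewall_rules(DEFAULT_OONID_PORT, allow_from=["192.0.2.0/24"])))
```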

This issue was automatically migrated from github issue https://github.com/TheTorProject/ooni-probe/issues/319