Legacy / Trac / Issues / #13256

Closed (moved)
Created Sep 26, 2014 by Trac@tracbot

torsocks 1.3 possibly leaks username

Hi!

Disclaimer: Not sure if I should have opened this bug report, since it's for an old version and torsocks is now at 2.0, but 1.3 is the current version of torsocks in the Ubuntu 14.04 (LTS) repositories, which means it will still be so for some time.

Recently, while playing with torsocks, wget and Wireshark, I discovered something that looks like the name of the user running torsocks being leaked somehow. It's always reproducible when https is not used and torsocks is configured to use SOCKS4 (SOCKS5 is unaffected). Please see the attached screenshot for an easier explanation.

Thankfully, these bytes will hardly ever leave the loopback interface thanks to the default configuration of Tor, but in some configurations it could be considered dangerous. Furthermore, doc/socks/socks-extensions.txt says that usernames are ignored in SOCKS4 and SOCKS4A. Wouldn't it be better, then, to send random characters instead of the name of the user running it?

I haven't had a deep look at the torsocks code, but I think these calls are the key: src/socks.c: user = getpwuid(getuid());

These calls seem to have been there since the beginning of the project but are no longer in the latest version.

If you consider this a bug, we should notify distributions. Otherwise, if this behaviour is expected, just close this report ;)

Trac:
Username: p4blog
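To make the leak described in the report concrete, here is an added example (not torsocks' code, and in Python rather than torsocks' C) that encodes a SOCKS4/SOCKS4a CONNECT request byte for byte and parses it back the way a sniffer on the client-to-proxy hop would. The USERID field is a plain NUL-terminated string sitting between DSTIP and the optional hostname, so whatever the client puts there is readable in cleartext. `leaky_userid()` re-creates what a client that copies `getpwuid(getuid())->pw_name` into that field sends, and `hardened_userid()` is the alternative the report suggests: a random ident, which costs nothing because Tor ignores the field for SOCKS4/4a. The destination host, port and the function names are assumptions for illustration; no network traffic is sent.

```python
import os
import secrets
import socket
import struct

SOCKS4_VERSION = 4
SOCKS4_CMD_CONNECT = 1


def build_socks4a_connect(host: str, port: int, userid: bytes) -> bytes:
    """Encode a SOCKS4/SOCKS4a CONNECT request exactly as it appears on the wire:

        VN(1) | CD(1) | DSTPORT(2, network order) | DSTIP(4) | USERID ... NUL | [HOSTNAME ... NUL]

    USERID is a plain NUL-terminated string; nothing in the protocol hides it.
    If `host` is not an IPv4 literal, the SOCKS4a form is used: DSTIP is set to
    0.0.0.1 and the hostname follows USERID so that the proxy resolves it.
    """
    if b"\x00" in userid:
        raise ValueError("USERID must not contain NUL")
    try:
        dstip = socket.inet_aton(host)
        hostname = b""
    except OSError:
        dstip = b"\x00\x00\x00\x01"
        hostname = host.encode("idna") + b"\x00"
    if dstip[:3] == b"\x00\x00\x00" and not hostname:
        # 0.0.0.x is reserved as the SOCKS4a "hostname follows" marker.
        raise ValueError("0.0.0.x literals are ambiguous in SOCKS4a")
    header = struct.pack("!BBH", SOCKS4_VERSION, SOCKS4_CMD_CONNECT, port)
    return header + dstip + userid + b"\x00" + hostname


def parse_socks4_connect(data: bytes) -> dict:
    """Decode a SOCKS4/SOCKS4a CONNECT request the way a passive observer
    (e.g. Wireshark on the client-to-proxy hop) would see it."""
    if len(data) < 9:
        raise ValueError("truncated SOCKS4 request")
    vn, cd, port = struct.unpack("!BBH", data[:4])
    if vn != SOCKS4_VERSION:
        raise ValueError(f"not a SOCKS4 request (VN={vn})")
    dstip = data[4:8]
    rest = data[8:]
    end = rest.find(b"\x00")
    if end < 0:
        raise ValueError("USERID is not NUL-terminated")
    userid, rest = rest[:end], rest[end + 1:]
    hostname = None
    if dstip[:3] == b"\x00\x00\x00" and dstip[3] != 0:
        end = rest.find(b"\x00")
        if end < 0:
            raise ValueError("SOCKS4a hostname is not NUL-terminated")
        hostname, rest = rest[:end].decode("idna"), rest[end + 1:]
    if rest:
        raise ValueError("trailing bytes after request")
    return {
        "command": cd,
        "port": port,
        "dstip": socket.inet_ntoa(dstip),
        "userid": userid,
        "hostname": hostname,
    }


def leaky_userid() -> bytes:
    """What a client that copies getpwuid(getuid())->pw_name into USERID sends.
    This re-creates the behaviour the report describes; it is not torsocks' code."""
    try:
        import pwd  # POSIX only
        return pwd.getpwuid(os.getuid()).pw_name.encode()
    except (ImportError, KeyError):
        return os.environ.get("USER", "unknown").encode()


def hardened_userid() -> bytes:
    """A fresh random ident per request. Tor ignores USERID for SOCKS4/4a,
    so nothing functional is lost and no account name reaches the wire."""
    return secrets.token_hex(4).encode()


def userid_on_wire(host: str, port: int, userid: bytes) -> bytes:
    """Round-trip helper: build a request and recover USERID from the raw bytes,
    i.e. what a sniffer learns about the client from a single CONNECT."""
    return parse_socks4_connect(build_socks4a_connect(host, port, userid))["userid"]


if __name__ == "__main__":
    # Constructed request to a hypothetical destination; nothing is sent.
    leaked = build_socks4a_connect("example.com", 80, leaky_userid())
    fixed = build_socks4a_connect("example.com", 80, hardened_userid())
    print("leaky   :", leaked.hex(" "), "->", parse_socks4_connect(leaked)["userid"])
    print("hardened:", fixed.hex(" "), "->", parse_socks4_connect(fixed)["userid"])
```

Running the script prints the hex of both requests; in the first one the local account name is recoverable from the bytes with no decoding beyond finding the NUL, which is exactly what the screenshot in the report shows. This is also why the report notes SOCKS5 as unaffected: a SOCKS5 handshake using the no-authentication method carries no ident field at all.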
