GitLab

Robert Connolly from Matta Consulting reports that the config parsing bug in #5090 (moved) (which he found independently) is exploitable.

Examples for triggering it include

SETCONF aaaa="bbbbbbbbbbbb\x"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb

and setting a torrc line of

ContactInfo "Here I \x"amaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"

Fortunately, it looks like it can only be triggered once you've authenticated to the control port (in which case you can already screw the user) or if you can edit the torrc file (same). So it's not harmful.

Is that really true? Are there any other instances of the bug? Any other ways of reaching it? Does the different trust model for the control socket change the above paragraph?

Jake opened #5210 (moved) to avoid future things like this being exploitable in practice.

And Nick points out:

We ought to audit uses of get_escaped_string_length in control.c
nevertheless.  It is a *PHENOMINALLY BAD IDEA* in C to have
independent functions that count the length of something and that
parse it.  We should look for other cases of that antipattern too.

(This ticket started out as a secteam discussion, until we decided that it didn't look like a remote execution bug.)