TTP-03-004 WP1: Limited SSRF attack through Bridgestrap
Threat level: _Info_
Bridgestrap was found to have no protection against Server-Side Request Forgery (SSRF). Specifically, when testing a bridge that uses the Webtunnel transport, Bridgestrap sends an HTTP GET request to an attacker-chosen path on the web server behind that bridge. If a submitted bridge resolves to an internal IP address, this permits a limited SSRF attack against internal services on the Tor Project’s infrastructure.
A number of advanced SSRF techniques could escalate this to remote code execution (RCE) if particular kinds of internally hosted services are reachable. For example, using the TLS mode of Webtunnel, an attacker could abuse the TLS Poison attack (https://i.blackhat.com/USA-20/Wednesday/us-20-Maddux-When-TLS-Hacks-You.pdf) against an internal Memcached database.
It is recommended to ensure that deployments of Bridgestrap have no network access to private resources. Alternatively, bridges whose hostnames resolve to private IP addresses could be rejected; however, such a check on its own is vulnerable to DNS rebinding attacks and would require additional protections to mitigate the issue comprehensively.
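The second mitigation, rejecting bridges that resolve to private addresses without trusting a DNS answer that can change between check and connect, can be implemented in Go, the language Bridgestrap is written in. The following is an added example, not code from Bridgestrap or from the report: it resolves the bridge hostname once, rejects the bridge if any address in the answer is non-public, dials the checked IP literal (so a rebinding resolver cannot substitute an internal address after the check), and refuses HTTP redirects. The function names and the extra reserved ranges beyond Go’s built-in predicates are this example’s own choices; Webtunnel-specific request handling is not shown.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"time"
)

// Added example (not Bridgestrap code): an outbound HTTP client that refuses
// to reach internal addresses. Resolution happens exactly once, in the dialler,
// and the TCP connection is made to the checked IP rather than the hostname.

// forbiddenNets lists reserved IPv4 ranges that net.IP's predicates do not cover.
var forbiddenNets = mustParseCIDRs(
	"0.0.0.0/8",     // "this" network
	"100.64.0.0/10", // shared address space (RFC 6598, carrier NAT)
	"192.0.0.0/24",  // IETF protocol assignments
	"198.18.0.0/15", // benchmarking
	"240.0.0.0/4",   // reserved, includes limited broadcast
)

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// IsForbiddenIP reports whether ip must never be contacted: loopback, RFC 1918
// and IPv6 ULA, link-local, multicast, unspecified, and the ranges above.
// IPv4-mapped IPv6 addresses are normalised by the net.IP predicates themselves.
func IsForbiddenIP(ip net.IP) bool {
	if ip == nil {
		return true
	}
	if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsInterfaceLocalMulticast() ||
		ip.IsMulticast() || ip.IsUnspecified() {
		return true
	}
	for _, n := range forbiddenNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

var ErrForbiddenAddress = errors.New("bridge address resolves to a non-public IP")

// ResolvePublic returns the single IP that will be dialled for host. Every
// address in the DNS answer must be public: a mixed answer is rejected rather
// than filtered, because a hostile resolver decides which record is returned.
func ResolvePublic(ctx context.Context, r *net.Resolver, host string) (net.IP, error) {
	if ip := net.ParseIP(host); ip != nil { // IP literal: no DNS involved
		if IsForbiddenIP(ip) {
			return nil, fmt.Errorf("%w: %s", ErrForbiddenAddress, ip)
		}
		return ip, nil
	}
	addrs, err := r.LookupIPAddr(ctx, host)
	if err != nil {
		return nil, err
	}
	if len(addrs) == 0 {
		return nil, fmt.Errorf("no addresses for %q", host)
	}
	for _, a := range addrs {
		if IsForbiddenIP(a.IP) {
			return nil, fmt.Errorf("%w: %s -> %s", ErrForbiddenAddress, host, a.IP)
		}
	}
	return addrs[0].IP, nil
}

// NewClient builds an http.Client whose dialler resolves through ResolvePublic
// and connects to the checked IP literal. Only the TCP dial is replaced, so TLS
// still uses the hostname for SNI and certificate verification. Redirects are
// another place where the target is re-resolved, so they are refused outright.
func NewClient() *http.Client {
	d := &net.Dialer{Timeout: 10 * time.Second}
	transport := &http.Transport{
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			host, port, err := net.SplitHostPort(addr)
			if err != nil {
				return nil, err
			}
			ip, err := ResolvePublic(ctx, net.DefaultResolver, host)
			if err != nil {
				return nil, err
			}
			return d.DialContext(ctx, network, net.JoinHostPort(ip.String(), port))
		},
		TLSHandshakeTimeout: 10 * time.Second,
	}
	return &http.Client{
		Transport: transport,
		Timeout:   30 * time.Second,
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

func main() {
	// Constructed sample inputs; TEST-NET-3 (203.0.113.0/24) stands in for a public bridge.
	for _, h := range []string{"127.0.0.1", "10.0.0.5", "169.254.169.254", "::1", "203.0.113.10"} {
		ip, err := ResolvePublic(context.Background(), net.DefaultResolver, h)
		fmt.Printf("%-16s -> ip=%v err=%v\n", h, ip, err)
	}
}
```

The check and the connection share one resolution because `ResolvePublic` is called inside `DialContext` and its result is what `d.DialContext` receives; a filter applied earlier (for instance when the bridge line is parsed) would leave a window for a second, internal DNS answer.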