TOR-022 — tor-android-service – Use of unmaintained third-party components
Code from unmaintained third parties is used within the tor-android service shipped with the Tor browser for Android.
- Vulnerability type: CWE-1104: Use of Unmaintained Third Party Components
- Threat level: Moderate
Technical description:
Code from unmaintained third parties is used within the tor-android service shipped with the Android Tor browser. The tor-android service starts a Socks5 server (jsocksAndroid) to route every request of an application through Tor. To achieve this, the tun2socks module is used, which forwards all connections from a given TUN device to the Socks5 server and consequently through Tor. The jsocksAndroid project is written in Java, and its last commit was 8 years ago. However, the tun2socks module, implemented in C and taken from the badvpn project, represents a higher security risk. The master branch of the badvpn project in use is 9 commits ahead of, and 186 commits behind, the ambrop72:master fork. In turn, the ambrop72:master repository was archived on Aug 22, 2021, and its last release was in 2015. Upon further evaluation, we found that the tun2socks project uses C code from 2012. In short, this project is not maintained.
Impact:
Depending on the configuration, it might be possible for other apps to communicate with the interface, e.g., when an application is torified. A malicious application could exploit vulnerabilities within the tun2socks module to deanonymize the user or run arbitrary code inside the tor-android service. Because of this pentest's broad scope and the limited time available, it was not feasible to audit the tun2socks module. However, this finding is rated as moderate severity due to the risk potential.
Recommendation:
- Update the dependencies and switch to other components that are actively maintained.
- Alternatively, perform a code audit focusing on the tun2socks module or analyze and reduce the possible impact of security issues occurring in its code.
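The staleness figures cited in the technical description (commits ahead of and behind an upstream, age of the last commit) can be measured with git and enforced as a build gate. This is an added example, not part of the original report or of the project's tooling; the function names, ref names and thresholds are assumptions.

```sh
#!/bin/sh
# Added example: quantify how far a vendored fork has drifted from its upstream.
# Function names, ref names and thresholds are assumptions, not from the report.

# fork_drift REPO FORK_REF UPSTREAM_REF -> prints "<ahead> <behind>"
fork_drift() {
    local counts
    # For A...B, --left-right --count prints commits only in A, then only in B.
    counts=$(git -C "$1" rev-list --left-right --count "$2...$3") || return 1
    echo "$counts" | tr '\t' ' '
}

# last_commit_age_days REPO REF [NOW_EPOCH] -> whole days since the last commit on REF
last_commit_age_days() {
    local now last
    now=${3:-$(date +%s)}
    last=$(git -C "$1" log -1 --format=%ct "$2") || return 1
    echo $(( (now - last) / 86400 ))
}

# maintenance_verdict REPO FORK_REF UPSTREAM_REF MAX_AGE_DAYS MAX_BEHIND [NOW_EPOCH]
# Returns 0 (OK), 1 (STALE: too old or too far behind), 2 (refs could not be read).
maintenance_verdict() {
    local drift ahead behind age
    drift=$(fork_drift "$1" "$2" "$3") || return 2
    age=$(last_commit_age_days "$1" "$2" "$6") || return 2
    ahead=${drift% *}
    behind=${drift#* }
    if [ "$age" -gt "$4" ] || [ "$behind" -gt "$5" ]; then
        echo "STALE ahead=$ahead behind=$behind age_days=$age"
        return 1
    fi
    echo "OK ahead=$ahead behind=$behind age_days=$age"
}

# Stand-alone use: ./check.sh REPO FORK_REF UPSTREAM_REF MAX_AGE_DAYS MAX_BEHIND
if [ "$#" -ge 5 ]; then
    maintenance_verdict "$@"
fi
```

Git history cannot show that a hosting platform has archived a repository, so that signal has to be checked separately.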