Beyond Anonymity: Tor Audit Finds 17 Vulnerabilities, Including One High-Risk

The Tor Project has published the report of a second audit by Radically Open Security, carried out between April and August 2023. The review covered the exit-relay code, the Tor Browser, infrastructure components (metrics collection, sbws, the Onionoo API) and testing utilities. Its main goal was to assess recent changes made to improve the speed and reliability of the Tor network, such as the Conflux traffic-splitting protocol introduced in Tor 0.4.8 and the proof-of-work defense that protects onion services against denial-of-service attacks.

The audit identified 17 vulnerabilities: one rated high-risk, four of medium severity and 12 of low severity. The high-risk finding was in onbasca (Onion Bandwidth Scanner), the application used to measure the bandwidth of network relays. A state-changing endpoint accepted HTTP GET requests, which made it vulnerable to Cross-Site Request Forgery (CSRF): because the browser attaches the operator’s session cookie to any cross-site GET, a page the operator merely visits could supply a “bridge_lines” parameter and add the attacker’s bridge nodes to the database.
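The pattern behind the onbasca finding, as an added example that is not onbasca’s code: a handler that mutates state on GET beside a hardened one that requires POST, a per-session CSRF token and a same-origin Origin/Referer. The Request shape, the session store, the bridge list, the site origin and the bridge lines are constructed for the illustration; only the “bridge_lines” parameter name comes from the finding.

```python
# Added example (not onbasca's code): a state-changing GET endpoint beside a
# hardened version. The Request shape, the session store and the bridge list
# are constructed stand-ins; `bridge_lines` is the only name from the finding.
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE = "https://bwscanner.example"  # assumed origin of the scanner's web UI


@dataclass
class Request:
    method: str
    params: dict                      # query string and form body, merged here
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


# Constructed server-side state: one logged-in operator session and the bridge DB.
SESSIONS = {"sess-alice": {"user": "alice", "csrf": secrets.token_urlsafe(32)}}
BRIDGES: list[str] = []


def _store(lines: str) -> None:
    BRIDGES.extend(line for line in lines.splitlines() if line.strip())


def vulnerable_add_bridges(req: Request) -> int:
    """Mutates on any method and trusts the session cookie alone. Browsers
    attach cookies to cross-site GETs (an <img> or <a> on any page), so a
    page the operator merely visits can add attacker bridges."""
    if req.cookies.get("sessionid") not in SESSIONS:
        return 403
    _store(req.params.get("bridge_lines", ""))
    return 200


def hardened_add_bridges(req: Request) -> int:
    """Requires POST (so framework CSRF middleware applies), a per-session token
    compared in constant time, and a same-origin Origin/Referer."""
    if req.method != "POST":
        return 405
    session = SESSIONS.get(req.cookies.get("sessionid"))
    if session is None:
        return 403
    token = req.params.get("csrfmiddlewaretoken", "")
    if not hmac.compare_digest(token, session["csrf"]):
        return 403
    src = urlsplit(req.headers.get("Origin") or req.headers.get("Referer", ""))
    site = urlsplit(SITE)
    if (src.scheme, src.netloc) != (site.scheme, site.netloc):
        return 403
    _store(req.params.get("bridge_lines", ""))
    return 200


# Constructed bridge line for the attacker; the fingerprint is a placeholder.
ATTACKER_LINE = "obfs4 203.0.113.7:443 0000000000000000000000000000000000000000 iat-mode=0"


def cross_site_get(handler) -> tuple[int, list[str]]:
    """<img src="https://bwscanner.example/add?bridge_lines=<attacker line>"> on
    attacker.example: GET, session cookie attached by the browser, no token,
    attacker Referer."""
    BRIDGES.clear()
    req = Request("GET", {"bridge_lines": ATTACKER_LINE},
                  cookies={"sessionid": "sess-alice"},
                  headers={"Referer": "https://attacker.example/"})
    return handler(req), list(BRIDGES)


def cross_site_post(handler) -> tuple[int, list[str]]:
    """Auto-submitting form on attacker.example: POST, cookie attached, but no
    token and a cross-origin Origin. Shows the method check alone is not enough."""
    BRIDGES.clear()
    req = Request("POST", {"bridge_lines": ATTACKER_LINE},
                  cookies={"sessionid": "sess-alice"},
                  headers={"Origin": "https://attacker.example"})
    return handler(req), list(BRIDGES)


def operator_post(handler) -> tuple[int, list[str]]:
    """The legitimate submission from the scanner's own form."""
    BRIDGES.clear()
    req = Request("POST",
                  {"bridge_lines": "obfs4 192.0.2.10:443 1111111111111111111111111111111111111111 iat-mode=0",
                   "csrfmiddlewaretoken": SESSIONS["sess-alice"]["csrf"]},
                  cookies={"sessionid": "sess-alice"},
                  headers={"Origin": SITE})
    return handler(req), list(BRIDGES)
```

Moving the mutation to POST matters beyond the method check itself: framework CSRF protection such as Django’s CsrfViewMiddleware only validates unsafe methods, so a GET endpoint that writes to the database bypasses it entirely.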

The medium-severity vulnerabilities are:

  • Denial of service in metrics-lib: a large compressed file could exhaust memory when decompressed, in the manner of a zip bomb.
  • Use of an outdated tun2socks module in tor-android-service, which Tor Browser for Android relies on.
  • An out-of-bounds write of a single zero (NUL) byte in the Tor client, caused by incorrect length handling in the read_file_to_str_until_eof function.
  • In Simple Bandwidth Scanner (sbws), a redirect could downgrade an HTTPS connection to plain HTTP; a malicious Tor exit node exploiting this could capture the scanner’s API tokens.
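The defense against the metrics-lib finding, as an added example written in Python (metrics-lib itself is Java, and this is not its code): decompress in bounded chunks and abort once the output exceeds a caller-supplied cap, so a small file that inflates to gigabytes cannot exhaust memory. The bomb and the normal payload are constructed inline with zlib so the block runs offline.

```python
# Added example (not metrics-lib code): bounded zlib decompression that aborts
# once output exceeds a cap. BOMB and NORMAL are constructed test inputs.
import zlib


class DecompressionLimitExceeded(Exception):
    pass


def bounded_decompress(data: bytes, max_out: int, chunk: int = 64 * 1024) -> bytes:
    """Inflate zlib-format `data` without ever holding more than about
    max_out (+ one chunk) bytes of output. For gzip input, construct the
    decompressor with zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)."""
    d = zlib.decompressobj()
    out = bytearray()
    buf = data
    while True:
        piece = d.decompress(buf, chunk)      # at most `chunk` bytes per call
        out += piece
        if len(out) > max_out:
            consumed = len(data) - len(d.unconsumed_tail)
            raise DecompressionLimitExceeded(
                f"output exceeded {max_out} bytes after {consumed} input bytes")
        buf = d.unconsumed_tail               # input zlib has not consumed yet
        if d.eof:
            return bytes(out)
        if not piece and not buf:
            raise ValueError("truncated stream")


def inflates_past_limit(data: bytes, max_out: int) -> bool:
    """True if decompressing `data` would exceed max_out bytes of output."""
    try:
        bounded_decompress(data, max_out)
    except DecompressionLimitExceeded:
        return True
    return False


# Constructed bomb: 16 MiB of zero bytes compresses to a few tens of KB.
BOMB = zlib.compress(b"\0" * (16 * 1024 * 1024), 9)
# Constructed benign payload shaped like a small measurement file.
NORMAL_PLAIN = b"relay,bandwidth\nr1,1024\n" * 2000
NORMAL = zlib.compress(NORMAL_PLAIN, 9)
```

The cap is enforced on output, not on the compressed input size, because that is the quantity the attacker controls the ratio of; a consumer that reads whole files with a single decompress call has no such bound.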
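The sbws downgrade, as an added example that is not sbws code: a naive redirect follower that keeps sending its bearer token on every hop, beside a guarded one that refuses to leave HTTPS and drops the credential on cross-origin hops. The URLs, the FAKE_SERVER response table and the token are constructed; a real client would plug urllib or requests in as the `fetch` transport.

```python
# Added example (not sbws code): redirect following with and without a
# downgrade guard. FAKE_SERVER, the URLs and the token are constructed.
from urllib.parse import urljoin, urlsplit


class DowngradeRefused(Exception):
    """Raised when a redirect would move the request off HTTPS."""


REDIRECTS = {301, 302, 303, 307, 308}

# Constructed responses: (status, headers, body). The first entry stands in for
# a destination, or anyone able to inject a response, that answers with a
# redirect to plain HTTP. Once the client follows it, the exit relay carrying
# that hop sees the request in the clear, Authorization header included.
FAKE_SERVER = {
    "https://bwauth.example/api/bw":       (302, {"Location": "http://bwauth.example/api/bw"}, b""),
    "http://bwauth.example/api/bw":        (200, {}, b"served over plaintext"),
    "https://bwauth.example/api/v2":       (302, {"Location": "/api/v2/final"}, b""),
    "https://bwauth.example/api/v2/final": (200, {}, b"served over TLS"),
    "https://bwauth.example/mirror":       (302, {"Location": "https://mirror.example/bw"}, b""),
    "https://mirror.example/bw":           (200, {}, b"third party"),
}


def fake_fetch(url: str, headers: dict) -> tuple[int, dict, bytes]:
    """Transport stub standing in for a real HTTP client call."""
    return FAKE_SERVER[url]


def naive_get(url: str, token: str, fetch=fake_fetch, max_hops: int = 5):
    """Follows every Location header and keeps sending Authorization: the
    behaviour that leaks the token as soon as one hop is plain HTTP."""
    headers = {"Authorization": f"Bearer {token}"}
    hops = []                                 # (url, authorization_sent) per request
    for _ in range(max_hops + 1):
        hops.append((url, "Authorization" in headers))
        status, resp_headers, body = fetch(url, headers)
        if status in REDIRECTS and "Location" in resp_headers:
            url = urljoin(url, resp_headers["Location"])
            continue
        return body, hops
    raise RuntimeError("too many redirects")


def guarded_get(url: str, token: str, fetch=fake_fetch, max_hops: int = 5):
    """Same loop with two checks per hop: the scheme must stay https, and the
    credential is dropped if the hop leaves the original origin."""
    origin = urlsplit(url)
    headers = {"Authorization": f"Bearer {token}"}
    hops = []
    for _ in range(max_hops + 1):
        parts = urlsplit(url)
        if parts.scheme != "https":
            raise DowngradeRefused(url)
        if (parts.scheme, parts.netloc) != (origin.scheme, origin.netloc):
            headers.pop("Authorization", None)
        hops.append((url, "Authorization" in headers))
        status, resp_headers, body = fetch(url, headers)
        if status in REDIRECTS and "Location" in resp_headers:
            url = urljoin(url, resp_headers["Location"])
            continue
        return body, hops
    raise RuntimeError("too many redirects")


def token_sent_in_clear(url: str, token: str, client) -> bool:
    """True if `client` sent the Authorization header on any http:// hop."""
    try:
        _, hops = client(url, token)
    except DowngradeRefused:
        return False
    return any(u.startswith("http://") and sent for u, sent in hops)
```

With a library client the equivalent is to disable automatic redirects (for requests, `allow_redirects=False`) and apply the same scheme and origin checks yourself before re-issuing the request, or at least to inspect `response.history` afterwards and treat any http:// hop as a token compromise.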