Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Onion vulnerability #873

kurnevsky opened this issue Apr 15, 2018 · 5 comments

Onion vulnerability #873

kurnevsky opened this issue Apr 15, 2018 · 5 comments
network Network P0 Critical priority security Security


Copy link

kurnevsky commented Apr 15, 2018

While implementing tox in rust we've found vulnerability in onion module.

Currently onion module allows to send any byte sequence through onion path. It can lead to possibility to bypass onion and get IP address (and friends list eventually) knowing only long term public key.

Let's say Alice announces herself to Bob sending AnnounceRequest packet through onion path. After announcement Bob knows Alice's long term public key and onion return addresses to send packets back to Alice. But Bob doesn't know IP address of Alice and want to find it out. All he needs to do is send NAT ping request with his own DHT public key to Alice through onion path using onion return addresses he knows. If Bob is lucky enough to have close DHT public key to Alice's key Alice will redirect this ping request directly to Bob. After receiving his own request Bob will know IP address of Alice.

Now, if somewone want to know somebody's IP address he can generate DHT key close enough to long term public key, wait for announce request, run many DHT nodes and send pings to them one by one.

So I suggest to restrict packet kinds that can be sent through onion path: #872

I also monitored tox network through several DHT nodes and didn't notice anything other than onion announce/data packets is sent through onion. So this change shouldn't break anything.

@sudden6 sudden6 added network Network security Security P0 Critical priority labels Apr 15, 2018
Copy link

sudden6 commented Apr 15, 2018

I'm not familiar with the DHT and onion, but isn't the long term public key only exchanged after a friend request is answered?

ping @zugz @iphydf

Copy link

Diadlo commented Apr 15, 2018

Bob can accept friend request and get direct connection to Alice => find Alice's IP. Am I right?

Copy link

kpp commented Apr 15, 2018

Have a look at tox-rs/tox#37

Copy link

@sudden6 long term public key is part of tox address, so you always know it, but can't (in theory) connect it with IP or DHT key without being a friend to user with this key.
@Diadlo yes, if Alice made this request.

Copy link

nurupo commented May 20, 2018

Fixed by #872.

@nurupo nurupo closed this as completed May 20, 2018
@robinlinden robinlinden modified the milestone: v0.2.11 Mar 20, 2020
@iphydf iphydf added P3 Low priority and removed P3 Low priority labels Feb 4, 2022
@iphydf iphydf added this to the v0.2.2 milestone Feb 5, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
network Network P0 Critical priority security Security
None yet

No branches or pull requests

7 participants