Serith (OP)
April 25, 2012, 05:20:13 PM
The following sequence of events occurs when somebody is unmasked:
- VictimHost connects through MyTorNode, to SomeWebSite
- MyTorNode changes outbound traffic to SomeWebSite so that HTTP1.0 and gzip compression are not used (HTTP headers are stripped / changed)
- MyTorNode replaces inbound traffic from SomeWebSite, inserting an <iframe> reference to MyEvilWebServer. This reference also contains a recognizable Cookie
- MyEvilWebServer receives request via Tor from VictimHost, including Cookie, serves up Trigger. Trigger contains:
  - Javascript code that requests "/VictimHostName_VictimHostIP.gif" from MyEvilWebServer
  - A Shockwave Flash Movie that makes a direct connection to MyEvilWebServer (since Flash doesn't support / know about Tor / proxies / etc, this will be a direct connection)
- Javascript executing on VictimHost makes VictimHost connect via Tor and request /VictimHostName_VictimHostIP.gif
- Shockwave Flash executing on VictimHost connects directly, without Tor, and resends the Cookie, allowing mapping between the original page being browsed via Tor, and the real VictimHostIP
Discussion of the vulnerability: Hacker News: The Underpants Project

Red Emerald
April 25, 2012, 05:23:07 PM
Good information, but not new news at all. This is why the Tor Browser Bundle and Tails have javascript and flash disabled by default.

mila
April 25, 2012, 05:32:42 PM
no kidding, Sherlock?
I mean, thank you for raising awareness but it's really well known or at least documented and the bundled browser has the settings right by default.

Serith (OP)
April 25, 2012, 06:07:18 PM
no kidding, Sherlock?
I mean, thank you for raising awareness but it's really well known or at least documented and the bundled browser has the settings right by default.
Any link on this forum that I missed?

a nice guy
April 25, 2012, 06:50:06 PM
Hello,
just set up a VM or real hardware working as a proxy to route all the traffic from eth0 (internal network) to eth1 (external network). eth1 then routes all traffic through Tor. Now set up a 2nd VM which has only one port directly connected to eth0 on the proxy. ALL traffic is now routed through Tor and immune to those attacks.
I think there is a tutorial on the torwiki too.
kind regards, a nice guy

theymos
April 25, 2012, 07:14:55 PM
You can't do it with just JavaScript, which is why torbutton allows JavaScript. You need a plugin like Flash.

Red Emerald
April 25, 2012, 08:25:50 PM
Hello,
just set up a VM or real hardware working as a proxy to route all the traffic from eth0 (internal network) to eth1 (external network). eth1 then routes all traffic through Tor. Now set up a 2nd VM which has only one port directly connected to eth0 on the proxy. ALL traffic is now routed through Tor and immune to those attacks.
I think there is a tutorial on the torwiki too.
kind regards, a nice guy
https://trac.torproject.org/projects/tor/wiki/doc/TorBOX
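
The isolating gateway described in the two posts above, as an added example that is not part of the thread and not TorBOX's own configuration: it emits an iptables-restore ruleset that pushes the workstation VM's TCP and DNS into Tor and drops everything else, so a plugin's "direct" connection has no path around Tor. Only eth0 comes from the post; the ports 9040/5353, the tor user name `debian-tor` and both function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed torrc on the gateway:
#   TransPort 0.0.0.0:9040  and  DNSPort 0.0.0.0:5353, tor running as "debian-tor".

# Print an iptables-restore ruleset for the gateway. To apply it, as root:
#   gateway_rules eth0 9040 5353 debian-tor | iptables-restore
gateway_rules() {
    int_if=$1; trans_port=$2; dns_port=$3; tor_user=$4
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $int_if -p udp --dport 53 -j REDIRECT --to-ports $dns_port
-A PREROUTING -i $int_if -p tcp --syn -j REDIRECT --to-ports $trans_port
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $int_if -p tcp --dport $trans_port -j ACCEPT
-A INPUT -i $int_if -p udp --dport $dns_port -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m owner --uid-owner $tor_user -j ACCEPT
COMMIT
EOF
}

# Audit a ruleset on stdin (iptables-save format). Exit status 0 only if nothing
# can be forwarded around Tor: FORWARD policy is DROP and no rule is appended to
# FORWARD (deliberately strict: any -A FORWARD line fails the audit).
audit_fail_closed() {
    awk '
        /^:FORWARD DROP/ { drop = 1 }
        /^-A FORWARD /   { bypass = 1 }
        END              { exit !(drop && !bypass) }
    '
}
```

With these rules the gateway sees only the workstation's internal address, but code running inside the workstation VM can still read that VM's own hostname and internal IP (the values the trigger in the first post puts in the .gif name), so keep both generic.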

cryptoanarchist
April 26, 2012, 03:55:22 PM
Wow...if you didn't know this before doing something illegal on the internet, maybe crime isn't your thing.

Red Emerald
April 26, 2012, 05:57:53 PM
Wow...if you didn't know this before doing something illegal on the internet, maybe crime isn't your thing.
Tor and illegal actions do not at all have to be connected. There are plenty of legitimate reasons for usage of Tor. I don't like when people automatically assume anonymity is only needed for illegal purposes. I don't want to live in that world.

Xenland
April 29, 2012, 02:15:22 AM
Every poster above or below this post should be considered a terrorist
I didn't know this, thanks for the post OP.

a nice guy
May 01, 2012, 08:49:52 AM
Every poster above or below this post should be considered a terrorist
Is this a bad or a good thing?

Tuxavant
May 01, 2012, 02:18:55 PM
I don't like disclosing TTPs, but if you put more than a few brain cells on this problem, it's pretty easy to mitigate it.

Tuxavant
May 01, 2012, 03:30:07 PM
But it really sucks when anonymity is sometimes needed. Talking about some politics where I live can get you 15 years in jail.
WAY too many laws to break nowadays... Tell someone they're a jerk from an Arizona Internet connection and you go to jail. WTF. There is no such thing as a "law abiding citizen" any longer.