Opened 5 years ago

Closed 5 years ago

Last modified 4 years ago

#7029 closed defect (fixed)

Sending files disregards proxy settings for account

Reported by: ioerror
Owned by:
Priority: normal
Milestone: 0.15
Component: None
Version: hg
Severity: critical
Keywords: security privacy
Cc:
Blocked By:
Blocking:
OS: All

Description

Bug description

When using a SOCKS5 proxy, a remote user may de-anonymize or force a proxy bypass by sending a user a file.

Steps to reproduce

Configure two clients to use Tor. The first (pidgin) client offers a file. The second (gajim) client accepts. The second client will then connect directly to the address offered by the first client. The second client should attempt to connect to that IP address through the configured proxy only.

When the second (gajim) client offers to send a file it does not leak the IP address but it does bind a local TCP port to *:someport - this should not happen when a proxy is being used.

This should be treated as a case of double NAT and the only way to safely share the file is to use a file proxy or other third party.

Interestingly, the *:someport is always *:28011 - even after multiple file tries. Shouldn't that be a randomly selected port?

Software versions

changeset: 13361:edee1e4ca03a

Change History (12)

comment:1 follow-up: Changed 5 years ago by zimio

  • Status changed from new to needinfo

"Interestingly, the *:someport is always *:28011 - even after multiple file tries. Shouldn't that be a randomly selected port?"

No, that's Gajim's configured default port for listening socks5 file transfer.

Which hg branch are you using?

comment:2 in reply to: ↑ 1 Changed 5 years ago by ioerror

Replying to zimio:

"Interestingly, the *:someport is always *:28011 - even after multiple file tries. Shouldn't that be a randomly selected port?"

No, that's Gajim's configured default port for listening socks5 file transfer.

It might make sense since it's sent to the authorised client to randomize that port.

Which hg branch are you using?

I did the following:

hg clone http://hg.gajim.org/gajim gajim

hg tip reports:

tag: tip
parent: 13359:e59e6777df1d
user: Yann Leboulanger <asterix@…>
date: Wed Nov 02 11:23:02 2011 +0100
summary: auto-check for updates of installed plugins

comment:3 follow-up: Changed 5 years ago by asterix

Once again, I don't use / know about TOR, so I don't understand everything you say, but:

  • if what you want is an option to not send local IPs, then yes it's doable
  • we do have to bind the port so that the receiver can try to connect, and if that succeeds, announce to the sender that it's the way the file should be transferred.
  • if we use a random port, it's hard to configure your router to forward the port.

comment:4 in reply to: ↑ 3 ; follow-up: Changed 5 years ago by ioerror

Replying to asterix:

Once again, I don't use / know about TOR, so I don't understand everything you say, but:

  • if what you want is an option to not send local IPs, then yes it's doable

Correct. As it stands already, pidgin leaks the public IP and 127.0.0.1 whereas Gajim only leaks 127.0.0.1. I'd prefer that Gajim tried to use a proxy without any leaking at all.

  • we do have to bind the port so that the receiver can try to connect, and if that succeeds, announce to the sender that it's the way the file should be transferred.

Is there a way to force the use of a proxy? Or force a specific hostname to be sent?

I imagine a world where you use Tor and then send files by sending a .onion: https://www.torproject.org/docs/hidden-services.html.en

  • if we use a random port, it's hard to configure your router to forward the port.

Ah, I think that's why people use UPnP and NAT-PMP but I understand. That's a tough call. :(

comment:5 in reply to: ↑ 4 ; follow-up: Changed 5 years ago by asterix

Replying to ioerror:

Replying to asterix:

Once again, I don't use / know about TOR, so I don't understand everything you say, but:

  • if what you want is an option to not send local IPs, then yes it's doable

Correct. As it stands already, pidgin leaks the public IP and 127.0.0.1 whereas Gajim only leaks 127.0.0.1. I'd prefer that Gajim tried to use a proxy without any leaking at all.

  • we do have to bind the port so that the receiver can try to connect, and if that succeeds, announce to the sender that it's the way the file should be transferred.

Is there a way to force the use of a proxy? Or force a specific hostname to be sent?

Not yet, but if we add an option to not send local IPs, it will be possible to send only proxies. To send specific hostnames, there is the ft_add_hosts_to_send option.

  • if we use a random port, it's hard to configure your router to forward the port.

Ah, I think that's why people use UPnP and NAT-PMP but I understand. That's a tough call. :(

Not all routers support that, but Gajim has IGD implemented (for PMP, my router doesn't support it, so I cannot test and implement it).

comment:6 in reply to: ↑ 5 ; follow-up: Changed 5 years ago by ioerror

Replying to asterix:

Replying to ioerror:

Replying to asterix:

Once again, I don't use / know about TOR, so I don't understand everything you say, but:

  • if what you want is an option to not send local IPs, then yes it's doable

Correct. As it stands already, pidgin leaks the public IP and 127.0.0.1 whereas Gajim only leaks 127.0.0.1. I'd prefer that Gajim tried to use a proxy without any leaking at all.

  • we do have to bind the port so that the receiver can try to connect, and if that succeeds, announce to the sender that it's the way the file should be transferred.

Is there a way to force the use of a proxy? Or force a specific hostname to be sent?

Not yet, but if we add an option to not send local IPs, it will be possible to send only proxies.

That sounds good. I think this option should be added automatically when using a proxy.

To send specific hostnames, there is the ft_add_hosts_to_send option.

How does one set that?

  • if we use a random port, it's hard to configure your router to forward the port.

Ah, I think that's why people use UPnP and NAT-PMP but I understand. That's a tough call. :(

Not all routers support that, but Gajim has IGD implemented (for PMP, my router doesn't support it, so I cannot test and implement it).

I implemented both of those in tor-fw-helper: https://gitweb.torproject.org/tor.git/tree/HEAD:/src/tools/tor-fw-helper

In my experience NAT-PMP is useful only for Apple and some Linux gateways. IGD is useful in a lot more places. In all cases, we can expect a random port to work perfectly and an option to set a static port makes sense, I think.

comment:7 in reply to: ↑ 6 Changed 5 years ago by asterix

Replying to ioerror:

Replying to asterix:

Not yet, but if we add an option to not send local IPs, it will be possible to send only proxies.

That sounds good. I think this option should be added automatically when using a proxy.

No, if you send a file to a contact inside a local network and have a proxy configured, it's not a good idea to propose only the proxy.

To send specific hostnames, there is the ft_add_hosts_to_send option.

How does one set that?

It's an advanced option. Configuring your router to forward a port and configuring Gajim to announce your real IP is not something for common users. Gajim already does UPnP-IGD for common users.

In my experience NAT-PMP is useful only for Apple and some Linux gateways. IGD is useful in a lot more places. In all cases, we can expect a random port to work perfectly and an option to set a static port makes sense, I think.

Ok, good to know. You can always write a plugin that randomly changes the file transfer port after every transfer. But that's not something I would integrate in Gajim. It's not possible to configure a fw that accepts connections on the Gajim file transfer port with that.

comment:8 Changed 5 years ago by Yann Leboulanger <asterix@…>

  • Milestone set to 0.15
  • Resolution set to fixed
  • Status changed from needinfo to closed

(In [c0915227404c]) add advanced option to disable sending local IPs when doing a file transfer. Fixes #7029

comment:9 Changed 5 years ago by Dicson

maybe forgotten changes in [c0915227404c]? advanced option not used

comment:10 Changed 5 years ago by Yann Leboulanger <asterix@…>

(In [23df7b0c0631]) forgot commit: use ft_send_local_ips option. Fixes #7029

comment:11 Changed 4 years ago by Yann Leboulanger <asterix@…>

(In [af64b222a0bd]) add advanced option to disable sending local IPs when doing a file transfer. Fixes #7029

comment:12 Changed 4 years ago by Yann Leboulanger <asterix@…>

(In [f60934dda509]) forgot commit: use ft_send_local_ips option. Fixes #7029
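
The behaviour discussed in this ticket, sketched as an added example (not Gajim's code and not part of the ticket): the receiver never dials an offered address directly when the account has a proxy, and the sender offers only file proxies when `ft_send_local_ips` is off. It assumes the offer is an XEP-0065 SOCKS5 Bytestreams `<query/>`; the function names, JIDs and addresses are constructed for illustration, and only `ft_send_local_ips` comes from the ticket.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = "{http://jabber.org/protocol/bytestreams}"  # XEP-0065 namespace
# Addresses that only mean something on the sender's own host or LAN.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# Constructed offer: two direct candidates and one third-party file proxy.
SAMPLE_OFFER = """
<query xmlns='http://jabber.org/protocol/bytestreams' sid='constructed-sid'>
  <streamhost jid='sender@example.org/a' host='203.0.113.7' port='28011'/>
  <streamhost jid='sender@example.org/a' host='127.0.0.1' port='28011'/>
  <streamhost jid='proxy.example.org' host='proxy.example.org' port='7777'/>
</query>
"""

def parse_streamhosts(xml_text):
    """Return (host, port) for every streamhost candidate in the offer."""
    root = ET.fromstring(xml_text)
    return [(sh.get("host"), int(sh.get("port")))
            for sh in root.iter(NS + "streamhost")]

def is_local(host):
    """True for literal loopback/private/link-local IPs; hostnames are not
    resolved here, so name lookups are left to the proxy."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr.version == n.version and addr in n for n in LOCAL_NETS)

def plan_connections(streamhosts, account_proxy):
    """Receiver side. account_proxy is None or a (host, port) SOCKS5 proxy.
    With a proxy set, no candidate is dialled directly and local-only
    candidates are skipped (an assumption of this example)."""
    if account_proxy is None:
        return [(h, p, "direct") for h, p in streamhosts]
    via = "via %s:%d" % account_proxy
    return [(h, p, via) for h, p in streamhosts if not is_local(h)]

def hosts_to_advertise(own_ips, file_proxies, ft_send_local_ips):
    """Sender side: with ft_send_local_ips off, offer only file proxies."""
    return (list(own_ips) if ft_send_local_ips else []) + list(file_proxies)
```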
