The developers of the Tor anonymity network have published the results of a security audit of the Tor Browser and of the project's censorship-circumvention tools OONI Probe, rdsys, BridgeDB, and Conjure. The audit, carried out by Cure53 from November 2022 to April 2023, identified 9 vulnerabilities: two of high severity, one of medium severity, and six of low severity. In addition, 10 issues unrelated to security were found in the code base. Overall, the Tor project's code was judged to follow secure programming practices.
The first high-severity vulnerability was found in the backend of the rdsys distribution system, which delivers censorship-circumvention resources such as proxy lists and download links to users. It allowed an attacker to register their own malicious resource for delivery to unsuspecting users: the attack consisted of sending an HTTP request to the rdsys backend handler, which required no authentication.
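The defect described above is a registration endpoint that performs no authentication before accepting a resource. The following is an added example, not rdsys's own code, of how such an endpoint can be gated: the `Resource` shape, the bearer-token scheme and the endpoint path are assumptions for illustration. The point shown is that the credential check runs before the request body is touched, and that the token comparison is constant-time.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// Resource is a hypothetical circumvention resource that a distributor may
// register (for example a bridge line or a download link). The field names
// are assumptions for this example, not rdsys's real wire format.
type Resource struct {
	Type  string `json:"type"`
	Value string `json:"value"`
}

// ResourceStore is an in-memory stand-in for the backend's resource table.
type ResourceStore struct {
	mu    sync.Mutex
	items []Resource
}

func (s *ResourceStore) Add(r Resource) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.items = append(s.items, r)
}

func (s *ResourceStore) Len() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	return len(s.items)
}

// authorized accepts only "Authorization: Bearer <token>" with a token equal
// to the configured one. The comparison is constant-time so response timing
// does not reveal how many leading bytes of a guess were correct.
func authorized(header, token string) bool {
	const prefix = "Bearer "
	if token == "" || !strings.HasPrefix(header, prefix) {
		return false
	}
	presented := strings.TrimSpace(header[len(prefix):])
	return subtle.ConstantTimeCompare([]byte(presented), []byte(token)) == 1
}

// NewRegisterHandler builds the registration endpoint. The authentication
// check runs before the body is parsed, so an unauthenticated client can
// neither get a resource stored nor exercise the JSON decoder.
func NewRegisterHandler(token string, store *ResourceStore) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		if !authorized(r.Header.Get("Authorization"), token) {
			w.Header().Set("WWW-Authenticate", `Bearer realm="resource-registration"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		var res Resource
		body := http.MaxBytesReader(w, r.Body, 4096) // cap the request size
		if err := json.NewDecoder(body).Decode(&res); err != nil || res.Type == "" || res.Value == "" {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		store.Add(res)
		w.WriteHeader(http.StatusCreated)
	})
}

func main() {
	store := &ResourceStore{}
	h := NewRegisterHandler("example-distributor-token", store) // constructed token
	body := `{"type":"obfs4","value":"constructed bridge line"}`

	// Without credentials, the path the audited flaw allowed: rejected.
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, "/register", strings.NewReader(body)))
	fmt.Println("no auth   ->", rec.Code, "stored:", store.Len())

	// With the distributor's credential: accepted.
	rec = httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/register", strings.NewReader(body))
	req.Header.Set("Authorization", "Bearer example-distributor-token")
	h.ServeHTTP(rec, req)
	fmt.Println("with auth ->", rec.Code, "stored:", store.Len())
}
```

Running the block prints a 401 with nothing stored for the unauthenticated request and a 201 with one stored resource for the authenticated one. In a real deployment the token would come from configuration rather than a literal, and per-distributor credentials make revocation possible without rotating everyone's secret.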
The second high-severity vulnerability was found in the Tor Browser and stemmed from the absence of a digital-signature check when receiving a list of bridge nodes via rdsys and BridgeDB. Because the list is loaded before the connection to the Tor network is established, the lack of cryptographic signature verification allowed an attacker to replace its contents, either by intercepting the connection or by compromising the server that distributes the list. Successful exploitation would let the attacker route user connections through compromised bridge nodes.
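To make the missing check concrete, here is an added example (not Tor Browser, rdsys or BridgeDB code) of a client that refuses to use a bridge list unless an Ed25519 signature over it verifies under a public key pinned in the client. The list format (one bridge line per line, `#` comments), the domain-separation string and the sample bridge lines are constructed assumptions; the addresses are RFC 5737 documentation ranges and the fingerprints are placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Domain-separation prefix: a signature over a bridge list must not be
// reusable as a signature over some other message the distributor signs.
// The string itself is an assumption for this example.
const bridgeListContext = "bridge-list-v1\x00"

// signingInput binds the context string to the list bytes.
func signingInput(list []byte) []byte {
	return append([]byte(bridgeListContext), list...)
}

// SignBridgeList is what the distributor runs; the signature ships next to
// the list. Hypothetical list format: one bridge line per line, '#' comments.
func SignBridgeList(priv ed25519.PrivateKey, list []byte) []byte {
	return ed25519.Sign(priv, signingInput(list))
}

// ParseSignedBridgeList returns bridge lines only after the signature
// verifies under the public key pinned in the client. Any failure returns
// no bridges at all, so a caller cannot fall through to an unverified list.
func ParseSignedBridgeList(pinned ed25519.PublicKey, list, sig []byte) ([]string, error) {
	if len(pinned) != ed25519.PublicKeySize {
		return nil, errors.New("pinned public key has the wrong size")
	}
	if len(sig) != ed25519.SignatureSize {
		return nil, errors.New("signature has the wrong size")
	}
	if !ed25519.Verify(pinned, signingInput(list), sig) {
		return nil, errors.New("bridge list signature does not verify; refusing to use it")
	}
	var bridges []string
	for _, line := range strings.Split(string(list), "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		bridges = append(bridges, line)
	}
	return bridges, nil
}

// Constructed sample list using documentation-only addresses (RFC 5737);
// these are not real bridges and the fingerprints are placeholders.
const sampleList = "# constructed sample, not real bridges\n" +
	"obfs4 192.0.2.10:443 FINGERPRINT_PLACEHOLDER_1 cert=CERT_PLACEHOLDER iat-mode=0\n" +
	"obfs4 198.51.100.7:8443 FINGERPRINT_PLACEHOLDER_2 cert=CERT_PLACEHOLDER iat-mode=0\n"

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // distributor's key pair
	if err != nil {
		panic(err)
	}
	sig := SignBridgeList(priv, []byte(sampleList))

	bridges, err := ParseSignedBridgeList(pub, []byte(sampleList), sig)
	fmt.Println("genuine list :", len(bridges), "bridges, err:", err)

	// An on-path attacker swaps one bridge for another; the old signature
	// no longer matches and the client keeps none of the list.
	tampered := strings.Replace(sampleList, "192.0.2.10", "203.0.113.99", 1)
	bridges, err = ParseSignedBridgeList(pub, []byte(tampered), sig)
	fmt.Println("tampered list:", len(bridges), "bridges, err:", err)
}
```

The verifying key must be pinned in the client build (or in a signed update), not fetched from the same channel as the list; otherwise an attacker who controls the channel can substitute both. Returning `nil, err` on every failure, rather than a partial list, is what prevents a bug elsewhere from silently accepting unverified bridges.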
The medium-severity vulnerability was found in rdsys, in its build-dispatch script. It allowed an attacker who already had access to the server and could write to the temporary-files directory to escalate privileges from the nobody user to the rdsys user by replacing an executable file located in /tmp. With rdsys user rights, the attacker could then modify the executables that rdsys runs.
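The root cause above is a privileged component executing a file from a directory any local user can write to. As an added example (not rdsys's code), the following check applies a "trusted location" rule before a service runs a binary: the file must be a regular, non-symlink, executable file owned by root or the current user, and neither it nor its directory may be writable by group or others. A file in /tmp fails the directory test regardless of its own permissions. The helper script, directory layout and the "root or self" ownership policy are assumptions for this example; the owner lookup uses `syscall.Stat_t` and so is Unix-specific.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// CheckExecutable returns nil only if path is safe to run under the policy
// described above. Every rejection names the reason so it can be logged.
func CheckExecutable(path string) error {
	abs, err := filepath.Abs(path)
	if err != nil {
		return err
	}
	fi, err := os.Lstat(abs)
	if err != nil {
		return err
	}
	if fi.Mode()&os.ModeSymlink != 0 {
		return fmt.Errorf("%s: refusing to run a symlink", abs)
	}
	if !fi.Mode().IsRegular() {
		return fmt.Errorf("%s: not a regular file", abs)
	}
	if fi.Mode().Perm()&0o111 == 0 {
		return fmt.Errorf("%s: not executable", abs)
	}
	if err := trustedOwnerAndPerms(abs, fi); err != nil {
		return err
	}
	dir := filepath.Dir(abs)
	di, err := os.Stat(dir)
	if err != nil {
		return err
	}
	return trustedOwnerAndPerms(dir, di)
}

// trustedOwnerAndPerms rejects anything another unprivileged user could have
// created or modified: group/other-writable, or owned by someone other than
// root or the calling user.
func trustedOwnerAndPerms(name string, fi os.FileInfo) error {
	if fi.Mode().Perm()&0o022 != 0 {
		return fmt.Errorf("%s: writable by group or others (mode %o)", name, uint32(fi.Mode().Perm()))
	}
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok {
		return fmt.Errorf("%s: cannot determine owner on this platform", name)
	}
	if st.Uid != 0 && int(st.Uid) != os.Geteuid() {
		return fmt.Errorf("%s: owned by uid %d, not root or uid %d", name, st.Uid, os.Geteuid())
	}
	return nil
}

func main() {
	// Constructed scenario: a helper script in a private directory passes;
	// the same script once its directory is made /tmp-like (world-writable
	// with the sticky bit) does not.
	dir, err := os.MkdirTemp("", "exec-check") // created with mode 0700
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	helper := filepath.Join(dir, "helper.sh")
	if err := os.WriteFile(helper, []byte("#!/bin/sh\necho ok\n"), 0o755); err != nil {
		panic(err)
	}
	fmt.Println("private dir:", CheckExecutable(helper))
	if err := os.Chmod(dir, 0o777|os.ModeSticky); err != nil {
		panic(err)
	}
	fmt.Println("shared dir :", CheckExecutable(helper))
}
```

The check is a defence in depth, not a substitute for the real fix, which is to keep helper binaries in a root-owned location such as a package-managed directory and to point the dispatch script at that absolute path. Note also that the check and the subsequent exec are not atomic; the policy works because a world-unwritable directory owned by a trusted user is what stops the file from being swapped between the two.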