10/20: Discover two security vulnerabilities in Tor

Remote OOM a target relay

Developed a PoC. It worked.

Report responsibly to Tor security mailing list with encrypted email.

Meet with Tor developers to discuss. It's a "known issue" and not solvable without a major fundamental change to Tor.

Further testing of PoC and tor code inspection shows Tor's OOM-avoidance is not as broken as initially thought. Specific circumstances are required. I do not know the frequency of the circumstances, but I suspect a non-zero number of relays are vulnerable.

Abuse of a Tor protocol as an unintentional data-sharing channel

No PoC developed. Inspection of said protocol reveals capability as obvious.

Report responsibly to Tor security mailing list with encrypted email.

Meet with Tor developers to discuss. It's a "known issue" and not solvable without a major fundamental change to Tor. One Tor developer (not present on call) allegedly has a PoC.

Details

The following is the initial email to tor-security@, encrypted to my own key (and signed by it too).


Here is a follow-up response detailing why the first vuln isn't as bad as I originally thought.
