find way to have Tor ephermal hidden service using applications in Whonix-Workstation bind on all interfaces
Closed, ResolvedPublic

Description

For example onionshare binds its webserver on 127.0.0.1.

That cannot work because it needs to bind on the external IP.

Approaches:


  • a) work with upstream (onionshare etc.) to provide a switch to listen on all interfaces and automatically do so inside Whonix. Not great, not generic, takes a long time until merged and landing in Debian.

  • b) Some solution using bindp.

    BIND_ADDR="10.137.6.41" LD_PRELOAD=/home/user/bindp/libindp.so onionshare a

(tested to work)

Not great, not generic.


  • c) An iptables based solution that requires net.ipv4.conf.all.route_localnet=1.

What are the security implications of net.ipv4.conf.eth0.route_localnet=1 / route_localnet?
http://security.stackexchange.com/questions/137602/what-are-the-security-implications-of-net-ipv4-conf-eth0-route-localnet-1-rout

https://www.whonix.org/wiki/Dev/Port_Redirection

Not great, not generic.


  • d)
socat TCP-LISTEN:17600,bind=10.137.6.41,fork TCP:127.0.0.1:17600
  • Loads of socat listeners. At some point they could even eat too much RAM if they become too many.
  • Could be made conditional by only loading these listeners if onionshare is installed. (Not great when installed inside template and not all Whonix-Workstations use onionshare.)
  • EDIT: Perhaps not that many socat listeners by using systemd socket activation.
    • related: port anon-ws-disable-stacked-tor to systemd socket activation T623

  • e) something better?

http://unix.stackexchange.com/questions/311492/redirect-application-listening-on-localhost-to-listening-on-external-interface


(EDIT)

  • f) write draft for local listener standard on debian-devel T635

Details

Impact
Normal
Patrick created this task.Sep 30 2016, 1:23 AM
Patrick updated the task description. (Show Details)Sep 30 2016, 1:29 AM
Patrick updated the task description. (Show Details)

a) work with upstream (onionshare etc.) to provide a switch to listen on all interfaces and automatically do so inside Whonix. Not great, not generic, takes a long time until merged and landing in Debian.

Won't happen by the time this ends up in stretch. Anyhow. Should go for it optionally so any other workarounds can later be abolished.

b) Some solution using bindp.

I decided to go for that solution since the other solutions aren't looking feasible/great. bindp has been packaged by me, automated as wrapper and added it uwt. Will git push it soon.

Could you please have a look bindp and comment on the C code from a security perspective? @marmarek Without comments it's just 5 lines of make and 100 lines of C code.

https://github.com/yongboy/bindp

I managed to enable Debian packaging compiler hardening flags. Output of checksec looks "quite good", "almost all green", besides the stack canary field. (Better than most libs in /usr/lib/**.so.)

checksec --file libindp.so
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Full RELRO      No canary found   NX enabled    PIE enabled     No RPATH   No RUNPATH   libindp.so

As you can see, just the stack canary is missing. Is that a huge isssue?

Compilation during package build looks as follows and shows a warning.

gcc -nostartfiles -fpic -shared bindp.c -o libindp.so -ldl -D_GNU_SOURCE -D_FORTIFY_SOURCE=2 -g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -fPIE -pie -Wl,-z,relro -Wl,-z,now
/usr/bin/ld.bfd.real: warning: cannot find entry symbol _start; defaulting to 0000000000000660

Is there anything concerning about that?

Patrick changed the task status from Open to Review.Jan 10 2017, 10:08 AM
onionshare support
package bindp
uwtwrapper_verbose
uwt rewrite
code simplification
refactoring

https://github.com/Whonix/uwt/commit/f3688a6813abe82597399da5bf05f0bca7771ff8

In T561#11317, @Patrick wrote:

a) work with upstream (onionshare etc.) to provide a switch to listen on all interfaces and automatically do so inside Whonix. Not great, not generic, takes a long time until merged and landing in Debian.

Won't happen by the time this ends up in stretch. Anyhow. Should go for it optionally so any other workarounds can later be abolished.

b) Some solution using bindp.

I decided to go for that solution since the other solutions aren't looking feasible/great. bindp has been packaged by me, automated as wrapper and added it uwt. Will git push it soon.

Could you please have a look bindp and comment on the C code from a security perspective? @marmarek Without comments it's just 5 lines of make and 100 lines of C code.

https://github.com/yongboy/bindp

Generally it looks ok. The only issue I see is it replace address in all bind calls - even those with different address family than AF_INET. In that case, address structure may be different (and also have different size) and strange things may happen. If a particular application use only AF_INET binds, it should be ok. You can check with strace and grep.

I managed to enable Debian packaging compiler hardening flags. Output of checksec looks "quite good", "almost all green", besides the stack canary field. (Better than most libs in /usr/lib/**.so.)

checksec --file libindp.so
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Full RELRO      No canary found   NX enabled    PIE enabled     No RPATH   No RUNPATH   libindp.so

As you can see, just the stack canary is missing. Is that a huge isssue?

Not a huge, especially as the library doesn't deal with any dynamic sized structures on stack (maybe that's why gcc didn't put stack canary there, even with -fstack-protector-strong?).

Compilation during package build looks as follows and shows a warning.

gcc -nostartfiles -fpic -shared bindp.c -o libindp.so -ldl -D_GNU_SOURCE -D_FORTIFY_SOURCE=2 -g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -fPIE -pie -Wl,-z,relro -Wl,-z,now
/usr/bin/ld.bfd.real: warning: cannot find entry symbol _start; defaulting to 0000000000000660

Is there anything concerning about that?

My guess: missing -shared option. Not a big problem.

Removed from uwt and moved to its own package.

https://github.com/Whonix/bindp

Patrick updated the task description. (Show Details)Feb 20 2017, 10:09 PM
Patrick closed this task as Resolved.Mar 7 2018, 12:08 AM
Patrick claimed this task.