CVE-2018-25022 in toxcore

Summary

by MITRE • 12/13/2021

The Onion module in toxcore before 0.2.2 doesn't restrict which packets can be onion-routed, which allows a remote attacker to discover a target user's IP address (when knowing only their Tox Id) by positioning themselves close to the target's Tox Id in the DHT for the target to establish an onion connection with the attacker, guessing the target's DHT public key and creating a DHT node with a public key close to it, and finally onion-routing a NAT Ping Request to the target, requesting it to ping the just created DHT node.


Analysis

by VulDB Data Team • 12/15/2021

The vulnerability described in CVE-2018-25022 resides in the onion routing implementation of toxcore version 0.2.1 and earlier, specifically the Onion module. The Tox onion layer exists so that a user can be located (announced and contacted) by Tox ID without exposing the IP address behind that ID; this flaw undermines exactly that guarantee. The root cause is that the onion layer did not restrict which packet types may be carried through an onion path: any packet the attacker wrapped in onion layers was delivered to the destination and handed to that node's normal packet handlers, including the DHT handlers, which were never meant to be reachable through the anonymity layer. The result is that a remote attacker who knows only a target's Tox ID, with no special privileges or credentials, can obtain the target's IP address.

The exploitation chain has three steps. First, a Tox client announces itself to, and builds onion connections through, DHT nodes whose keys are close to its own Tox ID; the attacker therefore runs a DHT node with a key close to the target's Tox ID so that the target establishes an onion connection with the attacker. Second, the attacker guesses the target's DHT public key (the DHT key is separate from the long-term key in the Tox ID) and brings up a second DHT node with a key close to that guess, so that the target will treat it as a plausible neighbour. Third, the attacker onion-routes a NAT Ping Request to the target, asking it to ping the newly created DHT node. NAT ping is a DHT mechanism that is answered with a direct UDP packet, not through the onion, so the target's reply arrives at the attacker's node from the target's real IP address. The technique works because the onion layer trusted any packet type it carried, violating the assumption that onion-routed traffic can never trigger direct, de-anonymising communication.

The operational impact of this vulnerability extends beyond simple IP address disclosure, as it fundamentally compromises the anonymity model that Tox was designed to provide. When an attacker successfully executes this attack, they gain the ability to map Tox users to their actual IP addresses, which can be used for further attacks including targeted harassment, surveillance, or social engineering operations. The vulnerability affects all users of toxcore versions prior to 0.2.2, creating a widespread security concern within the Tox ecosystem. This type of attack falls under the category of network reconnaissance and can be particularly dangerous in environments where user privacy is paramount, such as in activist communities, whistleblowing networks, or any scenario requiring strong anonymity guarantees.

This vulnerability maps to CWE-200, "Exposure of Sensitive Information to an Unauthorized Actor": the sensitive value is the user's IP address, and the exposure occurs because a DHT-level packet is accepted through a channel where only onion-layer packet types should be honoured. In ATT&CK terms the closest fit is reconnaissance rather than command-and-control: T1590.005, "Gather Victim Network Information: IP Addresses". It is not a DNS-protocol (T1071.004) or phishing (T1566) technique; the attacker neither tunnels traffic over DNS nor deceives the user, but abuses the protocol's own node selection by placing cooperating DHT nodes at chosen key distances.

The recommended mitigation is to upgrade to toxcore 0.2.2 or later, where the Onion module restricts which packet types may be onion-routed, so that DHT packets such as a NAT Ping Request are dropped instead of being delivered through an onion path. Because Tox is a peer-to-peer client rather than a server deployment, there is no infrastructure-side control that substitutes for the update; network monitoring for anomalous DHT behaviour is at best a detective measure. Organizations relying on Tox for sensitive communications should verify that every client build links against a patched toxcore, since the attack requires nothing beyond ordinary participation in the Tox network and knowledge of a target's Tox ID.
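The following C program is an added illustration of the two ideas above, the attack's reliance on key closeness and the fix's restriction of onion-routable packet types; it is example code written for this page, not toxcore's own implementation. It models the last onion hop deciding what to do with the decrypted inner packet, once in the vulnerable "forward anything" style and once with an allowlist, and includes a byte-wise XOR closeness comparison of the kind toxcore's DHT uses to rank node keys. The packet-type names follow toxcore's NET_PACKET_* naming, but the numeric values and the NAT ping payload are assumptions made for the model.

```c
/* Constructed model of CVE-2018-25022 and its fix (example code, not toxcore's).
 * Numeric packet-type values below are ASSUMED for the model. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum {
    NET_PACKET_PING_REQUEST       = 0x00, /* assumed value */
    NET_PACKET_GET_NODES          = 0x02, /* assumed value */
    NET_PACKET_CRYPTO             = 0x20, /* assumed: DHT request carrying a NAT ping */
    NET_PACKET_ANNOUNCE_REQUEST   = 0x83, /* assumed value */
    NET_PACKET_ONION_DATA_REQUEST = 0x85, /* assumed value */
};

/* What happens to the inner packet after the exit hop decrypts it. */
typedef enum { ACTION_DROPPED = 0, ACTION_ONION_HANDLER = 1, ACTION_DHT_HANDLER = 2 } exit_action;

/* Vulnerable behaviour (before 0.2.2, as modelled here): the inner packet is
 * forwarded whatever its type, so a NAT Ping Request reaches the target's DHT
 * handler, which answers with a direct UDP ping to the attacker's node. */
static exit_action onion_exit_vulnerable(const uint8_t *inner, size_t len) {
    if (len == 0) return ACTION_DROPPED;
    switch (inner[0]) {
    case NET_PACKET_ANNOUNCE_REQUEST:
    case NET_PACKET_ONION_DATA_REQUEST:
        return ACTION_ONION_HANDLER;
    default:
        return ACTION_DHT_HANDLER; /* any other type leaks through to DHT code */
    }
}

/* Hardened behaviour: only onion-layer packet types may be onion-routed. */
static bool onion_packet_allowed(uint8_t type) {
    return type == NET_PACKET_ANNOUNCE_REQUEST || type == NET_PACKET_ONION_DATA_REQUEST;
}

static exit_action onion_exit_hardened(const uint8_t *inner, size_t len) {
    if (len == 0 || !onion_packet_allowed(inner[0])) return ACTION_DROPPED;
    return ACTION_ONION_HANDLER;
}

/* Byte-wise XOR closeness, most significant byte first: returns 1 if pk1 is
 * closer to target than pk2, 2 if pk2 is closer, 0 on a tie. This is the kind
 * of ranking an attacker games by minting a key adjacent to the target's. */
#define PK_LEN 32
static int id_closest(const uint8_t *target, const uint8_t *pk1, const uint8_t *pk2) {
    for (size_t i = 0; i < PK_LEN; i++) {
        uint8_t d1 = (uint8_t)(target[i] ^ pk1[i]);
        uint8_t d2 = (uint8_t)(target[i] ^ pk2[i]);
        if (d1 < d2) return 1;
        if (d1 > d2) return 2;
    }
    return 0;
}

int main(void) {
    /* Constructed inner packets: a NAT ping wrapped by the attacker, and a
     * legitimate announce request. Payload bytes are placeholders. */
    const uint8_t nat_ping[] = { NET_PACKET_CRYPTO, 0xfe, 0x00, 0x01, 0x02, 0x03 };
    const uint8_t announce[] = { NET_PACKET_ANNOUNCE_REQUEST, 0xaa, 0xbb };

    printf("vulnerable exit, NAT ping -> %d (2 = reaches DHT handler)\n",
           onion_exit_vulnerable(nat_ping, sizeof nat_ping));
    printf("hardened exit,   NAT ping -> %d (0 = dropped)\n",
           onion_exit_hardened(nat_ping, sizeof nat_ping));
    printf("hardened exit,   announce -> %d (1 = onion handler)\n",
           onion_exit_hardened(announce, sizeof announce));

    /* Constructed keys: the attacker's key differs from the target's only in
     * the low bit of the first byte, so it outranks an honest node's key. */
    uint8_t target[PK_LEN] = { 0x5a }, honest[PK_LEN] = { 0x70 }, attacker[PK_LEN] = { 0x5b };
    printf("attacker node ranked closer than honest node? %s\n",
           id_closest(target, attacker, honest) == 1 ? "yes" : "no");
    return 0;
}
```

The allowlist is the whole fix in this model: the exit hop no longer needs to know what a NAT ping is, it only needs to refuse anything that is not an onion-layer request. The closeness routine shows why "positioning" costs an attacker nothing beyond key generation, since any key sharing a long common prefix with the target's will be ranked ahead of honest neighbours.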

Reservation

12/13/2021

Disclosure

12/13/2021

Moderation

accepted

CPE

ready

EPSS

0.01505

KEV

no

Activities

very low
