Code, security, and related things

Tor hidden service operators: your default Apache install is probably vulnerable

29 January 2016

Update (1 February 2016):
Riseup has a very detailed guide on securing hidden services that mentions Apache leaks.

I'd also like to clarify something based on people's feedback. I know I'm not the first one to write about this issue, and I should have made that clearer. I recently learned that, among others, @CthulhuSec has brought this technique to light in the past. I respect Cthulhu's work and have no interest in diverting credit from him (I also had no idea this would get the coverage that it did).

TL;DR
If you run a Tor hidden service for an Apache server, make sure you disable mod_status with:
$ a2dismod status

On most distributions, Apache ships with a handy feature called mod_status enabled. It's a page located at /server-status that displays some statistics, like uptime, resource usage, total traffic, enabled virtual hosts, and active HTTP requests. For security reasons, it's only accessible from localhost by default.

This seems fairly reasonable, until you realize the Tor daemon runs on localhost. Consequently, any hidden service using Apache's default config has /server-status exposed to the world. What could a malicious actor do in that case? They could spy on potentially sensitive requests. They could deduce the server's approximate longitude if the timezone is set. They could even determine its IP address if a clearnet Virtual Host is present.

But this shouldn't be too much of a problem. Surely people who have taken the time to install an advanced web server and configure a hidden service for it have thoroughly read the documentation and disabled the offending module.

Or not.

I've discovered several such exposures over the last six months, reporting them wherever a contact was provided. And it's not just static pages or small personal sites that are vulnerable. Even sites where user privacy is absolutely imperative show negligence in this regard. Toward the end of 2015, I found a popular .onion search engine that had failed to disable the status module. As you might imagine, the result was not pretty.


(Session IDs and most distasteful searches redacted.)

I reported the flaw, and it was fixed within a few hours. A fine response, but it shouldn't have been necessary in the first place. It's a little ridiculus that such a basic server misconfiguration could be so dangerous. Forget 0days, traffic analysis, and crypto attacks; it's simple mistakes like this that bite the hardest.

So, if you run an Apache-based hidden service, verify that mod_status is disabled by going to http://your.onion/server-status. If you get any response besides a 404 or 403, open a shell on your server and execute:

$ sudo a2dismod status

That one-liner should take care of the issue.