CVE-2007-4174

Tor < 0.1.2.16 - Unauthenticated Configuration Modification via ControlPort

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2007-4174. PoCs published by elgCrew, anonymous.

AI-analyzed exploit summary This exploit targets Tor versions before 0.1.2.16 with ControlPort enabled. It rewrites the torrc configuration file to log debug output to a startup script (t.bat) and injects a malicious ExitPolicy command to execute arbitrary commands (e.g., calc.exe) on the next system boot.

Description

Tor before 0.1.2.16, when ControlPort is enabled, does not properly restrict commands to localhost port 9051, which allows remote attackers to modify the torrc configuration file, compromise anonymity, and have other unspecified impact via HTTP POST data containing commands without valid authentication, as demonstrated by an HTML form (1) hosted on a web site or (2) injected by a Tor exit node.

Exploits (2)

exploitdb WORKING POC VERIFIED
by elgCrew · htmlremotewindows
https://www.exploit-db.com/exploits/4468

This exploit targets Tor versions before 0.1.2.16 with ControlPort enabled. It rewrites the torrc configuration file to log debug output to a startup script (t.bat) and injects a malicious ExitPolicy command to execute arbitrary commands (e.g., calc.exe) on the next system boot.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Tor < 0.1.2.16
No auth needed
Prerequisites: Tor ControlPort enabled · Victim must visit the malicious HTML page or have it injected into their traffic
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by anonymous · htmlremotewindows
https://www.exploit-db.com/exploits/30447

This exploit targets Tor's ControlPort vulnerability (CVE-2007-4174) by injecting malicious commands via JavaScript to rewrite the torrc configuration file. It enables debug logging to a startup script (t.bat) and injects a command to execute calc.exe on the next system boot.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Tor < 0.1.2.16 with ControlPort enabled
No auth needed
Prerequisites: Tor with ControlPort enabled · Victim must visit the malicious HTML page or have it injected into their traffic
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (9)

Core 9
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/25188
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/36407
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1018510
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/35784
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2007/2768
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/36271
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/26301
Various Sources mailing-list x_refsource_mlist
http://archives.seul.org/or/announce/Sep-2007/msg00000.html
Various Sources mailing-list x_refsource_mlist
http://archives.seul.org/or/announce/Aug-2007/msg00000.html

Scores

EPSS 0.0621
EPSS Percentile 92.6%

Details

CWE
CWE-264
Status published
Products (15)
tor/tor 0.1.2.1 alpha
tor/tor 0.1.2.2
tor/tor 0.1.2.3 alpha
tor/tor 0.1.2.4
tor/tor 0.1.2.5 (2 CPE variants)
tor/tor 0.1.2.6 alpha
tor/tor 0.1.2.7 alpha
tor/tor 0.1.2.8 beta
tor/tor 0.1.2.9
tor/tor 0.1.2.10
... and 5 more
Published Aug 07, 2007
Tracked Since Feb 18, 2026