This article is more than 1 year old
Drive-by web nasty unmasks Tor Browser users, Mozilla dashes to patch zero-day vuln
JavaScript smuggles malicious payload into PCs
Updated Mozilla is scrambling to patch a vulnerability in Firefox that is apparently being exploited in the wild to unmask Tor Browser users.
Earlier today, a small package of SVG, JavaScript and x86 code popped up on a Tor mailing list that, when opened by Firefox or Tor Browser on a Windows PC, phones home to a remote server and leaks the user's MAC address, hostname and potentially their public IP address. Typically, this exploit would be embedded in a webpage and leap into action when opened by an unsuspecting visitor.
Tor Browser is a repackaged version of Firefox that runs connections through the anonymizing Tor network; it's supposed to hide your public IP address, and the exploit is designed to leak that potentially identifying information to persons unknown.
The exploit was posted by an anonymous user of the Sigaint dark web email service. That mailing list message said the flaw is being used right now against Tor Browser folks.
"This is a JavaScript exploit actively used against Tor Browser now," the author wrote.
"It consists of one HTML and one CSS file, both pasted below and also de-obscured. The exact functionality is unknown but it's getting access to VirtualAlloc in kernel32.dll and goes from there."
The exploit was lobbed at Mozilla's security team, which has studied the code and located the programming bug attacked by the JavaScript and SVG. It is working on a patch, Tor Project lead Roger Dingledine said.
"So it sounds like the immediate next step is that Mozilla finishes their patch for it then … a quick Tor Browser update and somewhere in there people will look at the bug and see whether they think it really does apply to Tor Browser," Dingledine noted.
Early analysis reveals the payload has striking similarities to a separate Tor Browser spying tool that emerged in 2013. According to reverse-engineering efforts, it appears once this latest x86 code injected by the JavaScript is running within the browser, it phones home to 5.39.27.226 on port 80 and sends over the machine's information.
Whatever was behind that IP address is no longer responding to connections; it appears to have belonged to an OVH-hosted virtual machine. The 2013 payload was used by the FBI to decloak Tor-protected suspected criminals. ®
First off, it's a garden variety use-after-free, not a heap overflow, and it affects the SVG parser Firefox.
— Dan Guido (@dguido) November 30, 2016
As far as exploit techniques, this is a routine UAF that heap sprays a controlled object to kick off a ROP chain. Pwn2Own 2012-level tech.
— Dan Guido (@dguido) November 30, 2016
Updated to add
Tor Browser 6.0.7, Firefox 50.0.2 and Firefox 45.5.1esr have been released to fix the exploited vulnerability. ®
Biting the hand that feeds IT
