Drive-by web nasty unmasks Tor Browser users, Mozilla dashes to patch zero-day vuln
Updated: Mozilla is scrambling to patch a vulnerability in Firefox that is apparently being exploited in the wild to unmask Tor Browser users.
Tor Browser is a repackaged version of Firefox that runs connections through the anonymizing Tor network; it's supposed to hide your public IP address, and the exploit is designed to leak that potentially identifying information to persons unknown.
The exploit was posted by an anonymous user of the Sigaint dark web email service. That mailing list message said the flaw is being used right now against Tor Browser folks.
"It consists of one HTML and one CSS file, both pasted below and also de-obscured. The exact functionality is unknown but it's getting access to VirtualAlloc in kernel32.dll and goes from there."
"So it sounds like the immediate next step is that Mozilla finishes their patch for it then … a quick Tor Browser update and somewhere in there people will look at the bug and see whether they think it really does apply to Tor Browser," Dingledine noted.
Whatever was behind that IP address is no longer responding to connections; it appears to have belonged to an OVH-hosted virtual machine. The 2013 payload was used by the FBI to decloak Tor-protected suspected criminals. ®
"First off, it's a garden variety use-after-free, not a heap overflow, and it affects the SVG parser in Firefox."
— Dan Guido (@dguido) November 30, 2016
"As far as exploit techniques, this is a routine UAF that heap sprays a controlled object to kick off a ROP chain. Pwn2Own 2012-level tech."
— Dan Guido (@dguido) November 30, 2016
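To make the bug class in the tweets concrete for readers who are not exploit developers, here is an added C illustration (not code from Mozilla, Tor or the article, and unrelated to Firefox's real SVG parser): the shape of a use-after-free on a hypothetical `svg_node` type, shown only in a comment, next to the ownership discipline that prevents it, namely reference counting plus clearing the caller's pointer on release so a stale reference fails safely instead of reading freed memory. All names here are invented for the example.

```c
/* Added example, not from the original article or from Mozilla.
 * "svg_node" is a hypothetical type used only to show the bug class. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct svg_node {
    int refcount;   /* number of live owners (parser, DOM, script wrapper, ...) */
    char tag[16];   /* element name, e.g. "path" */
} svg_node;

/* --- The bug shape (shown only; deliberately never executed here) ---
 *
 *   svg_node *n = node_new("path");
 *   free(n);          // parser thinks it is the last owner and frees the node
 *   puts(n->tag);     // another component still holds the pointer: use-after-free
 *
 * After free() the block can be reallocated for attacker-controlled data, which
 * is why a UAF in a browser parser is a memory-safety bug and not just a crash.
 */

/* Allocate a node owned by exactly one party. */
svg_node *node_new(const char *tag) {
    svg_node *n = calloc(1, sizeof *n);
    if (!n) return NULL;
    n->refcount = 1;
    strncpy(n->tag, tag, sizeof n->tag - 1);
    return n;
}

/* A second owner registers its interest; returns the new owner count. */
int node_retain(svg_node *n) {
    return ++n->refcount;
}

/* An owner gives up its reference. The node is freed only when the last
 * owner lets go, and the caller's pointer is always cleared so that a later
 * accidental use hits NULL (loud, safe failure) rather than freed memory.
 * Returns the number of owners that remain. */
int node_release(svg_node **pn) {
    svg_node *n = *pn;
    int remaining;
    if (!n) return 0;
    remaining = --n->refcount;
    if (remaining == 0) {
        memset(n, 0, sizeof *n);   /* scrub before free: stale reads see zeros */
        free(n);
    }
    *pn = NULL;
    return remaining;
}

/* Accessor that tolerates a cleared pointer instead of dereferencing it. */
const char *node_tag(const svg_node *n) {
    return n ? n->tag : NULL;
}

/* Scenario with two owners (parser and DOM). Returns 0 if every step behaves
 * as the ownership rules require, otherwise the number of the failing step. */
int demo_two_owners(void) {
    svg_node *parser_ref = node_new("path");
    svg_node *dom_ref = parser_ref;
    if (!parser_ref) return 1;
    if (node_retain(dom_ref) != 2) return 2;          /* two owners now */
    if (node_release(&parser_ref) != 1) return 3;     /* parser lets go */
    if (parser_ref != NULL) return 4;                 /* its pointer is cleared */
    if (strcmp(node_tag(dom_ref), "path") != 0) return 5; /* DOM still safe */
    if (node_release(&dom_ref) != 0) return 6;        /* last owner frees */
    if (node_tag(dom_ref) != NULL) return 7;          /* stale use fails safely */
    return 0;
}

int main(void) {
    int rc = demo_two_owners();
    printf("ownership demo: %s (code %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The point is the ownership rule, not the specific API: a parser that frees an object while the DOM or a script wrapper still points at it is exactly the pattern a browser's refcounted smart pointers exist to prevent, and sanitizers such as AddressSanitizer catch the commented-out bug shape in testing.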
Updated to add
Tor Browser 6.0.7, Firefox 50.0.2 and Firefox 45.5.1esr have been released to fix the exploited vulnerability. ®