Slashdot Mirror


Firefox Zero-Day Can Be Used To Unmask Tor Browser Users (computerworld.com)

An anonymous reader quotes a report from Computerworld: A Firefox zero-day being used in the wild to target Tor users is using code that is nearly identical to what the FBI used in 2013 to unmask Tor-users. A Tor browser user notified the Tor mailing list of the newly discovered exploit, posting the exploit code to the mailing list via a Sigaint darknet email address. A short time later, Roger Dingledine, co-founder of the Tor Project Team, confirmed that the Firefox team had been notified, had "found the bug" and were "working on a patch." On Monday, Mozilla released a security update to close off a different critical vulnerability in Firefox. Dan Guido, CEO of TrailofBits, noted on Twitter, that "it's a garden variety use-after-free, not a heap overflow" and it's "not an advanced exploit." He added that the vulnerability is also present on the Mac OS, "but the exploit does not include support for targeting any operating system but Windows." Security researcher Joshua Yabut told Ars Technica that the exploit code is "100% effective for remote code execution on Windows systems." "The shellcode used is almost exactly the shellcode of the 2013 one," tweeted a security researcher going by TheWack0lian. He added, "When I first noticed the old shellcode was so similar, I had to double-check the dates to make sure I wasn't looking at a 3-year-old post." He's referring to the 2013 payload used by the FBI to deanonymize Tor-users visiting a child porn site. The attack allowed the FBI to tag Tor browser users who believed they were anonymous while visiting a "hidden" child porn site on Freedom Hosting; the exploit code forced the browser to send information such as MAC address, hostname and IP address to a third-party server with a public IP address; the feds could use that data to obtain users' identities via their ISPs.

55 comments

  1. headline resummarized: Tor!=Panacea by rectalfeeding · · Score: 1

    Any tor utilizing application's zero-day bugs can be used to unmask that tor utilizing app's users.

    1. Re:headline resummarized: Tor!=Panacea by DarkOx · · Score: 1

      Right, at the very least you need to install a perfectly clean VM taking all the default install options on the OS so you don't do anything that might be identifiable or make it more unique. Make sure you do not enable any of the host integration stuff, no copy paste, don't install the VMware tools, ensure all the host isolation stuff is on, don't even allow the power status or system clock to the VM. Only then do you install tor. After that take a snapshot. Be sure to revert to that snapshot each and every time you use the VM before you do any tor browsing! Start over and make a fresh build every few months as you can't trust upgrade processes won't leave something fingerprintable, and using a browser even a few months old might separate you from the masses somewhat now that most of the world auto-updates.

      If you do those things you *might* have a fighting chance of actually remaining anonymous.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    2. Re:headline resummarized: Tor!=Panacea by Anonymous Coward · · Score: 1

      > Right, at the very least you need to install a perfectly clean VM taking all the default install options on the OS so you don't do anything that might be identifiable or make it more unique. Make sure you do not enable any of the host integration stuff, no copy paste, don't install the VMware tools, ensure all the host isolation stuff is on, don't even allow the power status or system clock to the VM. Only then do you install tor. After that take a snapshot. Be sure to revert to that snapshot each and every time you use the VM before you do any tor browsing! Start over and make a fresh build every few months as you can't trust upgrade processes won't leave something fingerprintable, and using a browser even a few months old might separate you from the masses somewhat now that most of the world auto-updates.

      Or you can skip all that bullshit and just boot a TAILS CD.

    3. Re:headline resummarized: Tor!=Panacea by TheCarp · · Score: 1

      That is not the very least. That is a whole bunch of extra work when entire distributions exist just to obviate the need for this. Take a look at tails.

      It is, of course, recommended to put it on a usb stick and clean boot hardware off the stick to use it; however, there is nothing stopping you from bringing it up in a VM if you are ok with the trade offs.

      Accomplishes the same thing, for less work, and with a much larger already setup base which will be identical to other users, in ways that increase the work of differentiating you from other users.

      Also, it is possible to jail an environment better.... What you really want on your VM is to jail it onto a network segment with no gateway where its only connection to the outside world is a tor client on a second VM.

      Which I care enough to state, not enough to even set up for myself. I have a few tails sticks for the few things I really need a secure environment for.... so far that means mostly for times I want to drop off the network entirely in order to work with key generation.

      --
      "I opened my eyes, and everything went dark again"
    4. Re:headline resummarized: Tor!=Panacea by Anonymous Coward · · Score: 0

      I've always wondered what would get returned from tails as a mac if this exploit was used on tails with the mac changer option.

    5. Re:headline resummarized: Tor!=Panacea by DarkOx · · Score: 1

      I am sorry, I can't agree. There are going to be A LOT more people running a stock Windows 8.1 or stock Ubuntu than any of the 'privacy' distributions, all of which almost certainly can be fingerprinted. If you want to blend into the herd I would certainly pick one of those two platforms.

      I like the idea of running tor on a separate VM from the one you do your browsing on.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    6. Re:headline resummarized: Tor!=Panacea by TheCarp · · Score: 1

      > I like the idea of running tor on a separate VM from the one you do your browsing on.

      It is a proxy and most of the attack vectors attack the end client, not the network itself.... the tor client needs internet access; the client behind it can only harm itself with direct access.... so don't give it, not even DNS, nothing. Just port 9050 alone and only one responding IP.

      Maybe drop another interface on there and log all the non-port 9050 traffic as well :)

      --
      "I opened my eyes, and everything went dark again"
  2. Use NoScript by Anonymous Coward · · Score: 1

    Use NoScript and forbid scripts globally and this will mitigate the exploit.

    1. Re:Use NoScript by sims+2 · · Score: 1

      IKR having scripting turned on by default is one of the dumbest things they have ever done.

      I remember back when it was disabled by default and they said not to turn it on because it was a security risk.

      --
      Minimum threshold fixed. Thanks!
    2. Re:Use NoScript by Anonymous Coward · · Score: 0

      Not only that, Mozilla then removed the option to turn off Javascript from the UI and buried it in about:config.

    3. Re:Use NoScript by acrimonious+howard · · Score: 1

      > Use NoScript and forbid scripts globally and this will mitigate the exploit.

      Or I think uMatrix will work? (howto)

    4. Re:Use NoScript by AHuxley · · Score: 1

      What does a whitelist do per site with the code?
      Does the code run from the whitelisted site visited or its on a third party site that expects a browser to allow it to work?

      --
      Domestic spying is now "Benign Information Gathering"
    5. Re: Use NoScript by Anonymous Coward · · Score: 0

      Whitelist is only for that address, so even with ads you can whitelist trusted sites and not all their remote crap.

    6. Re: Use NoScript by Anonymous Coward · · Score: 0

      But that is not proper tor usage, only usage with normal browser usage. Do not disable it in tor browser; HTTPS can hide it to an extent in the middle.

    7. Re:Use NoScript by Anonymous Coward · · Score: 0

      tbh, these days I set up everything straight via about:config

      Mostly because I need to access it anyway for half of my settings.

  3. Re:I don't understand by lgw · · Score: 2

    > What does this have to do with Trump.
    >
    > They should change this site to trumpdot.org!

    Hey, that's not fair. Only half the stories are Trump-bashing. The other half are Facebook or Reddit bashing.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  4. Re:AMZN getting into FREE email like gmail by sims+2 · · Score: 1

    What?! where?! I want an @amazon.com

    --
    Minimum threshold fixed. Thanks!
  5. Firefox Zero-Day Can Be Used To RUN CODE by WD · · Score: 1

    The bug can be used to run any code of an attacker's choosing.

    1. Re:Firefox Zero-Day Can Be Used To RUN CODE by AHuxley · · Score: 1

      What's the origin story? Gov code used by gov/s again? Or old gov code that's been found and been reused by someone/anyone?

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:Firefox Zero-Day Can Be Used To RUN CODE by zifn4b · · Score: 1

      > The bug can be used to run any code of an attacker's choosing.

      Funny thing about this, the security conscious IT department of the company I work for insists that we all ought to prefer Firefox yet all the developers for the most part use Chrome. Bwah hah hah hah.

      --
      We'll make great pets
  6. Windows and Javascript by Anonymous Coward · · Score: 1

    Again a Windows and JavaScript exploit. Use Linux or BSD, and disable JavaScript from the config.

    1. Re:Windows and Javascript by Anonymous Coward · · Score: 0

      I know for a fact that this exploit works for Linux as well, same info too: username, hostname, MAC address.

    2. Re:Windows and Javascript by gravewax · · Score: 1

      This exploit is OS agnostic retard and if you bothered to read the article you would know that.

    3. Re: Windows and Javascript by Anonymous Coward · · Score: 0

      All those can be masked or broadcast, but if it can get through a channel that is not, that's another story, i.e. malware or other means.

    4. Re:Windows and Javascript by Anonymous Coward · · Score: 0

      > This exploit is OS agnostic retard and if you bothered to read the article you would know that.

      And if you had read the article carefully, you would have found that while the underlying bug is OS agnostic, the attacker only bothered to write an exploit for Windows.

    5. Re:Windows and Javascript by RuffMasterD · · Score: 2

      Calls to KERNEL32.dll are OS agnostic? Fuck me sideways!

      --
      Human Rights, Article 12: Freedom from Interference with Privacy, Family, Home and Correspondence
    6. Re:Windows and Javascript by Anonymous Coward · · Score: 0

      Wait until the next version of SystemD comes out.

      Then calls to kernel32.dll will work on Linux, too.

    7. Re: Windows and Javascript by Anonymous Coward · · Score: 0

      TBH if you don't build your own OS from scratch, you probably shouldn't be using a computer.

    8. Re:Windows and Javascript by Anonymous Coward · · Score: 0

      Well no. If you put x86 (or x64) machine code in a variable and treat that variable's pointer as a function pointer and don't call any OS specific API from said machine code, it'll work just fine on Windows, OSX, and Linux.

      At this point, you can directly interface with hardware rather than using the OS to do it and (for example) ask the Wifi device what its MAC address is. Then you return that value.

      The only way to get a browser to inadvertently treat a variable as a function is to exploit a bug of some kind. That's the hard part.

  7. Fixed even before this story got published by Giorgio+Maone · · Score: 2

    Great work by Mozilla and the Tor Project on the lightning fast (

    And yes, NoScript did protect against this (the Tor Browser has it built-in, for users who know what they're doing).

    --
    There's a browser safer than Firefox, it is Firefox, with NoScript
    1. Re:Fixed even before this story got published by WD · · Score: 1

      And yet the fix that they chose to implement STILL causes Firefox to crash. Just not in an exploitable manner. Seems kind of non-ideal to me.

    2. Re:Fixed even before this story got published by Anonymous Coward · · Score: 1

      You're always welcome to submit patches yourself. -PCP

    3. Re:Fixed even before this story got published by Anonymous Coward · · Score: 0

      I would prefer a crash over an invisible hijacking.

  8. Re:I don't understand by Highdude702 · · Score: 1

    Don't forget to add the Linux bashing in the process. This place is becoming a "Safe Zone".

  9. Re:I don't understand by FatdogHaiku · · Score: 1

    > What does this have to do with Trump.
    >
    > They should change this site to trumpdot.org!
    >
    > Hey, that's not fair. Only half the stories are Trump-bashing. The other half are Facebook or Reddit bashing.

    Geez, way to feel Microsoft marginalized...

    --
    You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
  10. tor huh by Anonymous Coward · · Score: 0

    how about tor through a highly custom built and configured elinks. depends on your uses but hey.

    1. Re: tor huh by Anonymous Coward · · Score: 0

      Who said I was doing anything illegal?

    2. Re: tor huh by Anonymous Coward · · Score: 0

      If you need tor, you're doing something illegal or that you know is wrong. There is simply no other reason, sorry. I know you picture yourself as a brave lone warrior fighting for freedom or justice, but it's not the case. You are just one citizen among many, nobody is going to hurt you if you're not doing anything wrong. You can persist in those quaint fantasies and wake up one day all alone and miserable because of your paranoid delusions, or you can be part of a community. Forget about tor. Computers are a tool. The internet is just another way to communicate. The rules of civilized society apply everywhere. Take your meds. Everything's all right.

    3. Re: tor huh by Anonymous Coward · · Score: 0

      If a significant amount of people use tor for mundane and legal stuff, it's going to be more difficult to ban. They cannot use the "only people doing something bad will use it" argument then.

      Oh, why am I bothering. You just used that very argument.

    4. Re: tor huh by RuffMasterD · · Score: 2

      And yet you post anonymous. Because you don't want anyone to link what you say online back to your identity. Go right ahead and lead by example AC.

      --
      Human Rights, Article 12: Freedom from Interference with Privacy, Family, Home and Correspondence
    5. Re: tor huh by Anonymous Coward · · Score: 0

      Is this the blue pill you're talking about? One of the things I've been noticing is that the civil institutions of the press and the legal system are under assault; they are the ones being snooped on. Interference in these two realms by snooping governments undermines the ability to correct imbalances and overreaches. The thing is, focusing on the government only also misses the interference that corporations are increasingly able to bring on the population. There is a definite asymmetry between the amount of information people give to corporations and the value they receive from it.

  11. With $MY_FAVE_LANG that wouldn't have happened. by Anonymous Coward · · Score: 0

    Insert fanboi talk: "it's because C. With (Rust|C#|Smalltalk|Forth|Brainfuck) this wouldn't have happened."

    The real bad idea is, though, that the browser has become the OS within the OS, trying to replicate, badly, what the OS has learnt, barely, in the last 35 years. On top of that it's supposed to download random and sundry bits off the internet and execute them on the user's computer.

  12. Re:I don't understand by imadeyoureadpoop · · Score: 1

    > What does this have to do with Trump.
    >
    > They should change this site to trumpdot.org!

    Finds a non-Trump article on Slashdot, complains about how everything on Slashdot is related to Trump.... Well you're not technically wrong, you're just stupid.

    Relevant sig

    --
    Hanlon's Razor -- Never attribute to malice that which is adequately explained by stupidity.
  13. Don't use the Tor browser on a darknet! by GameboyRMH · · Score: 2

    It probably seems crazy to tell you not to use the official darknet browser on a darknet, but sadly the Tor browser is the top attack vector used by law enforcement against darknet users. It's the biggest target by far. You have to roll your own darknet browser. It's a PITA but otherwise, every exploit in the TLA's books is going to be aimed at you. Also it should go without saying that your browser should be running in a Linux VM whose state is discarded on shutdown, and ideally you should have a firewall setup that blocks all outgoing traffic not going to the darknet proxy address.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
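    The egress policy that TheCarp (port 9050 to one Tor-client IP, no DNS, log everything else) and GameboyRMH (block all outgoing traffic not bound for the darknet proxy) describe, modelled as an added example that is not code from the thread or from the Tor Project; the Tor-client address, the sample flows and the public call-back address are constructed.

    ```python
    # Added example: a model of the browsing-VM egress policy described in the
    # thread. The only permitted flow is TCP to the Tor client's SOCKS port;
    # everything else (DNS, direct connections to public IPs) is dropped and
    # logged, because a flow leaving the isolated segment is exactly what a
    # de-anonymising payload needs. Addresses and flows below are constructed.
    import ipaddress
    from dataclasses import dataclass

    TOR_CLIENT_IP = ipaddress.ip_address("10.152.152.10")  # assumed Tor-VM address
    TOR_SOCKS_PORT = 9050                                   # port named in the thread


    @dataclass(frozen=True)
    class Flow:
        proto: str   # "tcp" or "udp"
        dst: str     # destination IP as a string
        dport: int   # destination port


    def egress_verdict(flow: Flow) -> str:
        """ALLOW only TCP to the Tor client's SOCKS port; LOG_DROP everything else."""
        dst = ipaddress.ip_address(flow.dst)
        if flow.proto == "tcp" and dst == TOR_CLIENT_IP and flow.dport == TOR_SOCKS_PORT:
            return "ALLOW"
        return "LOG_DROP"


    def audit(flows):
        """Apply the policy to captured flows and return the ones that were logged."""
        return [f for f in flows if egress_verdict(f) == "LOG_DROP"]


    def iptables_rules():
        """Render the same policy as OUTPUT-chain rules for the browsing VM."""
        return [
            "iptables -A OUTPUT -o lo -j ACCEPT",
            f"iptables -A OUTPUT -p tcp -d {TOR_CLIENT_IP} --dport {TOR_SOCKS_PORT} -j ACCEPT",
            'iptables -A OUTPUT -j LOG --log-prefix "egress-leak: "',
            "iptables -A OUTPUT -j DROP",
        ]


    # Constructed sample: one legitimate SOCKS connection, a DNS leak, and a
    # direct call-back to a public address (TEST-NET-3, not a real host).
    SAMPLE_FLOWS = [
        Flow("tcp", "10.152.152.10", 9050),
        Flow("udp", "10.152.152.1", 53),
        Flow("tcp", "203.0.113.7", 80),
    ]

    if __name__ == "__main__":
        for f in audit(SAMPLE_FLOWS):
            print(f"egress-leak: {f.proto} -> {f.dst}:{f.dport}")
        print("\n".join(iptables_rules()))
    ```
    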
  14. TOR Exploit on VM? by Anonymous Coward · · Score: 0

    Help me out here nerds:
    Can't the bug be mitigated by running TOR from a VM?
    If the VM talks to the Hypervisor via some 10. address how can the browser give up the real (ISP-issued) IP if it doesn't know it?

    1. Re:TOR Exploit on VM? by b0bby · · Score: 1

      I may be totally wrong, but iirc the previous exploit tricked the browser into visiting a non-tor site controlled by the FBI which then collected the information.

    2. Re:TOR Exploit on VM? by Anonymous Coward · · Score: 0

      you just invented whonix

      now you just need a time machine!

  15. Re:I don't understand by zifn4b · · Score: 1

    > Hey, that's not fair. Only half the stories are Trump-bashing. The other half are Facebook or Reddit bashing.

    I know right? I'm appalled by this, it is discrimination! There should be mandatory bashing quotas to ensure that all bashing is fair, equitable and evenly distributed. No favoritism! Equal rights for all!

    --
    We'll make great pets
  16. this is not zero day by Anonymous Coward · · Score: 0

    its zero months
    have a nice day

  17. Solution by Anonymous Coward · · Score: 0

    Don't use mainstream Tor, it's the one that gets attacked the most. Make your own with another browser (Lynx, anyone?) and just use the network.