On 11/30/2016 08:20 AM, Georgi Guninski wrote:
> On Tue, Nov 29, 2016 at 06:16:44PM -0600, Shawn K. Quinn wrote:
>> https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html
>> Does this do anything against non-Windows systems?
>
> The exploit appears windoze only, but likely the bug is alive on other OSes, so the sploit can be ported. It appears "use after free":
> http://www.theregister.co.uk/2016/11/30/possible_tor_browser_decloak_zero_da...
In <https://news.ycombinator.com/item?id=13066825>, schoen noted:

| The underlying vulnerability has to do with a memory corruption
| of some sort in Firefox's SVG rendering, which is a code base
| that is shared across platforms. So probably an analogous memory
| corruption exists on other platforms, because it's compiled from
| the same C++. While it's possible that it's not exploitable
| outside of Windows, there is no specific reason to assume it
| won't be.
|
| But the exploit here with the ROP chain, calling Windows APIs,
| etc., is apparently Win32-specific and doesn't have binary code
| that could run successfully on other platforms.
|
| The setup for the exploit is apparently primarily in the
| Javascript function craftDOM() which makes some SVG objects and
| modifies some of their properties, presumably in a way that
| triggers an underlying bug in Firefox's SVG support. There is
| also a Win32 object code payload in the string object thecode,
| which would not be able to run unmodified on another platform.
| Also, the ROP chain code is likely to be Windows-specific in
| several respects. Indeed, the statement
|
| throw"Bad NT Signature";
|
| seems to be actively giving up the attack if it detects a
| non-Win32 environment.
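For readers wondering what a "Bad NT Signature" check actually tests: a Win32 (PE) image begins with a DOS header whose e_lfanew field at offset 0x3c points to the NT headers, and those must start with the four bytes "PE\0\0". The following is an added example written for this thread, not code from the exploit or from the tor-talk posters; it parses only those two fields and the Machine word that follows, which is enough to see why the same test fails on a non-Windows image such as an ELF binary. The sample byte strings are constructed header-only stand-ins, not real binaries.

```python
"""
Added example (not part of the tor-talk thread or the exploit it discusses).
Minimal PE header validation: locate the NT headers through e_lfanew and
compare the 4-byte signature. This is the shape of check that would fail
with "Bad NT Signature" on anything that is not a Win32 image.
All sample bytes below are constructed, not taken from any real binary.
"""
import struct

DOS_MAGIC = b"MZ"                  # IMAGE_DOS_HEADER.e_magic
NT_SIGNATURE = b"PE\0\0"           # IMAGE_NT_HEADERS.Signature
E_LFANEW_OFFSET = 0x3C             # offset of IMAGE_DOS_HEADER.e_lfanew
IMAGE_FILE_MACHINE_I386 = 0x014C   # real Windows constants
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def nt_headers_offset(image: bytes) -> int:
    """Return the offset of the NT headers, raising ValueError on a bad signature."""
    if len(image) < E_LFANEW_OFFSET + 4 or image[:2] != DOS_MAGIC:
        raise ValueError("Bad DOS Signature")
    (e_lfanew,) = struct.unpack_from("<I", image, E_LFANEW_OFFSET)
    if e_lfanew + 4 > len(image) or image[e_lfanew:e_lfanew + 4] != NT_SIGNATURE:
        raise ValueError("Bad NT Signature")
    return e_lfanew


def machine_type(image: bytes) -> int:
    """Return IMAGE_FILE_HEADER.Machine, the WORD right after the NT signature."""
    off = nt_headers_offset(image) + 4
    (machine,) = struct.unpack_from("<H", image, off)
    return machine


def is_pe_image(image: bytes) -> bool:
    """True if both the DOS and NT signatures check out."""
    try:
        nt_headers_offset(image)
        return True
    except ValueError:
        return False


def build_minimal_pe(machine: int = IMAGE_FILE_MACHINE_I386) -> bytes:
    """Construct a header-only stand-in for a PE image (not a runnable binary)."""
    dos = bytearray(0x40)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)   # NT headers follow the DOS header
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + NT_SIGNATURE + file_header


# Constructed sample inputs.
SAMPLE_PE = build_minimal_pe()            # valid i386 header: passes
SAMPLE_ELF = b"\x7fELF" + b"\0" * 60      # Linux binary magic: no DOS header at all
SAMPLE_MZ_ONLY = b"MZ" + b"\0" * 62       # DOS header with e_lfanew = 0: "MZ\0\0" is not "PE\0\0"

if __name__ == "__main__":
    for name, blob in [("pe", SAMPLE_PE), ("elf", SAMPLE_ELF), ("mz-only", SAMPLE_MZ_ONLY)]:
        try:
            off = nt_headers_offset(blob)
            print(f"{name}: NT headers at {off:#x}, machine={machine_type(blob):#06x}")
        except ValueError as e:
            print(f"{name}: {e}")
```

The SAMPLE_MZ_ONLY case is the interesting one: a blob can carry the "MZ" magic and still fail the NT check, which is why the two signatures are tested separately. Running the block prints one line per sample, with the ELF and MZ-only inputs reporting the failed signature.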