New Firefox/TorBrowser 0day in the wild
"This is a Javascript exploit actively used against TorBrowser NOW. It consists of one HTML and one CSS file, both pasted below and also de-obscured. The exact functionality is unknown but it's getting access to "VirtualAlloc" in "kernel32.dll" and goes from there. Please fix ASAP. I had to break the "thecode" line in two in order to post, remove ' + ' in the middle to restore it."
https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html

-- Kind regards, Ben Mezger
Thanks Ben but don't use it - prefer hide plain site

-------- Original Message --------
On Nov 29, 2016, 2:57 PM, Ben Mezger wrote:
> "This is a Javascript exploit actively used against TorBrowser NOW. It consists of one HTML and one CSS file, both pasted below and also de-obscured. The exact functionality is unknown but it's getting access to "VirtualAlloc" in "kernel32.dll" and goes from there. Please fix ASAP. I had to break the "thecode" line in two in order to post, remove ' + ' in the middle to restore it."
> https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html
> -- Kind regards, Ben Mezger
On 11/29/2016 04:57 PM, Ben Mezger wrote:
> "This is a Javascript exploit actively used against TorBrowser NOW. It consists of one HTML and one CSS file, both pasted below and also de-obscured. The exact functionality is unknown but it's getting access to "VirtualAlloc" in "kernel32.dll" and goes from there. Please fix ASAP. I had to break the "thecode" line in two in order to post, remove ' + ' in the middle to restore it."
> https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html

Does this do anything against non-Windows systems?

-- Shawn K. Quinn <skquinn@rushpost.com>
http://www.rantroulette.com
http://www.skqrecordquest.com
I guess not, I am not sure, but it looks like it's a Windows-only exploit. Wait for Firefox to release an update and prevent using Firefox for any activity meanwhile.

On 29/11/16 22:16, Shawn K. Quinn wrote:
> On 11/29/2016 04:57 PM, Ben Mezger wrote:
>> "This is a Javascript exploit actively used against TorBrowser NOW. It consists of one HTML and one CSS file, both pasted below and also de-obscured. The exact functionality is unknown but it's getting access to "VirtualAlloc" in "kernel32.dll" and goes from there. Please fix ASAP. I had to break the "thecode" line in two in order to post, remove ' + ' in the middle to restore it."
>> https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html
> Does this do anything against non-Windows systems?

-- Kind regards, Ben Mezger
On Tue, Nov 29, 2016 at 06:16:44PM -0600, Shawn K. Quinn wrote:
> https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html
> Does this do anything against non-Windows systems?

The exploit appears windoze only, but likely the bug is alive on other OSes, so the sploit can be ported. It appears "use after free":
http://www.theregister.co.uk/2016/11/30/possible_tor_browser_decloak_zero_da...
On 11/30/2016 08:20 AM, Georgi Guninski wrote:
> On Tue, Nov 29, 2016 at 06:16:44PM -0600, Shawn K. Quinn wrote:
>> https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html
>> Does this do anything against non-Windows systems?
> The exploit appears windoze only, but likely the bug is alive on other OSes, so the sploit can be ported. It appears "use after free":
> http://www.theregister.co.uk/2016/11/30/possible_tor_browser_decloak_zero_da...
In <https://news.ycombinator.com/item?id=13066825>, schoen noted:

| The underlying vulnerability has to do with a memory corruption
| of some sort in Firefox's SVG rendering, which is a code base
| that is shared across platforms. So probably an analogous memory
| corruption exists on other platforms, because it's compiled from
| the same C++. While it's possible that it's not exploitable
| outside of Windows, there is no specific reason to assume it
| won't be.
|
| But the exploit here with the ROP chain, calling Windows APIs,
| etc., is apparently Win32-specific and doesn't have binary code
| that could run successfully on other platforms.
|
| The setup for the exploit is apparently primarily in the
| Javascript function craftDOM() which makes some SVG objects and
| modifies some of their properties, presumably in a way that
| triggers an underlying bug in Firefox's SVG support. There is
| also a Win32 object code payload in the string object thecode,
| which would not be able to run unmodified on another platform.
| Also, the ROP chain code is likely to be Windows-specific in
| several respects. Indeed, the statement
|
| throw"Bad NT Signature";
|
| seems to be actively giving up the attack if it detects a
| non-Win32 environment.
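As an added example (not from the thread or any of its participants), the following triage script scores a captured page by whether the indicator families the thread mentions co-occur: SVG DOM construction as in craftDOM(), an escaped byte blob like the "thecode" string, Win32 strings such as VirtualAlloc/kernel32.dll, and the "Bad NT Signature" bail-out. The regexes are my own approximations, not published signatures, and the sample pages are constructed; the first only imitates the shape described above with filler bytes.

```python
import re

# Indicator families taken from the thread: craftDOM() building SVG objects,
# the Win32 payload string "thecode", VirtualAlloc/kernel32.dll, and the
# "Bad NT Signature" bail-out.  Patterns are my own approximations.
INDICATORS = {
    "win32_api": re.compile(r"VirtualAlloc|kernel32\.dll", re.I),
    "pe_check": re.compile(r"Bad NT Signature", re.I),
    "svg_dom": re.compile(r"createElementNS\(\s*['\"][^'\"]*svg|<svg\b", re.I),
    # long runs of escaped bytes (\xNN or %uNNNN) as used to carry native code
    "payload_blob": re.compile(r"(?:\\x[0-9a-f]{2}){32,}|(?:%u[0-9a-f]{4}){16,}", re.I),
}

def score_page(html: str) -> dict:
    """Classify a captured page by which indicator families co-occur.
    'suspicious': a Win32-specific string together with SVG DOM construction
                  or an escaped byte blob (the combination the thread describes).
    'review':     a Win32 string or byte blob alone (worth a look, often benign).
    'clean':      nothing, or SVG alone (SVG is everywhere on the web).
    """
    hits = {name: bool(rx.search(html)) for name, rx in INDICATORS.items()}
    win32 = hits["win32_api"] or hits["pe_check"]
    delivery = hits["svg_dom"] or hits["payload_blob"]
    if win32 and delivery:
        verdict = "suspicious"
    elif win32 or hits["payload_blob"]:
        verdict = "review"
    else:
        verdict = "clean"
    return {"hits": hits, "verdict": verdict}

# Constructed samples, not the real exploit: the first only mimics the shape
# described in the thread, with filler bytes in place of any payload.
SUSPICIOUS_SAMPLE = (
    "<html><body><script>\n"
    "function craftDOM(){\n"
    "  var s = document.createElementNS('http://www.w3.org/2000/svg', 'svg');\n"
    "}\n"
    "var thecode = unescape('" + "%u4141" * 24 + "');\n"
    "if (!sigOk) throw 'Bad NT Signature';\n"
    "</script></body></html>"
)
BENIGN_SVG_SAMPLE = '<html><body><svg width="10" height="10"><rect/></svg></body></html>'
PROSE_SAMPLE = "<html><body><p>Win32 programs import VirtualAlloc from kernel32.dll.</p></body></html>"

if __name__ == "__main__":
    for name, page in [("suspicious", SUSPICIOUS_SAMPLE), ("benign-svg", BENIGN_SVG_SAMPLE),
                       ("prose", PROSE_SAMPLE)]:
        print(name, score_page(page)["verdict"])
```

The co-occurrence rule is what keeps the noise down: a page that merely embeds SVG, or documentation that mentions kernel32.dll, does not reach "suspicious" on its own.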
participants (5)
- Ben Mezger
- Georgi Guninski
- Mirimir
- rooty
- Shawn K. Quinn