New Firefox/TorBrowser 0day in the wild

Mirimir mirimir at riseup.net
Wed Nov 30 11:02:24 PST 2016


On 11/30/2016 08:20 AM, Georgi Guninski wrote:
> On Tue, Nov 29, 2016 at 06:16:44PM -0600, Shawn K. Quinn wrote:
>>> https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html
>>
>> Does this do anything against non-Windows systems?
>>
> The exploit appears windoze only, but likely the bug is alive on other
> OSes, so the sploit can be ported. It appears "use after free":
> 
> http://www.theregister.co.uk/2016/11/30/possible_tor_browser_decloak_zero_day_dropped_patch_in_works/

In <https://news.ycombinator.com/item?id=13066825>, schoen noted:

| The underlying vulnerability has to do with a memory corruption
| of some sort in Firefox's SVG rendering, which is a code base
| that is shared across platforms. So probably an analogous memory
| corruption exists on other platforms, because it's compiled from
| the same C++. While it's possible that it's not exploitable
| outside of Windows, there is no specific reason to assume it
| won't be.
|
| But the exploit here with the ROP chain, calling Windows APIs,
| etc., is apparently Win32-specific and doesn't have binary code
| that could run successfully on other platforms.
|
| The setup for the exploit is apparently primarily in the
| Javascript function craftDOM() which makes some SVG objects and
| modifies some of their properties, presumably in a way that
| triggers an underlying bug in Firefox's SVG support. There is
| also a Win32 object code payload in the string object thecode,
| which would not be able to run unmodified on another platform.
| Also, the ROP chain code is likely to be Windows-specific in
| several respects. Indeed, the statement
|
|   throw"Bad NT Signature";
|
| seems to be actively giving up the attack if it detects a
| non-Win32 environment.
