Cyber Crime

Firefox Zero-day exploited against Tor anonymity

Security researchers found a malicious script that takes advantage of a Firefox Zero-day to identify some users of the Tor anonymity network.

My readers know very well Tor network and the capability of the system to remain anonymous under specific conditions. We have used terms such as Deep Web, Dark web and hidden web to remark the impossibility to track users in this obscure part of the Internet, but there are some exceptions.

Tor network is a precious resource for freedom of expression, thanks to its system hacktivists, dissidents and whistleblowers could spread their voice to the international community, but it is also true that this network are abused by cyber criminals and intelligence agencies.

As I presented in one of my research the contents on drugs, child pornography and on many other illegal activities are the principal resources available in the Tor network, we are facing with a market characterized by impressive figures, and websites such as SilkRoad are just the tip of the iceberg.

FBI is exploiting a Firefox Zero-day for Firefox 17 version to track Tor users, be aware the Bureau didn’t compromise the Tor system but it exploited a flaw in the Tor browser to implant a tracking cookie which fingerprinted users through a specific external server.

Mozilla declared that it has been announced the presence of a potential security vulnerability in Firefox 17 (MFSA 2013-53) , which is currently the extended support release (ESR) version of Firefox.

“Security researcher Nils reported that specially crafted web content using the onreadystatechange event and reloading of pages could sometimes cause a crash when unmapped memory is executed. This crash is potentially exploitable.”

The Exploit code posted by Mozilla and Deobfuscated JS used by the Tor Browser exploit posted on Google Code.

The exploit is based on a Javascript that is a tiny Windows executable hidden in a variable dubbed “Magneto”. Magneto code looks up the victim’s Windows hostname and MAC address and sends the information back to the FBI Virginia server exposing the victims’s real IP address. The script sends back the data with a standard HTTP web request outside the Tor Network.

The security expert and exploit developer Vlad Tsyrklevich analyzed the JavaScript code’s payload noting that it connects to a server to send back the user’s data.

Briefly, this payload connects to and sends it an HTTP request that includes the host name (via gethostname()) and the MAC address of the local host (via calling SendARP on gethostbyname()->h_addr_list). After that it cleans up the state and appears to deliberately crash.

If Tsrklevich is right, the code could be considered as the first sample captured in the wild of the FBI’s “computer and internet protocol address verifier,” aka CIPAV, the law enforcement spyware first reported by WIRED in 2007.

“Court documents and FBI files released under the FOIA have described the CIPAV as software the FBI can deliver through a browser exploit to gathers information from the target’s machine and send it to an FBI server in Virginia. The FBI has been using the CIPAV since 2002 against hackers, online sexual predator, extortionists and others, primarily to identify suspects who are disguising their location using proxy servers or anonymity services, like Tor.” reported Wired post.

Recently in Ireland it has been arrested Eric Eoin Marques, the young man believed to be behind Freedom Hosting, the biggest service provider for sites on the encrypted Tor network  and he is accused of favoring the dissemination activities of child pornography.

Marques was being arrested on a Maryland warrant after around a year of intense investigation, he faced four charges relating to alleged child pornography offenses with a total of 30 years jail. The accusers are severe, the FBI considers the man as “the largest facilitator of child porn on the planet.”

In 2011, the collective Anonymous attacked Freedom Hosting with a denial-of-service after allegedly finding the firm hosted 95 percent of the child porn hidden services on the Tor network.

With Marques arrest many popular websites on the DeepWeb went down including services like Tor Mail, HackBB and the Hidden Wiki that are all hosted on Freedom Hosting. The concerning news is that in reality many other Tor hidden services may be compromised using a browser exploit.

The current news indicates that someone has exploited the software behind Freedom Hosting. From what is known so far, the breach was used to configure the server in a way that it injects some sort of javascript exploit in the web pages delivered to users. This exploit is used to load a malware payload to infect users’ computers. The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based. We’re investigating these bugs and will fix them if we can.” revealed Andrew Lewman, Tor Project’s Executive Director said in a blog post.

For massive distribution of the malicious script FBI has used Freedom Hosting platform injecting its HTML code within page visited by victims. The script first checks the version of the user’s browser and if it recognizes that he is using Firefox 17 then it collects the above information.

Shortly after Marques’ arrest all of the hidden service sites hosted by Freedom Hosting began displaying a “Down for Maintenance” message. Some users noted the presence of a malicious script in the source code of the maintenance page, it included a hidden iframe tag that loaded a mysterious clump of Javascript code from a Verizon Business internet address located in eastern Virginia.


Despite initially the researchers accused FBI for the design of the malicious script, it appears that the IP address found in the script belongs to the National Security Agency (NSA). This revelation has been done by Baneki Privacy Labs, a collective of Internet security researchers, and VPN provider Cryptocloud.

“Initial investigations traced the address to defense contractor SAIC, which provides a wide range of information technology and C4ISR (Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance) support to the Department of Defense. The geolocation of the IP address corresponds to an SAIC facility in Arlington, Virginia. Further analysis using a DNS record tool from Robotex found that the address was actually part of several blocks of IP addresses permanently assigned to the NSA. This immediately spooked the researchers. “One researcher contacted us and said, ‘Here’s the Robotex info. Forget that you heard it from me,'” a member of Baneki who requested he not be identified told Ars.” revealed a post published on ArsTechnica

Does Mozilla work for US government?

Another strange circumstance is that in the past the browser disabled JavaScript execution by default for security purposes, but the setting was reverted by default to make more usable, and more vulnerable, the browser.

The consequence could be dramatic for a huge quantity of hacktivist and dissidents, the exploits of Firefox Zero-day may have favored regime and the tracking of innocent user opposed to Governments censorship.

Meantime … if you are a Windows user Update your Tor Browser Bundle to new version 3.0 alpha2 released today.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Firefox Zero-day, FBI)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Vyacheslav Igorevich Penchukov was sentenced to prison for his role in Zeus and IcedID operations

Ukrainian national Vyacheslav Igorevich Penchukov was sentenced to prison for his role in Zeus and…

3 hours ago

Rite Aid disclosed data breach following RansomHub ransomware attack

The American drugstore chain Rite Aid Corporation disclosed a data breach following the cyber attack…

5 hours ago

New AT&T data breach exposed call logs of almost all customers

AT&T disclosed a new data breach that exposed phone call and text message records for…

1 day ago

Critical flaw in Exim MTA could allow to deliver malware to users’ inboxes

A critical vulnerability in Exim mail server allows attackers to deliver malicious executable attachments to…

1 day ago

Palo Alto Networks fixed a critical bug in the Expedition tool

Palo Alto Networks addressed five vulnerabilities impacting its products, including a critical authentication bypass issue. Palo…

1 day ago

Smishing Triad Is Targeting India To Steal Personal and Payment Data at Scale

Resecurity has identified a new campaign by the Smishing Triad that is targeting India to…

2 days ago

This website uses cookies.