Pierluigi Paganini November 30, 2016

A zero-day exploit in the wild has been used by threat actors to de-anonymize Tor users by executing malicious code on Windows machines.

The news is disconcerting and confirms the existence of a zero-day exploit in the wild that’s being used by threat actors to de-anonymize Tor users by executing malicious code on their machine. The zero-day exploit targets Tor users and also other netizens using the Firefox browser.

The zero-day vulnerability was first mentioned on the official Tor website, a blog post quoted a Javascript exploit that is actively exploited in the wild to unmask Tor Browser users.

“This is an Javascript exploit actively used against TorBrowser NOW. It consists of one HTML and one CSS file, both pasted below and also de-obscured. The exact functionality is unknown but it’s getting access to “VirtualAlloc” in “kernel32.dll” and goes from there. Please fix ASAP. I had to break the “thecode” line in two in order to post, remove ‘ + ‘ in the middle to restore it.” reads the post.

Roger Dingledine, the notorious Tor co-founder, confirmed the zero-day and announced that the Mozilla security team is already working to fix it.

The zero-day is a memory corruption vulnerability that could be exploited to execute malicious code on Windows Machines.

The security researcher Raylee (@TheWack0lian) explained that the payload used in the recent wave of attacks is quite similar to the one used by law enforcement in 2013 to de-anonymize the users of a child pornography site hosted on Freedom Hosting.

“It’s basically almost EXACTLY the same as the payload used in 2013,” TheWack0lian told Ars. “It exploits some vuln that executes code very similar to that used in the 2013 Tor browser exploit. Most of the code is identical, just small parts have changed.”

According to the security researcher Joshua Yabut the zero-day exploit triggers a heap overflow vulnerability that requires JavaScript to be enabled on the target machine.

The zero-day exploit code works on various versions of the Firefox browser, from 41 to 50, the code is able to target all these versions a circumstance that suggests that its authors have improved the malicious code across the time.

As usual, the public disclosure of the Javascript code could allow threat actors in the wild to use it to track Tor users.

Waiting for a patch from Mozilla, users avoid relying on Tor to protect their anonymity.

As usual, it is strongly suggested to disable JavaScript.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Mozilla Firefox Zero-day, hacking)