Tor security advisory: Old Tor Browser Bundles vulnerable

An attack that exploits a Firefox vulnerability in JavaScript has been observed in the wild. Specifically, Windows users using the Tor Browser Bundle (which includes Firefox plus privacy patches) appear to have been targeted.

This vulnerability was fixed in Firefox 17.0.7 ESR. The following versions of the Tor Browser Bundle include this fixed version:

Tor Browser Bundle users should ensure they're running a recent enough bundle version, and consider taking further security precautions.

Read the full advisory here:
https://lists.torproject.org/pipermail/tor-announce/2013-August/000089…

I am positive that this exploit is a small part of an overarching federal project. The NSA are doing the fishing in order to be able to connect the dots at a later date. It is unlikely that raids will result from this particular attack, as this exploit involves thousands of fished IPs. They are looking for a couple of hundred big fish, not thousands of small fish.

Anonymous

August 05, 2013

Permalink

With respect to this PARTICULAR attack, is there any reason to think that it did not affect Windows computers running Firefox versions BELOW 17 ?

Thank you.

All versions under 17 were in fact subjected to another piece of malicious code contained in a page called content_1.html. Apparently nobody knows what was in it, because it was never obtained. Because the code did not exit but loaded this page, one has to assume another version of this, or another exploit was indeed executed on Firefox versions below 17. Therefore all the news and security reports that specifically claim this attack targeted version 17 only, are wrong.

Anonymous

August 05, 2013

Permalink

I use Request Policy with TBB, while NoScript is run in default Global JS On mode. Would Request Policy block this attack?

Thanks

Good question, but I think maybe no, since it's being served from the domain you're visiting? Or maybe Request Policy handled iframes differently than the main page? Somebody would need to investigate.

Anonymous

August 05, 2013

Permalink

For those of us just hearing about Tor for the first time, help me understand this in non computer tech terms.....what span of time did this attack occur? And if someone used Tor Bundle on windows during this time frame but had that little S in the top left corner clicked so a circle with a line was through it, are they still at risk? Or did that turn off their script stuff? Sorry

The presumable owner of Freedom Hosting was arrested July 29th and the malicious code was first noticed on August 4th. If you have the little "S" with a red slash through it, it is blocking scripts from executing and you are highly unlikely to have been affected.

Anonymous

August 05, 2013

Permalink

When 2.3.25-10 was released, were 2.3.25-9 browser bundles displaying that an update was available on the Tor check page within a time period of one week after the -10 release? I'm not very clear on this.

Anonymous

August 05, 2013

Permalink

How can you tell if the malicious software has been installed on your computer?

Anonymous

August 05, 2013

Permalink

I have noticed quite a few write ups in the press that state that Tor's reputation is badly damaged and I regret to say I agree. While the TBB may have made it easier for people to use Tor (a good thing) it has also made Tor into one big honeypot. I don't think that prior to TBB a hack like this would have been worth the FBI's time because there were so many different set-ups that writing the exploit to catch a decent number of IPs would have been a nightmare. By standardizing entry to Tor TBB changed the payout for a hack and thus the risk/reward ratio for the hacker.

Really? I admit I'm still not a huge fan of shipping a browser, but I think the alternative is clearly worse.

The situation before TBB was that Tor users had basically no chance to secure themselves against a wide array of known attacks at the browser level.

At least in this case we learned about the issue, and put out a patch that users could upgrade to, more than a month before it was exploited.

Take a look through
https://www.torproject.org/torbutton/en/design/index.html.en
and
https://www.torproject.org/projects/torbrowser/design/
and ask yourself if more than a very few of our users could have gotten things right on their own?

If we lived in a world where there existed a mainstream browser (Firefox, Chrome, Safari, IE, something) that actually addressed these application-level privacy attacks, I think this would be a worthwhile discussion to have. But see:
https://gitweb.torproject.org/torbrowser.git/tree/maint-2.4:/src/curren…
and
https://blog.torproject.org/blog/google-chrome-incognito-mode-tor-and-f…

And currently Firefox and Chrome don't care to accept the patches. That sure would be nice to fix.

https://twitter.com/BrendanEich/status/364265592112414720

In any event, you and I agree on the fundamentals. It's simply that prior to this hack the downsides of the TBB were mostly theoretical. Now they are real. To pretend that this doesn't impact the psychology of the average (i.e., non-sophisticated) Tor user is to be in denial of reality.

While I think integrating FF and Tor would be an improvement it doesn't address the underlying problem: to wit, that a TBB enables unsophisticated users to get in over their heads. While one can argue that's their problem, when I weigh the alternatives I do not see any of them as "clearly" superior. I see them as all equally bad.

Anonymous

August 05, 2013

Permalink

I'm afraid you are wrong about 17.0.7 being "safe" from the NSA attack. I am, and have been, running it for some time now.

A few days ago I was prompted for both a JAVA and a Flash update ... which I allowed. (Probably Unrelated, Huh).

Coincidentally, I realized later that day, that 94% of all of the Onion Hidden Service Sites had simply disappeared ... Took an entire day but I checked EVERY single one.

Whatever it was has also Killed my Relay setup entirely ... I've had to uninstall IT and even Reinstall my "client-only" 17.0.7 just to get the god-damned thing to stop crashing.

Perhaps worse than that, every time I attempt to access certain of the now defunct .onion addresses, INCLUDING TOR MAIL ...TOR goes semi-transparent, turns white and CRASHES, with a burst of activity on the bandwidth graph and a warning that TOR is not responding and is no longer connected ... WTF ?!?!?! ... So now I suppose I have to wonder if the NSA Vaporware is STILL on my computer ???

NOT TO PUT TOO FINE A POINT ON THE THING .... BUT: Are you folks Idiots or just Morons ?

The GDMF#*&^%$*^$% NSA hasn't just attacked a few perverts, drug and porn sites ... They have launched a totally successful and MASSIVE STRIKE against our entire command, control and communications infrastructure. In case you haven't noticed, That's called WAR.

The Most Serious Disappearance is that of TORMAIL's hidden service at http://jhiwjjlqpyawmpjx.onion/ and it seems that

TOR MAIL IS GONE ... leaving about a squillion people with impending losses of BILLIONS of bucks, NO secure communications And wondering if "just maybe" they're suddenly on the fast track to a Fema Camp ... WHY, in the living hell isn't anyone talking about THAT !!! ??? ... and why in the living hell haven't YOU or someone ELSE put a backup TORMAIL SERVER in place ... and why isn't it UP RIGHT NOW ???

I really need you guys to STFU, quit with the polite "conversation" and DO SOMETHING ABOUT IT.

TemplarKnight@tormail.org ... Oh, that's right ... I don't exist anymore.

A) "94% of all of the Onion Hidden Service Sites had simply disappeared" -- where is your statistic from? I guess you have some list that you think is the entirety of the Tor hidden service list, and not many of those are reachable for you? But at the same time, it sounds like your computer is broken in all sorts of ways? Sounds like you might want a reinstall, and maybe with a safer operating system.

B) "why [...] haven't YOU [...] put a backup TORMAIL SERVER in place" -- I am sorry to inform you that Tormail has nothing to do with Tor. They just took our name to try to trick people into thinking they were legitimate. And then they did a good enough job at never being reachable when we tried to contact them about it. We were exploring the process of asking ICANN to cancel their domain name, but 1) that's not very nice, and 2) it's not clear to me that it would really have done much anyway.

A) Computer is just fine, and I did a reinstall of TOR and HTTPS Everywhere, and the problem went away.

YES, I went through SIX lists and I do realize that they did not encompass the entirety of the Onion HS sites, but I have been doing this for several months on a weekly basis and my estimate is fairly accurate.

B) YES, I know that TOR has nothing to do with TorMail ...However:

The fact of the matter is that TOR Mail did work well enough that it became the accepted standard for secure email communications in the world.

With the known death of Freedom Hosting and the catastrophic (and permanent) demise of Tor Mail, it is incumbent upon some TRUSTWORTHY organization to reincarnate Tor Mail as quickly as possible and there is no reason that TOR couldn't run its own hidden service in this regard.

That Trustworthy organization ... MUST BE TOR ITSELF.

There is NO OTHER anonymous email service in existence that can take its place and there is NO service provider OTHER THAN TOR that will be TRUSTED to carry on the name, particularly since, should TORMAIL suddenly reappear on the Onion network, it will be assumed (correctly) to be controlled by the NSA and FBI.

TOR will never be compromised by the Intelligence Mega-plex, simply because they use it themselves ... a fact recently illustrated by the effective destruction of much of the Dot-Onion network NOT associated with TOR itself.

You can accomplish this in less than Two Weeks ... Kindly Consider Doing So.

That is correct. Tor has not and will not be compromised as long as big corporations, businesses and government agencies use it. I feel safe enough using Tor Browser Bundle by itself with scripts disabled.

Anonymous

August 05, 2013

Permalink

The update warning was the blinking yellow triangle?

I can't check now the version I used because I am on vacation. But I think I didn't have any update warnings (no yellow triangle). I think I downloaded Tor within the dates in the advisory, but I'm not sure.

Thank you.

The blinking yellow triangle is a new feature, in more recent TBBs.

The main update warning is the homepage of TBB saying in big letters "There is a security update available for the Tor Browser Bundle. Click here to go to the download page"

Anonymous

August 05, 2013

Permalink

I'm running 17.0.7, and have NoScript set to block all scripts, but did get a crash in Tor when visiting a possibly infected site on August 3rd. Is there any way that the exploit could still have run, as the advisory states that "the attack appears to collect the hostname and MAC address of the victim computer, send that to a remote webserver over a non-Tor connection, and then crash or exit."

The exploit does attempt to run on 17.0.7 (it checks for any version above 17.0 and less than 18.0). Its effects on 17.0.7, which supposedly fixed the vulnerability it uses, are unknown until somebody can step through the source while it's running the exploit and see what it does exactly.

I need to report that five customers and counting have similar issues with tor-browser:
1. They had tor-browser crashes and Windows reboots reported in early July. Why assume it is unrelated to the attacks in late July? All of these systems had up-to-date browsers with the most secure settings (scripts etc.), at least 17.0.7.

2. All show, after the Windows OS rebooted, MS was eager to send you a possible fix. If you report the error (checked MS's server) it records your IP address along with a serial number. Is MS involved in this matter? Why not? Remember, the FEDS have full access, and they are the good guys.

3. Some/All show there were automatic SSL certificate updates prior to the browser crash? All via MS.

4. It is a fact that the FEDS have been logging the tor-browser downloads via MS IE. They know who might be using the tor browser, based on the Metadata gathered, and the OS used as well.

5. Some/All of my customers had unexplained AV services stopped errors prior to the event. None of them had this problem prior to using the tor-browser (back one year or more). All used the browser for the first time very recently, because of the Snowden leaks. They didn’t know what TOR was before that.

This might be a pattern.

Anonymous

August 06, 2013

Permalink
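Two posts above describe the landing page's version gate: Firefox 17.x on Windows gets the shellcode stage, and versions below 17 are sent to the never-recovered content_1.html instead. The following is an added illustration of that gating logic as the commenters describe it; it is not the page's own code and not the exploit's code. The stage names are hypothetical labels. One point the example makes concrete: the Tor Browser Bundles of that generation reported the same user agent, "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0", on every platform and every 17.0.x patch level, so a user-agent gate cannot tell a patched 17.0.7 from a vulnerable 17.0.6, which is why the exploit is attempted against 17.0.7 as well.

```python
"""Model of a browser-version gate of the kind described in the thread.

Added example (not from the Tor Project or the original page).  Stage names
are hypothetical labels for the behaviour the commenters report.
"""
import re
from typing import Optional, Tuple

EXPLOIT_PATH = "exploit"          # Firefox 17.x on Windows: shellcode stage (assumed label)
FALLBACK_PAGE = "content_1.html"  # other Firefox versions: the unrecovered second page
NO_ACTION = "none"                # not Firefox, not Windows, or out of the targeted range

# Gecko user agents carry the engine version as "rv:MAJOR.MINOR[.PATCH]".
UA_GECKO_RE = re.compile(r"\brv:(\d+)\.(\d+)(?:\.(\d+))?\b.*\bFirefox/")


def firefox_version(user_agent: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a Gecko/Firefox user agent, else None."""
    m = UA_GECKO_RE.search(user_agent)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


def is_windows(user_agent: str) -> bool:
    """Coarse OS check; TBB spoofed 'Windows NT 6.1' on all platforms."""
    return "Windows" in user_agent


def select_stage(user_agent: str) -> str:
    """Gate as described: 17.x on Windows -> exploit, <17 -> fallback page."""
    ver = firefox_version(user_agent)
    if ver is None or not is_windows(user_agent):
        return NO_ACTION
    major = ver[0]
    if major == 17:            # "above 17.0 and less than 18.0" per the thread
        return EXPLOIT_PATH
    if major < 17:
        return FALLBACK_PAGE
    return NO_ACTION


if __name__ == "__main__":
    # Constructed sample user agents; the first is the string every TBB 2.3.25-x sent.
    samples = [
        "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0",
        "Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0",
        "Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0",
        "Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0",
    ]
    for ua in samples:
        print(f"{select_stage(ua):15} <- {ua}")
```

The patch level never appears in the string, so the only thing that prevents the payload from working on 17.0.7 is the fix in the browser itself, not the gate.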

Dear FBI, I hijacked your exploit and started loading CP sites through Tor. Each time I had the exploit code delivered, but firewall rules and other mitigation techniques prevented it from phoning home. Simultaneously with this I injected your exploit into users' traffic through their clearnet exit nodes, framing them for viewing the CP. I did this a great many times, always taking care to clear cookies and use a new circuit to your compromised hidden services. I started doing this almost as soon as I recognized what was going on, and have added what I imagine must be significant noise to your database of suspected pedophiles.

Sneaky. If you didn't want to beat the "but exit relays can be bad" horse, you could instead (in this hypothetical world we're talking about) have bought some google adwords that included an image link to the .onion address -- non-Tor users would fail to load it (and not notice), whereas Tor users would autoload it (and also not notice).

Sure, and the manipulative mind games continue. It is typical behavior for suspects to try and say they were trying to catch a predator, a very common ploy to try to push the blame from themselves, because the individual built his own little world inside his head and therefore blatantly disregards the actual reality of his or her own actions in an attempt to cover his or her own actions.

Fact, many FBI or alike agents that work with cp all day end up with problems, and many of them end up getting caught with possession of cp!

Anonymous

August 06, 2013

Permalink

I would just like to clarify that I run multiple exit nodes, they are not part of a family and I will not name them. My exit nodes carry traffic for a great many Tor users every day, and I have randomly exposed them to your exploit during the duration of your operation. I am not going to reveal the exact way in which I did this, but suffice to say I have seriously contaminated your database of harvested IP addresses. That said I would also like to warn all users of Tor that you are very possibly in the database of the FBI even if you never loaded a child porn hidden service. I did this in order to confound their operation and provide plausible deniability to all targeted Tor users. I apologize in advance if the FBI kicks your doors down, but perhaps after they realize a great many of their targets are in fact not involved with CP, they will realize that their operation was a failure.

Anonymous

August 06, 2013

Permalink

If someone was always using the then most current version of TBB, would they have been at risk on any day?

Not from this exploit as we understand it to have been deployed.

But it's unclear who learned about this exploit first -- certainly back in June when Mozilla were looking at how to fix it, the vulnerability existed. (Mozilla's bug report is sekrit so we don't know the history of the report and fix.)

So, "no but yes".

my understanding of the exploit is that the TBB would crash after the exploit code ran. If a user was attempting to connect to an exploited site, the browser would crash, preventing them from 'perusing' the site.

Is my understanding correct?

Anonymous

August 06, 2013

Permalink

Hi.

I used the latest (ie "fixed") Tor bundle. JS was disabled in the FF options.

But I once got this notification in the bottom bar from HTTPS Everywhere:

In order to implement a crucial fix, this update resets your HTTPS Everywhere

Is this related to the attack ? Was my IP compromised ?

Thanks for your help.

Anonymous

August 06, 2013

Permalink

As a user of Tormail, is there any way to find out if my real IP information has leaked out? Freedom of information request to the FBI? The real problem with this is that if your IP/machine name has been captured the FBI can know, with a simple request to the ISP, who we are: name, address, bank account and any other info that they have.
We have been royally shafted.

Anonymous

August 06, 2013

Permalink

I've installed package 'tor-0.2.3.25-1702.fc17' under Fedora 17...

It's not mentioned in the above list, but 1702 seems higher than 10, right?

I'd check with your distribution (that's no rpm we've ever made).

And while 1702 does sound higher than 10, it also sounds lower than 1707. I'd be worried.

Anonymous

August 06, 2013

Permalink

A few questions for arma, if they'd be so kind as to answer
- I think I downloaded my TOR mid-late June/Early July, am I vulnerable?
-I only ever went to websites and clicked on pictures, can I still have had my IP traced?

Anonymous

August 06, 2013

Permalink

Unfortunately I have missed the update and used 17.0.6. But I have the script blocker activated and usually no script is carried out. Is there a risk that this attack can overcome this mechanism? I remember (maybe I'm wrong) that at some point I saw the n_serv cookie in the cookie menu in the Tor browser. But I think cookies can be received without having script enabled.

If you really saw the n_serv cookie, that's it. Game over.
Because:
v17.0.6->JS enabled->store n_serv cookie->shellcode execution->Your hostname/IP/MAC data goes to LEA
v17.0.6->JS disabled->NO n_serv cookie->NO shellcode execution->NO data travels to LEA

Wouldn't the cookie expire after 30 mins like the code suggests? So even if you didn't see it, you could have had it at some point, right? Reloading pages would refresh it in theory, but it could still be overlooked.
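The last few posts treat the n_serv cookie as the one visible trace a user can look for (it also answers the earlier question "How can you tell if the malicious software has been installed on your computer?"), with the caveat that the cookie is said to expire after 30 minutes. The following is an added example, not the page's or the Tor Project's code, that checks a Firefox profile's cookies.sqlite for a cookie of that name and reports whether it would still be live. It assumes the cookie name reported in the thread is exact, builds a constructed in-memory database with a subset of the Firefox 17 moz_cookies columns, and uses "example.onion" as a placeholder host. It generalizes slightly by taking any cookie name and any clock value, so the 30-minute window can be reasoned about explicitly.

```python
"""Look for a named cookie in a Firefox cookies.sqlite and report its liveness.

Added example (not from the Tor Project or the original page).  The cookie
name n_serv and the 30-minute lifetime are taken from the thread above; the
sample database below is constructed, not captured from a real profile.
"""
import sqlite3
import time
from typing import Dict, List, Optional, Tuple

COOKIE_NAME = "n_serv"       # as reported by commenters; assumed exact
COOKIE_LIFETIME_S = 30 * 60  # "expire after 30 mins" per the thread

# Firefox stores expiry as seconds since the epoch and creationTime in microseconds.
Row = Tuple[str, str, int, int]  # (host, value, creationTime_us, expiry_s)


def open_profile_db(path: str) -> sqlite3.Connection:
    """Open a real profile's cookies.sqlite read-only (copy it first if Firefox is running)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def open_sample_db(now_s: int) -> sqlite3.Connection:
    """Constructed sample: one ordinary cookie and one n_serv cookie set at `now_s`."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, baseDomain TEXT, name TEXT, "
        "value TEXT, host TEXT, path TEXT, expiry INTEGER, lastAccessed INTEGER, "
        "creationTime INTEGER, isSecure INTEGER, isHttpOnly INTEGER)"
    )
    us = now_s * 1_000_000
    conn.executemany(
        "INSERT INTO moz_cookies (baseDomain, name, value, host, path, expiry, "
        "lastAccessed, creationTime, isSecure, isHttpOnly) VALUES (?,?,?,?,?,?,?,?,?,?)",
        [
            ("example.onion", "PHPSESSID", "placeholder", "example.onion", "/",
             now_s + 86_400, us, us, 0, 0),
            ("example.onion", COOKIE_NAME, "1", "example.onion", "/",
             now_s + COOKIE_LIFETIME_S, us, us, 0, 0),
        ],
    )
    conn.commit()
    return conn


def find_cookie(conn: sqlite3.Connection, name: str = COOKIE_NAME) -> List[Row]:
    """All rows whose cookie name matches exactly (host, value, creationTime, expiry)."""
    return conn.execute(
        "SELECT host, value, creationTime, expiry FROM moz_cookies WHERE name = ?",
        (name,),
    ).fetchall()


def scan(conn: sqlite3.Connection, name: str = COOKIE_NAME,
         now_s: Optional[float] = None) -> Dict[str, object]:
    """Report presence and liveness; an expired row is still evidence the script ran."""
    now = time.time() if now_s is None else now_s
    rows = find_cookie(conn, name)
    return {
        "found": bool(rows),
        "live": any(expiry > now for _, _, _, expiry in rows),
        "hosts": sorted({host for host, _, _, _ in rows}),
        "set_at": [created_us // 1_000_000 for _, _, created_us, _ in rows],
    }


if __name__ == "__main__":
    t0 = 1_375_700_000  # 2013-08-05, constructed clock value
    db = open_sample_db(t0)
    print("right after the visit:", scan(db, now_s=t0))
    print("31 minutes later:     ", scan(db, now_s=t0 + 31 * 60))
```

A present row, live or expired, means the page's cookie-setting code ran in that profile; an absent row proves nothing, because the cookie is short-lived and the browser may have cleared its cookie store since. Run the scan against a copy of the profile's cookies.sqlite rather than the live file.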