Tor security advisory: Old Tor Browser Bundles vulnerable
An attack that exploits a Firefox vulnerability in JavaScript has been observed in the wild. Specifically, Windows users using the Tor Browser Bundle (which includes Firefox plus privacy patches) appear to have been targeted.
This vulnerability was fixed in Firefox 17.0.7 ESR. The following versions of the Tor Browser Bundle include this fixed version:
- 2.3.25-10 (released June 26 2013)
- 2.4.15-alpha-1 (released June 26 2013)
- 2.4.15-beta-1 (released July 8 2013)
- 3.0alpha2 (released June 30 2013)
Tor Browser Bundle users should ensure they're running a recent enough bundle version, and consider taking further security precautions.
Read the full advisory here:
https://lists.torproject.org/pipermail/tor-announce/2013-August/000089…
Out of curiosity, are there plans for a completely sandboxed bundle using an encrypted virtual machine without direct network access? Basically, only TOR itself runs on the host, and everything in the VM is firewalled (by the host) to only be able to communicate with TOR. There are a number of open-source VMs, and you could run a very minimalist distribution of Linux inside the VM to cut down on image size.
The only multi-platform code to maintain would be the TOR binary (already ported), the VM, and whatever network rules are used to refuse the VM external access.
The path to exploit that would be:
- Browser exploit granting unprivileged user access
- Permission escalation allowing for root access
- OS exploit granting the ability to run arbitrary ring-0 code
- a VM exploit granting you unprivileged access to the host OS
- another permission escalation on the host OS to remove the firewall rules.
Given that the vast majority use Windows, and the guest OS would probably be Linux, you'd need a perfect storm of vulnerabilities in two operating systems, a browser and a virtual machine, all unpatched.
Being a single browser hole away from complete de-anonymization is a completely untenable situation.
Yes.
If you want to get the extra credit, you could run two VMs, and put the Tor client plus some good iptables rules in the second one.
See the references to Whonix and WiNoN at the end of the advisory.
I'm actually kinda pissed that taking down **ONE** single hosting company could inflict this much damage on the .onion sites.
Why don't we all just host on unpatched windoze servers while we're at it?
Don't worry, people will adapt and something even more secure will surface. As long as the demand is there people will come up with something.
Arma, whoever you are, thanks for being there and for bringing a little sanity to this issue. Your efforts are appreciated.
Hi Arma,
Thanks for your replies.
So, confirming from the advisory: users on OSX or Linux running the latest version of TBB, but who had JS on, were not affected?
I assume that regardless of the exploit working or not, a person would still see the 'Outage' message on the page?
Also, if an OSX or Linux user was running an older version of TBB, but had JS turned on they would still not be affected due to this being Windows based?
Re OSX or Linux: yes
Re Outage: they'd see whatever content was served by the hidden service website.
I did investigate the cookie mechanisms, because I remember seeing a cookie N-serv once without having any JS functionality enabled. This is possible, as cookies can be generated via HTTP alone. (I remember some long time ago TOR BB did not allow any cookies, and when I accessed Google I had to fill out a captcha.)
I can imagine that this cookie, even with that name, was generated maybe to track my browser history. But without JS enabled there is no known mechanism (yet) by which the real IP can be sent out. So I'm safe for now.
What would make it less vulnerable (I think) is if Tor-Firefox could be patched to only be able to send out requests through TOR. If I understand it correctly, in this case the exploit sent out info through the clearnet.
I agree with others that your IP in an FBI database is not enough to justify a raid, so the question is: can the ISP monitor the traffic between TOR and the 1st node, or is it encrypted to block further data analysis?
Definitely a wake-up call to think more about where we browse and whether it's worth the risk. But I think TOR is doing a good job, and I want to thank all who are involved in this project!
Strange to hear that in GB the police can force you to reveal the PW of a container. How do they detect that a certain file is a container (I use TC)? If so, are there tools to further 'process' a container file so it does not get recognized (TC->PSR, PSR->TC)?
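The host-enforced isolation proposed in the VM comment earlier (the guest can talk to nothing but Tor) and the "browser can only send requests through TOR" idea in the comment just above can both be written as ordinary packet-filter rules. The script below is an added example written for this page; it is not code from the advisory or from the Tor Project. It assumes a Linux host with iptables, Tor running as its own user (assumed `debian-tor`), the browser running as a separate unprivileged user (assumed `tbb`), and a host-only VM interface (assumed `vboxnet0`) on whose address Tor's SocksPort and DNSPort also listen; all of those names and ports are assumptions. The functions print the rules instead of applying them, so they can be reviewed first.

```shell
# Added example (not from the advisory or the Tor Project): host-side
# packet-filter rules so that only the Tor daemon can reach the network.
# Every user name, interface and port below is an assumption for illustration.

TOR_USER="${TOR_USER:-debian-tor}"   # user the Tor daemon runs as
BROWSER_USER="${BROWSER_USER:-tbb}"  # separate unprivileged user for the browser
VM_IF="${VM_IF:-vboxnet0}"           # host-only interface the sandbox VM is attached to
SOCKS_PORT="${SOCKS_PORT:-9050}"     # Tor SocksPort (must also listen on the VM_IF address)
DNS_PORT="${DNS_PORT:-5353}"         # Tor DNSPort, for name lookups from the guest

# Variant 1: browser on the host under its own user. It may only connect to
# Tor's SOCKS port on loopback; any other connection it opens (for example a
# payload phoning home over the clear net) is logged and refused. The Tor
# user is exempt because it is the only process that should see the network.
browser_rules() {
    cat <<EOF
iptables -A OUTPUT -m owner --uid-owner $TOR_USER -j ACCEPT
iptables -A OUTPUT -o lo -p tcp --dport $SOCKS_PORT -m owner --uid-owner $BROWSER_USER -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $BROWSER_USER -j LOG --log-prefix "tbb-leak: "
iptables -A OUTPUT -m owner --uid-owner $BROWSER_USER -j REJECT
EOF
}

# Variant 2: browser inside a VM on a host-only network. The guest can reach
# only Tor's SOCKS and DNS ports on the host; nothing to or from that
# interface is forwarded, so the guest has no route to the real network.
vm_rules() {
    cat <<EOF
iptables -A INPUT -i $VM_IF -p tcp --dport $SOCKS_PORT -j ACCEPT
iptables -A INPUT -i $VM_IF -p udp --dport $DNS_PORT -j ACCEPT
iptables -A INPUT -i $VM_IF -j DROP
iptables -A FORWARD -i $VM_IF -j DROP
iptables -A FORWARD -o $VM_IF -j DROP
EOF
}

# Sanity check used before applying: a rule set must end in a deny, otherwise
# anything not explicitly matched falls through to the chain's default policy.
ends_closed() {
    "$1" | tail -n 1 | grep -Eq -- '-j (DROP|REJECT)$'
}

# Apply both rule sets (needs root). Review browser_rules and vm_rules first.
apply_rules() {
    ends_closed browser_rules && ends_closed vm_rules || return 1
    { browser_rules; vm_rules; } | sh -e
}
```

The owner match in variant 1 only constrains processes that still run as the browser user: a payload that escalates to root (steps 2 and 3 in the exploit chain listed in the VM comment) can simply delete the rules, which is why the VM variant adds a second boundary that the guest cannot reach from inside. Neither variant helps the Windows users the advisory says were targeted; Whonix, mentioned at the end of the advisory, is the packaged form of variant 2.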
Hi, brand new question here.
If I had a paid VPN running, and then ran TBB on top of that (latest patched version with 17.0.7) BUT NoScript SET TO "ALLOW ALL GLOBALLY", have I been compromised??
Will the exploit bypass my VPN in addition to TBB???
Also, is TOR safe from IGMP and ICMP exploits?
No one has an answer for that.
Does that mean TOR is vulnerable to ICMP and IGMP attacks?
Re the VPN, the connection made by the exploit would likely go over the VPN. So you would be sending your hostname and MAC address via the VPN. Whether that counts as "safer" depends on your VPN provider, but it's probably an improvement. See above comments about VPNs too.
Re the IGMP and ICMP attacks, can you provide details? I'm guessing the answer is either "what the heck, those aren't attacks" or "why did you think Tor defends against an attack on that level?"
OH SHIT!
I do have the latest version of TOR and Firefox, but had NoScript set to Allow ALL globally.
But I still remember my RAM peaking to its FULL capacity and the browser wanting to shut down some days back!!!
Since this exploit works by overflowing the browser's RAM, does that mean I'm fucked even if I had the latest version of TOR and FF????
The latest version of TOR and Firefox is unaffected by this specific JavaScript.
The JavaScript does not fill all the RAM; it just goes over an array (limited RAM size) bound.
The JavaScript also makes the browser crash and exit, after executing the payload.
I wouldn't have thought so. In the advisory:
"This vulnerability was fixed in Firefox 17.0.7 ESR. The following versions of the Tor Browser Bundle include this fixed version:
2.3.25-10 (released June 26 2013)
2.4.15-alpha-1 (released June 26 2013)
2.4.15-beta-1 (released July 8 2013)
3.0alpha2 (released June 30 2013)"
If you have Firefox 17.0.7 ESR then the exploit won't have worked. Period.
Sooo, how can we tell which dark sites are hosted with Freedom Hosting before we click on them?
Say if they come back online under the FBI's control, and who knows what sort of code injected into them for track and trace.
Now can we get an update for the Windows Obfsproxy TBB? Please, pretty please?
Keep an eye on
https://trac.torproject.org/projects/tor/ticket/9391
Real Soon Now I hope.
A question, please. I downloaded TBB version 2.3.25-10 some time in mid-July, but I just checked and it apparently shipped with 17.0.6 ESR, not 17.0.7... yet this article seems to suggest all 2.3.25-10 versions included the 17.0.7 ESR fix, which in my case obviously isn't true. Please correct me if I missed something.
And is the 17.0.6 ESR vulnerable to this exploit? Clarification would be appreciated.
2.3.25-10 included Firefox 17.0.7 ESR.
What did you "just check"? It sounds like you are confused about which TBB version you have.
(17.0.6 ESR is vulnerable.)
Thanks for the reply, Arma. To clarify, the TBB 7zip file name I downloaded (mid-July) was 2.3.25-10_en-US. When I ran that browser and clicked Help>About TorBrowser, it said Firefox ESR 17.0.06. I'm quite certain of that. So my conclusion is that not all TBB 2.3.25-10 versions included 17.0.07 ESR, as this article seems to suggest.
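The back-and-forth above turns on which Firefox ESR a given bundle actually contains, and a plain string comparison of version numbers gets this wrong as soon as the last component reaches 10 (17.0.10 sorts "below" 17.0.7). The snippet below is an added example written for this page, not part of the advisory or of the Tor Browser Bundle. It reads the bundled Firefox version from `application.ini` (the `App/Firefox/application.ini` location inside an unpacked 2.x bundle and the exact `Version=` line are assumptions) and compares it field by field against the 17.0.7 fix version the advisory names. Only digit-only versions such as 17.0.7, with or without an `esr` suffix, are handled.

```shell
# Added example (not from the advisory or the Tor Browser Bundle): check
# whether an unpacked bundle's Firefox is at least the fixed 17.0.7 ESR.
# The application.ini path and format are assumptions; the fix version is
# the one stated in the advisory.

FIXED_VERSION="17.0.7"

# Print the Version= value from a Firefox application.ini, minus any "esr" suffix.
firefox_version_from_ini() {
    sed -n 's/^Version=//p' "$1" | head -n 1 | sed 's/esr$//'
}

# Return 0 when version $1 is >= version $2, comparing each dot-separated
# field as a number, so 17.0.10 ranks above 17.0.7 (a string comparison
# would not). Missing fields count as 0; fields must be digits only.
version_ge() {
    local a="${1%esr}" b="${2%esr}" IFS=.
    set -- $a
    local a1="${1:-0}" a2="${2:-0}" a3="${3:-0}"
    set -- $b
    local b1="${1:-0}" b2="${2:-0}" b3="${3:-0}"
    [ "$a1" -ne "$b1" ] && { [ "$a1" -gt "$b1" ]; return; }
    [ "$a2" -ne "$b2" ] && { [ "$a2" -gt "$b2" ]; return; }
    [ "$a3" -ge "$b3" ]
}

# Check an unpacked bundle directory. Exit status: 0 fixed, 1 vulnerable,
# 2 version could not be determined (treat that as vulnerable).
tbb_is_fixed() {
    local ini="$1/App/Firefox/application.ini"   # TBB 2.x layout, assumed
    [ -r "$ini" ] || { echo "no application.ini under $1" >&2; return 2; }
    local v
    v=$(firefox_version_from_ini "$ini")
    [ -n "$v" ] || { echo "no Version= line in $ini" >&2; return 2; }
    if version_ge "$v" "$FIXED_VERSION"; then
        echo "Firefox ESR $v: includes the 17.0.7 fix"
    else
        echo "Firefox ESR $v: VULNERABLE, download a current bundle"
        return 1
    fi
}
```

Usage is `tbb_is_fixed /path/to/tor-browser_en-US`. The value it reports is the same one the browser shows under Help > About, which is the number to quote in a thread like this one rather than the bundle's own 2.3.25-x label, since the two are easy to mix up.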
Tails? Was that infected?
No. (Read the advisory!)
so, Devs.... still think making users turn off JS every time is a good idea???
We've all been yelling about why JS was enabled by default, and I've never seen a half-way decent answer from you guys on that one. I make it through 98% of my computing w/ JS off; why is it worth it to have it left on by default?
Honestly, I'm asking for real now that we've seen a successful JS-based attack on TOR.
Do the math, man. The devs are themselves compromised.
The real answer needs to be getting people off the "run an application in Windows and think it can possibly be secure" model.
Whether that's Tails in a VM, or getting them to boot Tails directly, or some other VM-based approach like WiNoN or Whonix... we need more help from the whole community here to get these things both usable and well-analyzed. Don't just sit back and wait for us to do it.
For a bunch of people who surf onion sites, there seem to be an awful lot of paranoid people here. Methinks perhaps your Tormail and surfing activities might be a little questionable, huh? Particularly if you used Freedom Hosting, which was basically a disguise for CP.
"For a bunch of people who surf onion sites, there seem to be an awful lot of paranoid people here."
It takes onions to surf .onions...
Hello everybody!
Well, there is a lot of fear flowing through every single post around this issue since it came to light. This is causing double-posting, asking the same questions again and again ... and overall self-answers in some cases, trying to calm oneself and others feeling despair.
First, let's calm our minds ... if we do not, we are losing it, and the more fear, the more mistakes we will commit and the less time to do whatever we can to get back on our feet.
Second, let's stick to the source ... a LOT of speculation, from it being a hack attack to it being a worldwide raid to stop Tor, that the exploit installed a cookie, or that a crash is unmistakable proof one was compromised ... PLEASE ... Tor developers are our best source of information ... so I propose sticking to the info they are leaking ...
If it is said that using the latest bundle keeps us safe regardless of the JavaScript configuration in Firefox or in NoScript ... LET'S STICK TO THAT! ... unless we have proof otherwise ... We need to avoid the path to paranoia and, along the way, getting others paranoid ... we have to think with a COLD heart and an even COLDER mind ...
Third, people here are very worried since some of them were sneaking into illegal sites that they are unmistakably going to jail because of that ... WELL ... always remember the SURPRISE FACTOR is key to a successful legal raid ... here ... they don't have it anymore ... deducing, and maybe I am not good at it but I will give it a shot, this exploit was intended only to shut down TOR ... why ... well ...
Fourth, I CANNOT BUT FIND A PATTERN IN THE U.S. EVACUATION OF EMBASSIES IN THE MIDDLE EAST BECAUSE THEY FOUND INFORMATION OF AN IMMINENT ATTACK ... that ... was days after FH was shut down ... lemme speculate ... they found that information flowing somewhere in the FH sites, etc. ... I cannot but see a pattern there ...
Fifth, yes ... if users are using TOR to cover illegal activities, satisfying illegal appetites ... yeah ... a government would be interested in detaining some of you ... but ... I think all this was counter-intelligence by the NSA to stop some terrorist organizations that communicate through Tor ... they are a hell of a lot more interested in THEM ... than in you ... unless you are dealing with tons of illegal substances and illegal material ... and I mean ... otherwise I don't think this will go further unless some of you are a big fish on the same scale as a terrorist organization ... or even a terrorist.
Sixth, ... Tor has absorbed the biggest hit in its history ... but after the Snowden revelations people have realized the need to do whatever it takes to fight for our right to privacy ... I have been using Tor for less than a month, and what brought me here is that I felt sick of the Snowden revelations about how the espionage has no limits ... when for somebody EVERYBODY else is a potential threat ... that is where the decomposition starts ... where Republics become Empires ... and where the resistance starts ... let's not forget that ... so ... I urge people that now more than ever Tor requires that we run RELAYS and not only clients ... Tor is under attack and it depends on us whether this project survives ... if the fear strategy works and nobody keeps supporting running relays, ... they will succeed in getting rid of one of the last places one can truly be private ... and they would have won ... let's keep running the relays, and for the ones that are not running them, it is a good moment to start.
Hope nobody got upset with this post ... just trying to bring my 2 cents here.
Take care.
Clarification required, please - It says on this site that TBB 2.3.25-10 (released June 26 2013) uses FF 17.0.7 ESR. I downloaded 2.3.25-8 on 23 June, but when I check, it uses FF ESR 17.0.7.
Is my TBB vulnerable?
https://gitweb.torproject.org/torbrowser.git/blob/HEAD:/changelog.windo…
seems to think that TBB 2.3.25-8 shipped with Firefox 17.0.6 ESR.
I think you're confused about what you downloaded.
The advisory recommends ("you might like") the Request Policy add-in to improve security. The advice that appears on the download page, however, discourages us from installing add-ins to the Tor browser. These recommendations conflict; what's the resolution?
Up for debate!
Join IRC, the mailing lists, and trac, and help us get the right balance.
I am running Firefox ESR 10.0.9. When I go to Help | About | and press the "Update" button, the message that returns says that I have the current version. Yet this advisory refers to a later version of the browser as the current one. What am I missing?
I don't think you can update the Tor browser bundle using the update button in the help window. You have to download the Tor browser bundle from https://www.torproject.org, delete the folder with the old version of the Tor browser bundle and uncompress the new version.
Correct.
Would enabling the NX bit for ALL the software in Windows have prevented this exploit from running?
If so, wouldn't it be a good idea to warn the user about it when starting Tor and the Tor Browser? A message like "Your system seems to support the NX bit but it is currently enabled only for Windows services; you should enable it for all programs in order to avoid running exploits which could deanonymize you".
I remind everyone that to enable the NX bit on their Windows machines they can follow this tutorial: http://www.itechtalk.com/thread3591.html (usually you don't need to add anything to the exclusion list).
Renton Thurston
P.S.: Changing this setting requires you to reboot.
At what date was the malicious code placed onto the Freedom Hosting sites? How long had it been there before it was detected?
As far as I know from what I have been reading, it could be no less than 1 week but likely closer to 2 weeks before Aug 4th.
sorry, where is that timeframe coming from?
Quick question - isn't leaving Firefox behind and adopting Iceweasel, like TAILS, a better idea for TBB?
What makes you think that Iceweasel is more secure?
Iceweasel is Firefox with a different logo and name.
"Iceweasel is Firefox with a different logo and name. "
That's what I (and I would daresay /most/ people) always thought.
But then, some time back, one of the Tails devs made a post in the (no longer active) Tails forum stating that there were at least /some/ actual substantive differences between Iceweasel and Firefox. (Namely, certain "patches" in Iceweasel, IIRC)
As for the difference, if any, between Iceweasel and Gnu IceCat, I'm still at a complete loss.
Could someone explain exactly what the exploit did? Did it just take over the browser and de-identify the user, or did it compromise the machine completely? Also, I'm assuming that standard non-.onion sites were not used as an attack vector (or am I wrong?).
The attack exploited a bug in Firefox's onreadystatechange handler, which allowed arbitrary code execution. In principle, if you were running Firefox older than 17.0.7 ESR, anyone could use this exploit to do anything they like as the user your browser was running under, regardless of what OS you use. In practice, in this specific case it seems that only Windows users were affected. The code that they chose to run was a program which grabbed the name of your computer and the MAC address of its network adapter, and sent these over a non-Tor connection to an as yet unknown server somewhere in the USA. It doesn't look like it did anything more than this.
Since at the same time the exploit installed a tracking cookie, anyone who was vulnerable to the exploit and who browsed Freedom Hosting sites while they were up should assume that whoever the attacker is has your IP address, the hostname of your computer, its MAC address, and a list of the pages you visited, and when.
It's unlikely that non-onion sites were targeted with this specific attack payload. However, you should be aware that the exploit code is now public, and in principle anyone could install it on their website and try to use it to unmask Tor users. Also, it's possible for malicious exit nodes to inject the exploit, including the malicious payload, into responses from non-encrypted HTTP connections, thus exposing you to the attack without you knowing.
Advice: upgrade your browser, don't use Windows, and realize that this isn't the first or the last time that Firefox will fall victim to a security vulnerability.
Oh dear, PLEASE help.
If someone had not updated TOR since May and, erm, Java was enabled.
They also had some incriminating evidence on Tormail.
Would you advise them to get out of the country if their country had a not-so-friendly government?
Again, please help.
I would tell that person not to worry at this point, because the exploit only tells the U.S. feds that person visited Tormail during the time the exploit was running (probably only the last week) and may correlate the time they visited with activity in Tormail server logs. However U.S. law enforcement is not allowed to examine the contents of the Tormail server without a proper warrant, and nothing has been shown so far that Tormail was a law enforcement target.
I always use the latest TBB version with JS off, so I don't worry about the recent upsets for me.
My concern is, however, whether my machine's obfsproxy bridge setting through the other port, and the other Tor and Privoxy (Polipo cannot handle obfsproxy smoothly) job process that I set up to assist dissidents' access from restricted countries to their necessities, is safe or not.
If obfsproxy clients with TBB had been affected by the exploit, did their requests to my machine bridging to the Tor network expose my IP and MAC address?
You are asking whether vulnerable TBB users who configured their TBB to use your bridge would end up running code on your bridge? No, they won't.
Thanks for the reply.
I meant exactly what you interpreted. I'll continue my machine's obfsproxy bridge to facilitate dissidents' access to the Tor network.
Please do!