Recently, a Firefox zero-day was being used to target Tor users. Experts say the code is nearly identical to what the Federal Bureau of Investigation used in its hack against Tor users in 2013. However, on the same day the exploit came out, the Tor Project and Mozilla published browser updates that fixed the issue in the software.
The Tor Project was notified about the zero-day by a user who posted the exploit code to the Tor mailing list from a Sigaint dark net email address.
Shortly after the user posted the exploit code, Roger Dingledine, co-founder of the Tor Project, confirmed the report and said the Firefox team had been notified. He also added that the Firefox team had found the bug and was working on a patch. On November 28, Mozilla had to update its browser for a different critical vulnerability.
Several researchers started analyzing the zero-day exploit. Among the experts was Dan Guido, CEO of Trail of Bits, who posted on Twitter that the zero-day exploit is “a garden-variety use-after-free, not a heap overflow” and that it’s “not an advanced exploit.” The researcher added that the vulnerability is also present on Mac OS, “but the exploit does not include support for targeting any operating system but Windows.”
Security researcher Joshua Yabut told the media that the exploit code is “100% effective for remote code execution on Windows systems.”
“The shellcode used is almost exactly the shellcode of the 2013 one,” a security researcher using the pseudonym “TheWack0lian” tweeted. “When I first noticed the old shellcode was so similar, I had to double-check the dates to make sure I wasn’t looking at a 3-year-old post.”
The researcher was referring to the payload used by the FBI to deanonymize the users of a dark web child porn site. That payload allowed the Bureau to tag Tor users who visited the illegal website hosted on Freedom Hosting. The exploit code forced the browser to send identifying data, such as the MAC address, hostname, and IP address, to a third-party server with a public IP address. The FBI then only had to request customer information from the ISPs to obtain the identities of the affected users.
According to TheWack0lian, the malware was talking to a server assigned to the French ISP OVH; however, when checked, the server appeared to be down.
“The Tor malware calling home to a French IP address is puzzling, though. I’d be surprised to see a US federal judge authorize that,” privacy advocate Christopher Soghoian tweeted after learning about the French IP address.
On the same day the zero-day exploit was discovered, both the Tor Project and Mozilla published releases announcing that they had fixed the issue.
“This release features an important security update to Firefox and contains, in addition to that, an update to NoScript (220.127.116.11).”
“The security flaw responsible for this urgent release is already actively exploited on Windows systems. Even though there is currently, to the best of our knowledge, no similar exploit for OS X or Linux users available, the underlying bug affects those platforms as well. Thus we strongly recommend that all users apply the update to their Tor Browser immediately. A restart is required for it to take effect.”