A Simple Guide to Torsploit
There's a lot of ongoing research into the Tor Browser Bundle (Firefox 17 ESR-based) exploit that was launched from compromised Freedom Hosting servers last week.
For a detailed discussion of the exploit, check out this thread on Cryptocloud → http://www.cryptocloud.org/viewtopic.php?f=14&t=2951&sid=363e1c6afcba19d078f7035d061ef31f
Much of the discussion has been highly technical in nature and may be a bit daunting or confusing to even skilled users, so let's break it all down:
A security hole in the JavaScript engine of Firefox versions < 17.0.7 allowed arbitrary code to be executed within the process space of the running browser.
This particular version of Firefox was an ESR or Extended Support Release. Extended Support Releases continue to receive support from Mozilla for the purpose of patching bugs and security vulnerabilities for a longer time period than standard releases.
Whose identity was exposed?
Tor users who were running Firefox versions < 17.0.7 (Tor Browser Bundle < 2.3.25-10) AND were running it on Microsoft Windows AND visited a compromised Freedom Hosting .onion site sometime last week.
Would I have noticed anything if I was exploited?
Yes, your browser would have crashed or suddenly exited. It crashes or exits when hit with the exploit on all platforms (Windows, OS X, and Linux), but only successfully exposes your identity on Windows.
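As an added illustration (not part of the original post), here is a small Python triage helper that encodes the affected window stated above: the 2.3.25-10 / 17.0.7 boundaries, the crash on every platform, and identity exposure only on Windows. The version parsing and platform labels are assumptions made for the example.

```python
import re
from typing import Optional, Tuple

# Boundaries as stated in this article (assumed exact): the first fixed bundle
# is Tor Browser Bundle 2.3.25-10, which ships Firefox 17.0.7.
PATCHED_TBB = "2.3.25-10"
PATCHED_FIREFOX = "17.0.7"

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-(\d+))?")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.3.25-10' or '17.0.7' into a tuple that compares numerically.

    A trailing '-N' bundle build number becomes the last component; when it is
    absent it counts as 0, so '2.3.25' sorts below '2.3.25-1'.
    """
    m = _VERSION_RE.fullmatch(v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts.append(int(m.group(2) or 0))
    return tuple(parts)


def is_vulnerable(tbb_version: Optional[str] = None,
                  firefox_version: Optional[str] = None) -> bool:
    """True when the browser is below the fixed release on either version scheme.

    At this level the exploit crashes the browser on every platform; whether it
    also exposes identity is decided separately in triage().
    """
    if tbb_version is None and firefox_version is None:
        raise ValueError("need a Tor Browser Bundle or Firefox version")
    if tbb_version is not None and parse_version(tbb_version) < parse_version(PATCHED_TBB):
        return True
    if firefox_version is not None and parse_version(firefox_version) < parse_version(PATCHED_FIREFOX):
        return True
    return False


def triage(platform: str, visited_compromised_site: bool, **versions) -> str:
    """Classify a user by the article's conditions.

    Returns 'not affected', 'crash only' (vulnerable browser, but the payload
    only used Windows APIs) or 'identity exposed' (vulnerable AND Windows AND
    visited a compromised Freedom Hosting site).
    """
    if not visited_compromised_site or not is_vulnerable(**versions):
        return "not affected"
    if platform.strip().lower().startswith("win"):
        return "identity exposed"
    return "crash only"
```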
Why does the Tor Browser Bundle use the ESR versions of Firefox?
I'm not a member of the Tor Project and can't speak for their exact reasoning, but...
Put simply, they're more of a known quantity. As any piece of software has more features and functionality added to it, the probability of introducing new bugs and security vulnerabilities is high. ESR releases have been around the block. They have a fixed set of features that existed at that major version number and are only updated to patch bugs and security holes. The longer ESR releases exist in the wild and are patched as needed, generally the lower the odds are that potential vulnerabilities remain.
That nice new browser version might have a smokin' fast new Javascript engine, but there may be many new security implications that were overlooked.
“Better the devil you know than the devil you don't.”
How did this all work to expose users' identities?
What about calls for Tor users to abandon Microsoft Windows?
There are numerous reasons that would lead one to suggest against using Windows when security is at stake, but those reasons are outside the scope of this article. Why would this event specifically lead to such a recommendation?
The Firefox exploit has been tested and verified to work on all major platforms. The only thing that prevented Mac and Linux users from being exposed was that the shellcode payload was written only to utilize Windows API functions. These functions were used both to retrieve the MAC address and hostname, and to call back home with the info.
It would be trivial to replace the payload with one that targets another OS.
But there's something still strange here...
The construction of the Javascript bootstrap code leads me to suspect that perhaps the person who packaged the exploit is not the one who wrote it.
Why would a person who was informed enough about their target to attack a specific version window known to be in use in the Tor Browser Bundle do this?
“var i = navigator.userAgent.indexOf("Windows NT");”
What's wrong here? The Tor Browser always identifies with a generic Windows NT user-agent, so as to avoid one type of browser fingerprinting. So asking your target browser if it's running on Windows NT, when it always responds in the affirmative, is perplexing.
It's completely possible that the creator intended to build a separate shellcode payload for each operating system, and then realized that they couldn't get an honest answer as to the OS in use out of the Tor Browser.
Just something to ponder.