Firefox 0-Day targeting Tor-Users

11/30/2016

G DATA Blog

Yesterday a Firefox 0-Day was made publicly available. We have analyzed the exploit from begin to end and talk about the different stages, including: the exploit techniques that aim to defeat general protection mechanisms like ASLR and DEP, as well as more advanced protection mechanisms like Export Address Filtering from EMET, the shellcode and its similarity to the FBI-Exploit from 3 years ago.

Yesterday night a 0-Day Exploit for Tor-Browser was posted on the torproject.org mailing list. Tor-Browser is used to anonymously surf the internet or the darknet.

The Bug

We have analyzed the exploit in our SecurityLabs and found that the security issue is a use-after-free vulnerability in the SVG-Animation module and is also present in the latest Firefox release. The existing exploit code can easily be ported to standard Firefox. Therefore Firefox users should be extremely careful until a patch is available.

Crash occurring in the Firefox nightly build compiled with address sanitizer showing the stack trace of an assertion failure which is caused by the exploit. (Mozilla Firefox 53.0a1 https://index.taskcluster.net/v1/task/gecko.v2.mozilla-central.latest.firefox.linux64-asan-opt/artifacts/public/build/target.tar.bz2 - 192MB)

The Exploit

The exploit has an all around professional touch and uses state of the art exploitation techniques. Looking at it on a high level it contains all the standard elements: a heap-spray is used to defy ASLR followed by a ROP-Chain to defeat DEP.

The use-after-free in combination with the heap-spray is used to create a Read-Write primitive. This is then used to find the module base address of XUL.dll. Using this primitive, further addresses and functions needed for the ROP-Chain can be searched conveniently using JavaScript. The important functions for this exploit are kernel32.dll!VirtualAlloc and kernel32.dll!CreateThread. VirtualAlloc is used to allocate executable memory for the shellcode and CreateThread is used to create a new thread to execute said shellcode.

ROP-Chain is built on the fly using JavaScript and the information gained from the Read-Write primitive.

Using the import table of XUL.dll instead of the export table of kernel32.dll itself also deserves a mention. Some Exploit-Protection mechanisms like Microsoft’s EMET are soft to exploits using the import-table of unprotected libraries to retrieve the addresses of otherwise protected exports.

Generic PE-Parsing code in JavaScript to get the addresses of imported functions.

The Shellcode

The shellcode looks extremely familiar. It is basically a slightly updated version of the “FBI-Exploit” from 3 years ago . Besides being fully interchangeable with any shellcode, it may be interesting to look at the shellcode that is available to us in the exploit in its posted form. The purpose is to retrieve the network interfaces’ mac address and report it to a server. This is most likely used to deanonymize certain Tor-Users. There is no functionality to retrieve further commands or execute anything else besides its original functionality. This is a big difference to traditional exploit kits or other targeted attacks.

The target IP address (5.39.27.226) for this information is located in Europe (France) which may or may not be interesting for attribution.

Whois lookup of the IP hardcoded into the shellcode.

The shellcode looks clean and organized. It contains error checking and cleans up after it has fulfilled its purpose. The needed API’s are resolved by the shellcode using the export table of the containing libraries this time.

Excerpt from the shellcode. One can see that all API-Calls are done using an export parsing function [call ebp] and hashes that are used to identify the API’s.

Conclusion [UPDATED]

The Bug is new but the purpose seems to be the same. Based on the shellcode, the exploit looks like a new attempt to deanonymize targeted Tor Users. There is no persistent threat, everything is done in memory, therefore even the newly introduced Sandbox in Firefox is nothing that can stop this particular attack. OLD:Firefox users should use another browser until the vulnerability is fixed. NEW:According to Mozilla's blog, they have released an update for it's Firefox browser which users should install immediately. OLD:Users of TorBrowser should consider that their anonymity is currently not given. NEW:Fortunately, the Tor Project Developers also released an update, as stated on their website. Users are advised to update and restart afterwards.
Other exploit mitigation techniques integrated into other modern browsers like: Control-Flow-Guard, Separate Heap or Delayed Free may have been enough to prevent the exploitation of the bug, but of course there is no guarantee. G Data customers are protected using a variety of technologies including of course the G Data ExploitProtection.