As noted in the previous post on the arrest of the founder of Freedom Hosting, some .onion websites (Tor domains) hosted by Freedom Hosting have been attacked. The attack compromised the web server software so that it inserts a special IFRAME into web pages. When a user opens such a page and the IFRAME loads, the user is redirected to a set of exploits and served a special JavaScript (a heap-spraying exploit) that exploits an open vulnerability in the Mozilla Firefox version 17 browser (which is relevant for the Tor Browser Bundle). The malicious script is described here.
Freedom Hosting is a no-no matter how much it is affiliated. In the past, there has been a scrambled outbreak of hidden services and on-line address. Exploits for PHP, Apache, MySQL, and other software are far more common than exploits for Tor. The current news indicates that the software behind Freedom Hosting. From the JavaScript it was sent. This is an exploit of computers. If you are on Firefox 17 ESR, it is on the Internet. We’re investigating these if you can.
To link the IFRAME to the exploit kit's web page, a special UUID is used; it is assigned to the “client” to which the IFRAME was sent.
It should be noted that after the raid carried out on the servers of Freedom Hosting, the FBI left the sites with content for pedophiles running in order to identify as many of their users as possible. Although such resources use .onion domains (that is, Tor network domains whose physical location is very difficult to establish), experts determined the location of the hosting company's servers. Artifacts were found in the JS exploit confirming the use of FBI servers in this attack.
Although the vulnerability affects users of Firefox 21 and below, the exploit targets only ESR-17 users. Since this isn’t it’s possible, it’s true that it’s the Tor Browser Bundle (TBB) ESR-17. Users running the most recent TBB have all the fixes that have been applied to Firefox ESR 17.0.7.