Firefox 0-day found on Tor .onion service (reported on Reddit)

Status: RESOLVED FIXED
Product: Core
Component: Security
Reported: 4 years ago
Modified: 4 years ago

People

(Reporter: dveditz, Unassigned)

Tracking

Keywords: sec-critical
Version: Trunk
Platform: x86_64 Windows 7
Points: ---

Firefox Tracking Flags

(firefox-esr1722+ fixed, firefox-esr24 fixed, b2g1822+ fixed, b2g18-v1.0.1 wontfix, b2g-v1.1hd fixed, b2g-v1.2 fixed)

Details

(Whiteboard: fixed by June 25, 2013 releases in bug 857883, crash signature, URL)

Attachments

(5 attachments)

(Reporter)

Description

4 years ago
Reddit is reporting a Firefox 0-day that has been injected on some .onion sites (Tor hidden services).

http://www.reddit.com/r/onions/comments/1jmrta/founder_of_the_freedom_hosting_arrested_held/

The most complete link I've seen appears to be
http://pastebin.mozilla.org/2777139 (and copied to
http://pastebin.mozilla.org/2781408 in case the first link is ephemeral)

I've also seen
http://pastebin.com/pmGEj9bV
http://pastebin.com/K61QZpzb
http://pastebin.mozilla.org/2776374

and I'm not sure where they're all from or how they're related (look duplicative).

No point in hiding the bug at this point, this is all over the twitters and will just collect dupes.
Comment 1

This appears to be the exploit, linked by reddit:

http://pastebin.mozilla.org/2776374

Comment 2

(In reply to Bobby Holley (:bholley) from comment #1)
> This appears to be the exploit, linked by reddit:
> 
> http://pastebin.mozilla.org/2776374

Oh, ignore me. dveditz already linked to it in comment 0.

Comment 3

Can someone with a Windows build run this thing in an ASAN debug build and see where we first fall over?

Comment 4

4 years ago
Can you make this crash on non-windows?

Comment 5

4 years ago
Created attachment 785529 [details]
pastebin-pmGEj9bV.txt

Comment 6

4 years ago
Created attachment 785530 [details]
mozillapastebin-2776374.txt
Comment 7

Created attachment 785531 [details]
pastebin-K61QZpzb.txt

Comment 8

Created attachment 785532 [details]
mozillapastebin-2777139.txt

Cleaned up.
(Reporter)

Comment 9

4 years ago
This has now been posted to Hacker News. Here's the URL to help catch dupes
https://news.ycombinator.com/item?id=6154246
(Reporter)

Updated

4 years ago
Summary: Onion service Firefox 0-day (reported on Reddit) → Firefox 0-day found on Tor .onion service (reported on Reddit)
Whiteboard: Possibly ESR-17 only

Comment 10

4 years ago
Until content_2.html is loaded it looks like mere heap ordering. I can't get nightly to crash with it. Will look at content_2.html next.
Comment 11

content_2.html seems to trigger over-recursion on Linux.

Comment 12

(In reply to Bobby Holley (:bholley) from comment #11)
> content_2.html seems to trigger over-recursion on linux.

Oh, never mind. That only happens when you don't load the iframes in the proper hierarchy, because the parent structure isn't what the code expects.

Comment 13

I have to go, but some notes on making the testcase actually do something:

If the version check fails, the main frame is redirected to content_1.html, which appears to be the bailout page. Depending on your platform, it may be necessary to early-return |17| from |function al()| in the main exploit.

The exploit appears to try to wait for onload before executing, but fails, because the event listener at the bottom is |u()| rather than |u|, so it effectively evaluates the whole exploit when it adds the event handler. This means that the iframe needs to have the bizarre pre-positioning it has in the exploit. Don't try to re-order it.
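To illustrate the registration mistake described in the comment above (`u()` instead of `u` as the listener argument), here is an added example that is not from the bug's testcase or any attachment: it uses a constructed minimal event target (`MiniTarget`, `runScenario`, and a stand-in `u` are all assumed names) and returns the order in which things happen under each form of registration.

```javascript
// Minimal stand-in for a window-like event target. Constructed for this
// example only; it is not the DOM and not code from the bug's attachments.
class MiniTarget {
  constructor() { this.listeners = {}; }
  addEventListener(type, fn) {
    // Like the DOM, silently ignore a non-function listener such as undefined.
    if (typeof fn !== "function") return;
    if (!this.listeners[type]) this.listeners[type] = [];
    this.listeners[type].push(fn);
  }
  dispatch(type) {
    for (const fn of this.listeners[type] || []) fn();
  }
}

// Runs one scenario and returns the observed order of events.
// registerByCall === true  mimics  addEventListener("load", u())
// registerByCall === false mimics  addEventListener("load", u)
function runScenario(registerByCall) {
  const log = [];
  const target = new MiniTarget();
  // Stand-in for the page's `u`: the body that was meant to wait for onload.
  function u() { log.push("body ran"); }
  // With u(), the body executes right here, and its return value (undefined)
  // is what gets handed to addEventListener, so nothing is ever registered.
  target.addEventListener("load", registerByCall ? u() : u);
  log.push("listener registered");
  target.dispatch("load");
  log.push("load fired");
  return log;
}
```

With the reference form the body runs only when "load" is dispatched; with the call form it has already run before registration completes, which is why the surrounding document state at script-evaluation time (the iframe pre-positioning noted above) is what the code actually sees.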
Comment 14

Disassembly of the 'magneto' shell code: http://www.onlinedisassembler.com/odaweb/HeZjTV

Comment 15

Using the testcase in:
https://hg.mozilla.org/users/dbaron_mozilla.com/bug901365-testcase/
I crash in Firefox 17.0, 17.0.4esr, and 17.0.6esr but NOT 17.0.7esr at:
bp-3534f587-63b8-43cf-9891-5dad22130804
bp-f4517677-20f6-4a09-aaed-ab5082130804
bp-82eaa8cd-83e3-49a0-ad8a-e7cd12130804

Comment 16

smaug points out both the crash stack and fix range seem consistent with bug 857883. (At least for the crash I'm seeing; possibly others see something else!)

Depends on: 857883

Comment 17

And to be clear: I'm testing on Linux. Somebody should definitely check on Windows.

Comment 18

As a side note, these crashes cause the exploitability analyzer in crash-stats to error out. Filed bug 901372 for that.
Comment 19

(In reply to Daniel Veditz [:dveditz] from comment #0)
> Reddit is reporting a Firefox 0-day that has been injected on some .onion
> sites (Tor hidden services).
> 
> http://www.reddit.com/r/onions/comments/1jmrta/
> founder_of_the_freedom_hosting_arrested_held/
> 
...

(In reply to David Baron [:dbaron] (don't cc:, use needinfo? instead) from comment #15)
> Using the testcase in:
> https://hg.mozilla.org/users/dbaron_mozilla.com/bug901365-testcase/
> I crash in Firefox 17.0, 17.0.4esr, and 17.0.6esr but NOT 17.0.7esr at:
> bp-3534f587-63b8-43cf-9891-5dad22130804
> bp-f4517677-20f6-4a09-aaed-ab5082130804
> bp-82eaa8cd-83e3-49a0-ad8a-e7cd12130804

Is this an issue with Thunderbird 17 esr?
(Reporter)

Comment 20

4 years ago
(from comment #16)
> smaug points out both the crash stack and fix range seem consistent with
> bug 857883.

That would be http://www.mozilla.org/security/announce/2013/mfsa2013-53.html if so.
(Reporter)

Comment 22

4 years ago
Created attachment 785556 [details]
self-contained exploit w/neutered (hopefully) shellcode

Open start.html to begin. Doesn't always crash, sometimes I had to reload or shift-reload it a few times.
(Reporter)

Updated

4 years ago
Crash Signature: [@ nsPresContext::SetImageAnimationModeInternal(unsigned short) ] [@ nsPresContext::SetImageAnimationModeInternal ]
(Reporter)

Comment 23

4 years ago
So far I've reproduced the crash using attachment 785556 [details] in
https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2013/05/2013-05-05-03-45-01-mozilla-esr17/

But not with
https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2013/05/2013-05-17-03-45-04-mozilla-esr17/

I couldn't find any builds in between, I think we only build ESR on demand. The only fixes in that range are three bugs fixed by Olli, bug 857883 (the suspected fix), bug 862309 (related to contenteditable), and bug 866915 (related to XHR)

http://hg.mozilla.org/releases/mozilla-esr17/pushloghtml?startdate=2013-05-05&enddate=2013-05-17
(Reporter)

Comment 24

4 years ago
I've also confirmed that mozilla-central 2013-05-15 nightlies crash and 2013-05-16 nightlies don't. That also aligns with bug 857883
(Reporter)

Comment 25

4 years ago
I've been told comment 23 and 24 can be cryptic for those who aren't up on our archive nomenclature. All of these were "nightly" developer/testing builds. The first build in comment 23 is a more-or-less stock ESR 17.0.6 built May 5, 2013 and the second contained only Olli's patches and was built on May 17, 2013. The "pushloghtml" link shows the ESR code changes in that date range.

In comment 24 I was talking about May nightlies of "mozilla-central", which was Firefox 24 at the time. The patch for bug 857883 was also applied to the Fx23 "Aurora" branch and the Fx22 "Beta" branch.

Firefox 22 and Firefox ESR 17.0.7 were released on June 25, 2013 and contained the patch for bug 857883 and are not affected by the exploit samples that we have received related to this issue.
Should we close this bug?
status-b2g18-v1.0.1: --- → affected
(Reporter)

Updated

4 years ago
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Whiteboard: Possibly ESR-17 only → fixed by June 25, 2013 releases in bug 857883

Comment 30

4 years ago
Hey, guys, would you please give a detailed description of attachment "self-contained exploit w/neutered (hopefully) shellcode (6.93 KB, application/java-archive)" by "2013-08-04 16:06 PDT, Daniel Veditz [:dveditz]"? I just could not understand much about the process of triggering and exploiting. Please contact 1989600235@qq.com if you are willing to offer a help. Thank you so much!
status-b2g-v1.1hd: --- → affected
status-b2g-v1.2: --- → fixed
(Reporter)

Updated

4 years ago
status-b2g18: --- → fixed
status-b2g18-v1.0.1: affected → wontfix
status-b2g-v1.1hd: affected → fixed
status-firefox-esr17: --- → fixed
status-firefox-esr24: --- → fixed
tracking-b2g18: --- → 22+
tracking-firefox-esr17: --- → 22+