Friday, October 4, 2013

FoxAcid pwning TOR

For those who do not know, a new presentation was leaked through The Guardian. Its title is "tor stinks NSA presentation". This is interesting because the FBI has said that it was behind the Tor JavaScript vulnerability. The attack is used specifically against the Tor Browser, which runs an earlier version of Firefox (i.e. 16) that has some vulnerabilities. A hint for those who want to use Tor: use the most up-to-date version and don't use it as a browser add-on. Now there is more information from the documents leaked through The Guardian and Snowden.



The Quantum system

What the NSA did is perform a man-in-the-middle attack on a global scale. They learn that a user is trying to reach a certain website and, instead of the request reaching that website, the NSA responds first, sending faked data back to the client with the malware embedded in the HTML code. You may find this familiar from other NSA headlines; yes, the NSA did the same thing with Google and Brazil's state-run oil firm Petrobras. This is the server that was used to perform the man-in-the-middle attack.

Technical Details of the Attack

Here is the JavaScript code, unobfuscated. For those who are not fluent in JavaScript: it checks whether the browser is Firefox of a specific version (the one used for the Tor Browser) and then creates an invisible iframe that connects to a server. An iframe is an old HTML element that was used to show multiple pages on one site. It was used mostly for having one page as a menu that could be reused without repeating its code in all of the other web pages. Since the 1990s this technique has been replaced with safer options, but it is still supported in most browsers for backwards compatibility (Chrome doesn't support it anymore). What makes this a security flaw is that an iframe can be made invisible (present only in the source code and not visible on the screen) and can load content from other servers. The first part of this vulnerability makes it possible to load a page from cnn.com inside a page on fox.com.
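As an added example (not code from the post or from the leaked documents), here is a Python scan for the two properties just described, an iframe that is invisible and that loads from another server, run over a constructed sample page; the host names and markup are made up for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class HiddenIframeScanner(HTMLParser):
    """Flags <iframe> tags that are both invisible and loaded from another host."""
    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlparse(page_url).hostname
        self.suspicious = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases attribute names
        style = a.get("style", "").replace(" ", "").lower()
        reasons = []
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        # zero- or one-pixel frames, whether sized by attribute or by inline CSS
        for dim in ("width", "height"):
            raw = a.get(dim, "")
            m = re.search(r"(?:^|;)%s:([^;]+)" % dim, style)
            if not raw and m:
                raw = m.group(1)
            num = raw.strip().lower()
            num = num[:-2] if num.endswith("px") else num
            if num.isdigit() and int(num) <= 1:
                reasons.append("%s is %s" % (dim, raw.strip()))
        src_host = urlparse(a.get("src", "")).hostname
        # only the combination the post describes: invisible AND from another server
        if reasons and src_host and src_host != self.page_host:
            self.suspicious.append((a.get("src", ""), reasons))

def scan_page(html, page_url):
    scanner = HiddenIframeScanner(page_url)
    scanner.feed(html)
    return scanner.suspicious

# Constructed sample page (not real traffic): a menu frame, a hidden same-origin frame, two hidden cross-origin frames.
SAMPLE_HTML = """<html><body>
<iframe src="/menu.html" width="200" height="600"></iframe>
<iframe src="/tracker.html" style="display:none"></iframe>
<iframe src="https://static.example.net/ads" style="display: none"></iframe>
<iframe src="https://cdn.example.org/x" width="0" height="0"></iframe>
</body></html>"""
if __name__ == "__main__":
    for src, why in scan_page(SAMPLE_HTML, "https://www.example.com/index.html"):
        print(src, "->", ", ".join(why))
```

The visible menu frame and the hidden same-origin frame are left alone; only the two frames that are both hidden and cross-origin are reported.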

The second part of the attack is the important part. Depending on the information sent in the request to the server, the server uses its database of attacks to pick an attack that will work on the system, based on the OS, OS version, installed programs, and more. Then it can load a page of its own that contains code which sends information about the system directly to the server. (Here is the shellcode if you want to have a look at it.)


TOR Nodes

A while ago there was a big scare over the huge increase in Tor nodes, which a lot of people thought to be the NSA (it still could be), but people have settled on it being a person who controlled a botnet and installed Tor on all of the machines he/she controls.

