
Tor Freedom Host compromised, JS injected into multiple sites - coolnow
http://pastebin.com/pmGEj9bV
======
PhasmaFelis
I realize this marks me a failure as a hacker and a human being, but
JavaScript is not my native tongue and Google Translate doesn't seem to have
an option for it. Could someone please post some actual _news_
about...whatever is happening?

~~~
stdgy
Here's my current understanding:

\- Freedom Host's founder arrested in Ireland for potential extradition on
American child pornography distribution charges.

\- Odd JavaScript snippets found on sites hosted by Freedom Host. Initial
investigations seem to point towards a possible 0-day targeting Firefox.

If the delivered Javascript is a browser-breaker, this strongly suggests
someone is collecting the actual identities of the Tor users.

------
syncerr
Another one: [http://pastebin.com/K61QZpzb](http://pastebin.com/K61QZpzb)

Shows an iframe URL of:
[http://nl7qbezu7pqsuone.onion?requestID=203f1a01-6bc7-4c8b-b...](http://nl7qbezu7pqsuone.onion?requestID=203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0)

Which is live now[1], and shows:

<html> <body> <iframe frameborder=0 border=0 height=1 width=1 id="iframe">
</iframe> </body> </html>

<script></script>

[1]
[http://nl7qbezu7pqsuone.onion.to/?requestID=203f1a01-6bc7-4c...](http://nl7qbezu7pqsuone.onion.to/?requestID=203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0)

~~~
tmbeihl
here's the script that loads ... time to decode
[http://pastebin.com/7G8MeWcs](http://pastebin.com/7G8MeWcs)

~~~
syncerr
Targets Firefox version 17 and lower. This is the version (17.0.7) that you're
required to use for TOR on Windows.[1]

It would take a long time to walk through what's being done, and even that
isn't likely to be helpful. There's a lot of Array, Int32Array, and
ArrayBuffer allocation and retrieval. It's possible one of the larger strings
is for injecting code into memory. It doesn't look at the guid stored in the
cookie or the query param. If it is a memory injection, your guess is as good
as mine.[2]

Just my sense for staring at this for an hour. I know JavaScript, but I'm not
a security expert.

    
    
    Original iframe w/ ?requestID=<guid>: http://pastebin.com/HcGRQk2N (with HTML)
    content_1.html: <connection reset> (only used for versions of Firefox less than 17)
    content_2.html: http://pastebin.com/7sTk8bgx
    content_2.html?????: http://pastebin.com/t9x4GHr1 (same as content_2.html)
    content_3.html: http://pastebin.com/GGCny4Vb
    error.html: <connection reset> (it's likely meant to fail)

[1]
[https://www.torproject.org/projects/torbrowser.html.en](https://www.torproject.org/projects/torbrowser.html.en)
[https://www.mozilla.org/en-US/firefox/organizations/faq/](https://www.mozilla.org/en-US/firefox/organizations/faq/)

[2] [http://pastebin.com/gVna4pi2](http://pastebin.com/gVna4pi2) (NB: it gets
modified before used)
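
The surface behaviours described in this thread (a 1x1 iframe whose URL carries a per-visitor requestID GUID, a User-Agent check for Firefox 17 and lower, bulk typed-array allocation, and a cookie written from script) can be turned into a static triage check that a responder runs over a saved copy of a page before opening it anywhere. The Node.js script below is an added example, not code from the thread or from any of the linked pastebins. The two embedded pages are constructed samples that reproduce only those indicators (no exploit logic); the GUID is the requestID quoted in the thread, the hosts are placeholders, and the weights and threshold are arbitrary choices.

```javascript
"use strict";

// Added example, not code from the thread or from any pastebin it links.
// Static triage of a saved HTML page for the surface indicators described in
// this thread. Weights and the threshold are arbitrary; tune them locally.

const GUID = "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}";

const INDICATORS = [
  {
    name: "hidden 1x1 iframe",
    weight: 3,
    // Inspect each <iframe ...> tag on its own so attribute order does not matter.
    test: (s) => [...s.matchAll(/<iframe\b[^>]*>/gi)].some((m) =>
      /\bheight\s*=\s*["']?1\b/i.test(m[0]) && /\bwidth\s*=\s*["']?1\b/i.test(m[0])),
  },
  {
    name: "per-visitor requestID GUID in a URL",
    weight: 2,
    test: (s) => new RegExp("requestID=" + GUID, "i").test(s),
  },
  {
    name: "Firefox version check on navigator.userAgent",
    weight: 2,
    test: (s) => /navigator\.userAgent/.test(s) && /Firefox/.test(s)
      && /parseInt\s*\(|\.match\s*\(/.test(s),
  },
  {
    name: "typed-array allocation inside a loop",
    weight: 3,
    test: (s) => /for\s*\([^)]*\)\s*\{?[^}]*\bnew\s+(Int32Array|Uint32Array|Uint8Array|ArrayBuffer)\s*\(/.test(s),
  },
  {
    name: "cookie written from script",
    weight: 1,
    test: (s) => /document\.cookie\s*=/.test(s),
  },
];

// Run every indicator over the raw page text and sum the weights of the hits.
function triage(html, threshold = 5) {
  const hits = INDICATORS.filter((ind) => ind.test(html));
  const score = hits.reduce((sum, ind) => sum + ind.weight, 0);
  return {
    score,
    hits: hits.map((ind) => ind.name),
    verdict: score >= threshold ? "suspicious" : "clean",
  };
}

// Constructed sample: the iframe markup quoted in the thread plus a loader that
// only reproduces the indicators above. The GUID is the requestID from the
// thread; the host is a placeholder.
const SUSPICIOUS_PAGE = `<html><body>
<iframe frameborder=0 border=0 height=1 width=1 id="iframe"></iframe>
<script>
  var m = navigator.userAgent.match(/Firefox\\/(\\d+)/);
  if (m && parseInt(m[1], 10) <= 17) {
    document.cookie = "id=203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0; path=/";
    document.getElementById("iframe").src =
      "http://placeholder.invalid/?requestID=203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0";
    var bufs = [];
    for (var i = 0; i < 8; i++) { bufs.push(new Int32Array(1024)); }
  }
</script>
</body></html>`;

// Constructed sample of an ordinary page: a visible embed and a harmless script.
const CLEAN_PAGE = `<html><body>
<h1>Weekly notes</h1>
<iframe src="https://placeholder.invalid/embed/talk" width="640" height="360"></iframe>
<script>console.log("ua: " + navigator.userAgent);</script>
</body></html>`;

console.log(triage(SUSPICIOUS_PAGE)); // score 11, verdict "suspicious"
console.log(triage(CLEAN_PAGE));      // score 0, verdict "clean"
```

Run it with `node triage.js` after pasting a saved page into the string, or read the file with `fs.readFileSync`. The check is deliberately coarse: it flags pages for a human to look at and says nothing about what an injected script actually does.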

~~~
tmbeihl
Based on my poking around, the guid provided is included in the shell code to
be loaded into memory. I'm not sure if it is a windows only exploit or not.
There is an ID of ws2_32IPHLPAPIPA6 that is also included as part of the
shellcode.

~~~
tmbeihl
Maybe 2 0-days being used? Looks like buffer overflow in Firefox JS + win32
exploits? I don't do much win32, so maybe someone else should take a peek.

------
runeks
The Tor Project should offer a bundle with 1) a VirtualBox image with Tor
installed configured to work with 2) a Tor daemon installed on the host
system. This should add another level of security.

------
mixmax
It seems that the JS is checking for firefox and then opening an iframe, which
presumably holds some more JS.

Anyone know what that might be, and who has compromised freedom host?

~~~
coolnow
The IP that's hosting the iframe is a Verizon Business one. The JS also looks
to be setting a cookie, probably for identification purposes (reading the
cookie from another site to confirm the user?). I'm not sure that's the case
because once the Tor Bundle is closed, cookies are automatically deleted.

~~~
nilved
Cookies can't be read by other sites, can they?
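
The question above comes down to cookie scoping: a browser attaches a stored cookie only to requests whose host domain-matches the cookie's domain and whose path path-matches its path, so another site never sees it, while the host that set it reads it back on every later request. The Node.js model below is an added example, not code from the thread; it follows the domain-match and path-match rules of RFC 6265 sections 5.1.3 and 5.1.4. The cookie jar is constructed: the first entry models a host-only cookie set by the .onion host quoted in the thread (value is the requestID GUID from the thread), and the example.com entries and the other hostnames are placeholders.

```javascript
"use strict";

// Added example, not code from the thread. Minimal model of which stored
// cookies a browser attaches to a request (RFC 6265 sections 5.1.3 and 5.1.4).

// Domain-match: exact match, or the cookie domain is a suffix of the host with
// a "." boundary, and the host is a name rather than an IP literal.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  if (!host.endsWith(domain)) return false;
  if (host[host.length - domain.length - 1] !== ".") return false;
  return !/^[\d.]+$|:/.test(host);
}

// Path-match: equal, or the cookie path is a prefix ending in "/", or a prefix
// followed by "/" in the request path ("/app" matches "/app/x", not "/apps").
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Names of the cookies in `jar` that a request to `url` would carry.
function cookiesFor(jar, url) {
  const u = new URL(url);
  return jar
    .filter((c) => {
      // A host-only cookie (no Domain attribute when set) goes back to the
      // exact setting host only; a Domain cookie also covers subdomains.
      const domainOk = c.hostOnly
        ? u.hostname.toLowerCase() === c.domain.toLowerCase()
        : domainMatches(u.hostname, c.domain);
      return domainOk
        && pathMatches(u.pathname || "/", c.path)
        && (!c.secure || u.protocol === "https:");
    })
    .map((c) => c.name);
}

// Constructed jar (see lead-in).
const JAR = [
  { name: "id", value: "203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0",
    domain: "nl7qbezu7pqsuone.onion", path: "/", hostOnly: true, secure: false },
  { name: "sess", value: "constructed", domain: "example.com", path: "/", hostOnly: false, secure: true },
  { name: "pref", value: "constructed", domain: "example.com", path: "/app", hostOnly: false, secure: false },
];

console.log(cookiesFor(JAR, "http://nl7qbezu7pqsuone.onion/?requestID=203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0")); // [ 'id' ]
console.log(cookiesFor(JAR, "http://someothersite.onion/"));          // []
console.log(cookiesFor(JAR, "https://sub.example.com/app/settings"));  // [ 'sess', 'pref' ]
console.log(cookiesFor(JAR, "http://sub.example.com/app/settings"));   // [ 'pref' ] (sess is Secure)
console.log(cookiesFor(JAR, "https://evilexample.com/app"));           // [] (suffix without "." boundary)
console.log(cookiesFor(JAR, "https://example.com/application"));       // [ 'sess' ] (path prefix without "/")
```

The practical consequence for the thread is the one coolnow suggests: the cookie cannot be read by any other site, but the host that set it can recognise the same browser on every later request to itself for as long as the cookie survives, which for the Tor Browser Bundle is until the session ends.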

------
vitaltao
I wonder who could've done it..

~~~
jevinskie
Are you implying it is the NSA? If so, please state so and why you believe
that. Otherwise this comment adds nothing to the discussion.

~~~
mischanix
Funnily enough the IP address in the iframe location is in a /11 formerly
belonging to D.C.-headquartered MCI Communications, now under Verizon, and
traceroute points to it being in D.C. as well.

This could be faked, but it's interesting on its own.

~~~
mrab
IP is irrelevant; even though it's fun to draw conclusions, you simply cannot
tie a person/organization to an IP.

~~~
ToothlessJake
The US government, copyright locusts beg to differ.

------
mtgx
This seems to be happening at the same time as the founder's arrest.
Coordinated action?

~~~
Argentum01
Or perhaps it's been going on for a while and the arrest brought the necessary
scrutiny.

------
tmbeihl
The IP address with the iframe seems to be down now? Anyone get a copy of the
iframe JS?

------
tmbeihl
They seem to possibly be targeting the Tor browser bundle.

------
FedRegister
Who is actually running JavaScript from Tor though?

~~~
betterunix
People who need or want to use something like GMail over Tor?

~~~
icebraining
Gmail has a "basic HTML" view which works fine without JS, though.

------
ToothlessJake
I've referenced Endgame Systems before[1]; exploiting end users for profit for
figures like the NSA is their type of game.

"There are even target packs for democratic countries in Europe and other U.S.
allies. Maui (product names tend toward alluring warm-weather locales) is a
package of 25 zero-day exploits that runs clients $2.5 million a year.[2]"

Endgame's product list was not marked classified, a product meant for
distribution only to the likes of the NSA but peddled amongst fellow for-profit
"whitehats" in arms. Yet another company with immunity to laws others are
hunted and imprisoned for.

[1]
[https://news.ycombinator.com/item?id=6115881](https://news.ycombinator.com/item?id=6115881)

[2]
[http://wiki.echelon2.org/wiki/Endgame_Systems](http://wiki.echelon2.org/wiki/Endgame_Systems)

~~~
cne_productizer
Speaking as someone in the field (I know people from Endgame, and work in a
similar place with much more discretion), this is a load of shit. The FBI
wouldn't be deploying Endgame product like this.

