Hacker News new | past | comments | ask | show | jobs | submit login
Tor Freedom Host compromised, JS injected into multiple sites (pastebin.com)
129 points by coolnow on Aug 4, 2013 | hide | past | favorite | 42 comments

I realize this marks me a failure as a hacker and a human being, but JavaScript is not my native tongue and Google Translate doesn't seem to have an option for it. Could someone please post some actual news about...whatever is happening?

Here's my current understanding:

- Freedom Host's founder arrested in Ireland for potential extradition on American child pornography distribution charges.

- Odd Javascript snippets found on sites hosted by Freedom Host. Initial investigations seem to point towards a possible 0-day targeting Firefox.

If the delivered Javascript is a browser-breaker, this strongly suggests someone is collecting the actual identities of the Tor users.

Another one: http://pastebin.com/K61QZpzb

Shows an iframe URL of: http://nl7qbezu7pqsuone.onion?requestID=203f1a01-6bc7-4c8b-b...

Which is live now[1], and shows:

<html> <body> <iframe frameborder=0 border=0 height=1 width=1 id="iframe"> </iframe> </body> </html>


[1] http://nl7qbezu7pqsuone.onion.to/?requestID=203f1a01-6bc7-4c...

here's the script that loads ... time to decode http://pastebin.com/7G8MeWcs

Targets Firefox version 17 and lower. This is the version (17.0.7) that you're required to use for TOR on Windows.[1]

It would take a long time to walk through what's being done, and even that isn't likely to be helpful. There's a lot of Array, Int32Array, and ArrayBuffer allocation and retrieval. It's possible one of the larger strings is for injecting code into memory. It doesn't look at the guid stored in the cookie or the query param. If it is a memory injection, your guess is as good as mine.[2]

Just my sense for staring at this for an hour. I know JavaScript, but I'm not a security expert.

  Original iframe w/ ?requestID=<guid>: http://pastebin.com/HcGRQk2N (with HTML)
  content_1.html: <connection reset> (only used for versions of Firefox less than 17)
  content_2.html: http://pastebin.com/7sTk8bgx
  content_2.html?????: http://pastebin.com/t9x4GHr1 (same as content_2.html)
  content_3.html: http://pastebin.com/GGCny4Vb
  error.html: <connection reset> (it's likely meant to fail)
[1] https://www.torproject.org/projects/torbrowser.html.en https://www.mozilla.org/en-US/firefox/organizations/faq/

[2] http://pastebin.com/gVna4pi2 (NB: it gets modified before used)

Here's an annotated version of the code: http://pastebin.mozilla.org/2777139

It includes a hexdump of the shell code, showing it's building an HTTP request to somewhere. So it's likely identifying Tor users through non-Tor connections.

Based on my poking around, the guid provided is included in the shell code to be loaded into memory. I'm not sure if it is a windows only exploit or not. There is an ID of ws2_32IPHLPAPIPA6 that is also included as part of the shellcode.

Maybe 2 0-days being used? Looks like buffer overflow in firefox js + win32 exploits? I don't do much win 32, so maybe someone else should take a peek

Could the kind intelligence that decodes this post a play-by-play for us regular folk? Is the first step trying to trace the logic mentally? Building some kind of graph-based representation of the code and its calling behavior...? When I read var77, var78, var79... well, yea.

Might want to check these too:



The Tor Project should offer a bundle with 1) a VirtualBox image with Tor installed configured to work with 2) a Tor daemon installed on the host system. This should add another level of security.

It seems that the JS is checking for firefox and then opening an iframe, which presumably holds some more JS.

Anyone know what that might be, and who has compromised freedom host?

The IP that's hosting the iframe is a Verizon Business one. The JS also looks to be setting a cookie, probably for identification purposes (reading the cookie from another site to confirm the user?). I'm not sure that's the case because once the Tor Bundle is closed, cookies are automatically deleted.

Cookies can't be read by other sites, can they?

The cookie is set to expire after 30 minutes

I wonder who could've done it..

Are you implying it is the NSA? If so, please state so and why you believe that. Otherwise this comment adds nothing to the discussion.

Funnily enough the IP address in the iframe location is in a /11 formerly belonging to D.C.-headquartered MCI Communications, now under Verizon, and traceroute points to it being in D.C. as well.

This could be faked, but it's interesting on its own.

IP is irrelevant, even though it's fun to draw conclusions, you simply cannot tie a person/organization to an IP.

The US government, copyright locusts beg to differ.

So the founder of Tor Freedom is arrested and now this. Quite a coincidence. Maybe not NSA, but probably some kind of government agency. I think the best bet people can make these days is to assume that government is guilty and means to do nasty things - until proven otherwise.

Probably because they have a hard-on for snooping and TOR, by design, makes it extremely hard to correlate usage with a person without owning exit nodes and/or social engineering.

Realistically though, if the NSA were going to penetrate TOR, they would just own exit nodes and do social engineering. Bear in mind that the American government had a hand in building TOR to begin with.

That this appears to be so blatant suggests to me that it has nothing to do with surveillance at a state level.

Realistically they'd probably use a variety of approaches. Each approach could have its own limitations or be closed off without much notice. Wouldn't you want to hedge your bets?

Hedge against what, though?

Even if it isn't outside the realm of possibility, I don't think it's plausible for an organization that's supposedly powerful enough to monitor and archive all domestic and incoming electronic communication, when there's an entire ecosystem of hackers and skiddies out there anyway who do this kind of thing elsewhere all the time. JS in an iframe? XSS? Why would they even bother?

Edit -- turns out it might actually be the FBI... http://www.reddit.com/r/onions/comments/1jmrta/founder_of_th...

It is NSA[1]. No implication needed. FBI nabs host owner and suddenly code is injected to exploit all end users? Rather tired of people downplaying these events at every attempt. What does your comment add? At least the parent comment you are responding hinted at a potential suspect.

Perhaps he doesn't want to be hunted either directly implicating the US for the US's work.

Seriously, bring something to the discussion if you are going to be asking others to do the same.

By the way the person who started the site linked is being prosecuted by the DoJ[2], no doubt with others involved being hunted down as well. I'm sure there is no implications to any of this.

[1] http://wiki.echelon2.org/wiki/Endgame_Systems

[2] http://www.thenation.com/article/174851/strange-case-barrett...

It is not the NSA and endgame has no relevance at all.

Who is relevant then?

FBI, who happens to work as a conduit for the NSA, along with any number of the other acronym boys? Or the corporations they hire while handing out legal immunity for the actions they are hired for? Or Google and others who also accept payoffs and immunity for helping monitor the acronym boy's targets?

How is the various crony corporations publicizing these deeds as services not relevant? This is the subject of exploits being used on users of a host whose owner was arrested, correct?

I am readily awaiting a more logical answer than another contracted service like Endgame and their pool of exploits they are so ready to use on the non legally immune citizens of the world. Or companies like Google for going along with the dragnet monitoring and exploitation of dissidents.

All of them are connected by virtue of payoffs, insider trading, market manipulation. None of it is irrelevant.

Complete conjecture, but it's not that far a hop skip and jump to consider the possibility that Sabu's team in the FBI built and planted the JS.

This seems to be happening at the same time with the founder's arrest. Coordinated action?

Or perhaps it's been going on for awhile and the arrest brought the necessary scrutiny

The ip address with the iframe seems to be down now? Anyone get a copy of the iframe JS?

They seem to possibly targeting the tor browser bundle

Who is actually running Javascript from Tor though?

The Tor Browser Bundle enables Javascript by default.

Which is a mistake, and this shows why. Javascript should be default-off everywhere, and then if there's a Tor site you trust (oxymoron if I've ever heard one) then you enable Javascript.

People who need or want to use something like GMail over Tor?

Gmail has a "basic HTML" view which works fine without JS, though.

They can use the non-Javascript interface to set up IMAP/POP3 and then just use a POP client - no Javascript required.

I've referenced Endgame Systems before[1], exploiting end users for-profit via for figures like the NSA is their type of game.

"There are even target packs for democratic countries in Europe and other U.S. allies. Maui (product names tend toward alluring warm-weather locales) is a package of 25 zero-day exploits that runs clients $2.5 million a year.[2]"

Endgame's product list was not marked classified, a product meant for distribution only to the likes of the NSA but peddled amongst fellow for-profit "whitehat" in arms. Yet another company with immunity to laws others are hunted and imprisoned for.

[1] https://news.ycombinator.com/item?id=6115881

[2] http://wiki.echelon2.org/wiki/Endgame_Systems

Speaking as someone in the field (I know people from Endgame, and work in a similar place with much more discretion), this is a load of shit. The FBI wouldn't be deploying Endgame product like this.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact