Firefox Zero-Day Used in Child Porn Hunt?

A claimed zero-day vulnerability in Firefox 17 has some users of the latest Mozilla Firefox browser (Firefox 22) shrugging their shoulders. Indeed, for now it appears that this flaw is not a concern for regular, up-to-date Firefox end users. But several experts say the vulnerability was instead exposed and used in tandem with a recent U.S. law enforcement effort to discover the true Internet addresses of people believed to be browsing child porn sites via the Tor Browser — an online anonymity tool powered by Firefox 17.

Tor software protects users by bouncing their communications across a distributed network of relays run by volunteers all around the world. As the Tor homepage notes, it prevents anyone who might be watching your Internet connection from learning what sites you visit, it prevents the sites you visit from learning your physical location, and it lets users access sites that are blocked by Internet censors.

The Tor Browser bundle also is the easiest way to find Web sites that do not want to be easily taken down, such as the Silk Road (a.k.a. the “eBay of hard drugs“) and sites peddling child pornography.

On Saturday, Aug. 3, 2013, Independent.ie, an Irish news outlet, reported that U.S. authorities were seeking the extradition of Eric Eoin Marques, a 28-year-old with Irish and American citizenship reportedly dubbed by the FBI as “the largest facilitator of child porn on the planet.” According to the Independent, Marques was arrested on a Maryland warrant that includes charges of distributing and promoting child porn online.

The Tor Project’s blog now carries a post noting that at approximately midnight on August 4th “a large number of hidden service addresses disappeared from the Tor Network, sites that appear to have been tied to an organization called Freedom Hosting — a hosting service run on the Tor Network allegedly by Marques.

Hidden services can be used to run a variety of Web services that are not directly reachable from a normal Internet connection — from FTP and IRC servers to Web sites. As such, the Tor Network is a robust tool for journalists, whistleblowers, dissidents and others looking to publish information in a way that is not easily traced back to them.

“There are rumors that a hosting company for hidden services is suddenly offline and/or has been breached and infected with a javascript exploit,” writes “phobos,” a Tor Project blogger. Phobos notes that the person, or persons, who run Freedom Hosting are in no way affiliated or connected to The Tor Project, Inc., the organization coordinating the development of the Tor software and research, and continues:

“The current news indicates that someone has exploited the software behind Freedom Hosting. From what is known so far, the breach was used to configure the server in a way that it injects some sort of javascript exploit in the web pages delivered to users. This exploit is used to load a malware payload to infect user’s computers. The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based. We’re investigating these bugs and will fix them if we can.”

Even if the claimed vulnerability is limited to Firefox version 17, such a flaw would impact far more than just Tor bundle users. Mozilla says it has been notified of a potential security vulnerability in Firefox 17, which is currently the extended support release (ESR) version of Firefox. Last year, Mozilla began offering an annual ESR of Firefox for enterprises and others who didn’t want to have to keep up with the browser’s new rapid release cycle.

“We are actively investigating this information and we will provide additional information when it becomes available,” Michael Coates, director of security assurance at Mozilla, wrote in a brief blog post this evening.

Ofir David, head of intelligence for Israeli cybersecurity firm Cyberhat, said he believes the now-public exploit code is indeed related to Marques’ arrest.  David said someone appears to have gained access to Freedom Hosting and injected malicious HTML code that checks the visitor’s browser to see if he is using Firefox 17. If so, the code silently redirects that visitor’s browser to another site which generates a unique identifier called a ‘UUID.'”

David said that although the exploit can be used to download and run malicious code on the visitor’s computer, whoever infiltrated Freedom Hosting appear to have only used the exploit to gather the true Internet addresses of people visiting the child porn sites hosted there.

“Ironically, all [the malicious code] does is perform a GET request to a new domain, which is hosted outside of the Tor network, while transferring the same UUID,” David said. “That way, whoever is running this exploit can match any Tor user to his true Internet address, and therefore track down the Tor user.”

For more on this developing story, check out this Reddit thread. Also, Mozilla has an open Bugzilla entry analyzing the exploit code.

Update, Aug. 5, 1:45 a.m. ET: Reverse engineer Vlad Tsrklevich has posted a brief analysis of what the exploit does. His conclusion (which seems sound):  “Because this payload does not download or execute any secondary backdoor or commands it’s very likely that this is being operated by an [law enforcement agency] and not by blackhats.”

Also, here’s a bit more from Mozilla’s security lead Dan Veditz on the vulnerability:

“The vulnerability being exploited by this attack was fixed in Firefox 22 and Firefox ESR 17.0.7. The vulnerability used is MFSA 2013-53

People who are on the latest supported versions of Firefox are not at risk.

Although the vulnerability affects users of Firefox 21 and below the exploit targets only ESR-17 users. Since this attack was found on Tor hidden services presumably that is because the Tor Browser Bundle (TBB) is based on Firefox ESR-17. Users running the most recent TBB have all the fixes that were applied to Firefox ESR 17.0.7 and were also not at risk from this attack.”

Update, Aug. 5, 4:08 p.m., ET: Kevin Poulsen from Wired.com notes that, according to a domaintools.com lookup, the IP address used by the malicious script’s controllers found by Tsrklevich resolves to a Verizon address space that is managed by Science Applications International Corp. (SAIC), an American defense contractor headquartered in Tysons Corner, Va.