Zero-day broker Zerodium has disclosed a NoScript vulnerability that could be exploited by attackers to execute arbitrary JavaScript code in the Tor Browser.

Zero-day broker Zerodium has disclosed a NoScript vulnerability that could be exploited by attackers to execute arbitrary JavaScript code in the Tor Browser.

NoScript is a popular Firefox extension that protects users against malicious scripts, it only allows the execution of JavaScript, Java, and Flash plugins on trusted websites

Bug broker Zerodium has discovered a NoScript vulnerability that could be exploited to execute arbitrary JavaScript code in the Tor Browser even if the maximum level is used. The exploit bypasses the protection implemented by NoScript.

The company also provided instruction to exploit the flaw in the following Twitter message:

Advisory: Tor Browser 7.x has a serious vuln/bugdoor leading to full bypass of Tor / NoScript 'Safest' security level (supposed to block all JS).

PoC: Set the Content-Type of your html/js page to "text/html;/json" and enjoy full JS pwnage. Newly released Tor 8.x is Not affected. — Zerodium (@Zerodium) September 10, 2018

Security researcher @x0rz also posted a proof of concept script to show that is very easy to exploit the flaw.

The latest version of the Tor Browser 8 is not affected, this means that users have to update their oldest versions as soon as possible.

The flaw resides in the NoScript Firefox extension and affects the Tor Browser that is based on Firefox.

The Italian hacker Giorgio Maone that developed the extension patched the bug in a couple of hours and addressed the problem with the release of the version 5.1.8.7.

I said FIXED, guys 🙂

Get 5.1.8.7 here:https://t.co/0h5BHFexTw — Giorgio Maone (@ma1) September 10, 2018

Maone explained that only the “Classic” branch of NoScript 5 is impacted, according to the expert the flaw was introduced in May 2017 with the release of NoScript 5.0.4.

It exists due to a “work-around for NoScript blocking the in-browser JSON viewer.”

Tor Project team pointed out that this bug is a Tor Browser zero-day flaw, instead of a NoScript issue.

“This was a bug in NoScript and not a zero-day exploit of Tor Browser that could circumvent its privacy protections. For bypassing Tor, a real browser exploit would still be needed,” the Tor Project explained.

“If a user sets his Tor browser security level to ‘Safest’ to block JavaScript from all websites (e.g. to prevent browser exploits or data gathering), the exploit would allow a website or a hidden service to bypass all NoScript restrictions and execute any JavaScript code despite the maximum security level being used, making it totally ineffective,” Chaouki Bekrar, the CEO of Zerodium, told SecurityWeek.

Bekrar confirmed to have acquired the zero-day vulnerability “many months ago” and shared it with law enforcement and government customers.

The worrying news is that Bekrar confirmed to have acquired “high-end Tor exploits” as part of its bug bounty program. In September the ZERODIUM announced it will pay up to $1 million for fully working zero-day exploits for Tor Browser on Tails Linux and Windows OSs.

Bekrar highlighted that the exploits have been used by its customers to “fight crime and child abuse, and make the world a better and safer place for all.”

Don’t waste time, upgrade your browser to the newest release.

Pierluigi Paganini

( Security Affairs – Zerodium, Tor browser)

Share this...

Linkedin Reddit Pinterest

Share On