Zerodium disclose exploit for NoScript bug in version 7 of Tor Browser
11.9.2018 securityaffairs
Exploit

Zero-day broker Zerodium has disclosed a NoScript vulnerability that could be exploited by attackers to execute arbitrary JavaScript code in the Tor Browser.

NoScript is a popular Firefox extension that protects users against malicious scripts, it only allows the execution of JavaScript, Java, and Flash plugins on trusted websites

Bug broker Zerodium has discovered a NoScript vulnerability that could be exploited to execute arbitrary JavaScript code in the Tor Browser even if the maximum level is used. The exploit bypasses the protection implemented by NoScript.

The company also provided instruction to exploit the flaw in the following Twitter message:

Zerodium

@Zerodium
Advisory: Tor Browser 7.x has a serious vuln/bugdoor leading to full bypass of Tor / NoScript 'Safest' security level (supposed to block all JS).
PoC: Set the Content-Type of your html/js page to "text/html;/json" and enjoy full JS pwnage. Newly released Tor 8.x is Not affected.

2:23 PM - Sep 10, 2018
1,043
921 people are talking about this
Twitter Ads info and privacy
Security researcher @x0rz also posted a proof of concept script to show that is very easy to exploit the flaw.

x0rz
@x0rz
Very easy to reproduce the Zerodium Tor Browser 7.x NoScript bypass vulnerability https://gist.github.com/x0rz/8198e8e22b1f70fddb9c815c1232b795 … #TorBrowser #vulnerability

4:10 PM - Sep 10, 2018
671
452 people are talking about this
Twitter Ads info and privacy
The latest version of the Tor Browser 8 is not affected, this means that users have to update their oldest versions as soon as possible.

The flaw resides in the NoScript Firefox extension and affects the Tor Browser that is based on Firefox.

The Italian hacker Giorgio Maone that developed the extension patched the bug in a couple of hours and addressed the problem with the release of the version 5.1.8.7.

Giorgio Maone
@ma1
· Sep 10, 2018
Replying to @ma1
Fixed in 5.1.8.7 "Classic": https://noscript.net/getit#classic

You may need to open about:config and set your xpinstall.signatures.required to false in order to install, since Mozilla doesn't support signing for "Classic" (legacy) add-ons anymore.

Giorgio Maone
@ma1
I said FIXED, guys :)
Get 5.1.8.7 here:http://noscript.net/getit#classic

4:27 PM - Sep 10, 2018
17
See Giorgio Maone's other Tweets
Twitter Ads info and privacy
Maone explained that only the “Classic” branch of NoScript 5 is impacted, according to the expert the flaw was introduced in May 2017 with the release of NoScript 5.0.4.

It exists due to a “work-around for NoScript blocking the in-browser JSON viewer.”

Tor Browser flaw

Tor Project team pointed out that this bug is a Tor Browser zero-day flaw, instead of a NoScript issue.

“This was a bug in NoScript and not a zero-day exploit of Tor Browser that could circumvent its privacy protections. For bypassing Tor, a real browser exploit would still be needed,” the Tor Project explained.

“If a user sets his Tor browser security level to ‘Safest’ to block JavaScript from all websites (e.g. to prevent browser exploits or data gathering), the exploit would allow a website or a hidden service to bypass all NoScript restrictions and execute any JavaScript code despite the maximum security level being used, making it totally ineffective,” Chaouki Bekrar, the CEO of Zerodium, told SecurityWeek.

Bekrar confirmed to have acquired the zero-day vulnerability “many months ago” and shared it with law enforcement and government customers.

The worrying news is that Bekrar confirmed to have acquired “high-end Tor exploits” as part of its bug bounty program. In September the ZERODIUM announced it will pay up to $1 million for fully working zero-day exploits for Tor Browser on Tails Linux and Windows OSs.

Bekrar highlighted that the exploits have been used by its customers to “fight crime and child abuse, and make the world a better and safer place for all.”

Don’t waste time, upgrade your browser to the newest release.