Tor Browser issues
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues
Updated: 2022-01-11T19:33:24Z

Issue 13065: counter downgrade / stale mirror attacks on RecommendedTBBVersions - sign / verify tbb versions file
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/13065
Author: proper
Updated: 2022-01-11T19:33:24Z

Securely downloading https://www.torproject.org/projects/torbrowser/RecommendedTBBVersions solely relies on SSL, is currently neither signed, nor gets verified by Tor Button.
This is problematic, because should torproject.org's web server or CA be compromised one day, applications such as Tor Button and [torbrowser-launcher](https://github.com/micahflee/torbrowser-launcher) could be fooled into using an outdated and/or malicious RecommendedTBBVersions file.
Suggestion: could you please,
1) provide a signed version of RecommendedTBBVersions,
2) verify RecommendedTBBVersions in Tor Button.
To prevent downgrade and stale mirror attacks, the signature would have to be renewed after every X weeks, and rejected by the verification mechanism [+ user notification] if it is too old. (Similar to [Valid-Until](http://blog.ganneff.de/blog/2008/09/23/valid-until-field-in-release-f.html) / legacy/trac#9810.)

Issue 13055: RPATH is still available for libgmpxx.so* on Linux
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/13055
Author: Georg Koppen
Updated: 2022-01-11T19:33:18Z

Testing with the checksec script shows that RPATH is still available for the libgmpxx shared library on Linux.

Issue 13033: Apply mixed content blocking patch?
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/13033
Author: Mike Perry
Updated: 2022-03-21T20:33:11Z

There is a mostly-finished patch to improve the mixed content blocker to properly handle redirects. This patch would allow many more HTTPS-Everywhere rules to work properly with the Mixed Content Blocker enabled. We should see if we can help clean this patch up, if nothing else to make it work for us.
https://bugzilla.mozilla.org/show_bug.cgi?id=878890

Issue 13031: Provide full RELRO protection on Linux
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/13031
Author: Mike Perry
Updated: 2022-01-11T19:33:18Z

Our fix in legacy/trac#12103 to provide RELRO protection causes checksec to report "partial" hardening. We need to figure out what that means and why it claims it's only partial.

Issue 12950: Backport Windows ASLR forcing patch
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/12950
Author: Mike Perry
Updated: 2022-03-21T20:29:03Z

Mozilla implemented a hack for forcing ASLR on DLLs that do not support it. They opted to land it in FF32 instead of FF31ESR. We should backport this patch:
https://bugzilla.mozilla.org/show_bug.cgi?id=677797

Issue 12941: Firefox is already running.
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/12941
Author: Matt Pagan
Updated: 2022-01-11T19:33:18Z

The full error message is reported as "Firefox is already running, but is not responding. To open a new window, you must first close the existing Firefox process, or restart your system." This happens when the user tries to Start Tor Browser after previously closing it normally. The error blocks Tor Browser from launching.
This error has been reported on both Windows and Mac.
Tor Browser is on the Desktop.
User reports that they can indeed find a lingering Firefox.exe process in task manager after Tor Browser has already been closed, and that killing the process allows them to start Tor Browser successfully.
The contents of the Data/Browser/profile.default folder are listed below:
bookmarkbackups File folder 8/22/2014 9:52:45 PM 5/22/2014 6:40:12 AM
extensions File folder 8/23/2014 9:40:31 AM 5/22/2014 6:36:45 AM
HTTPSEverywhereUserRules File folder 5/22/2014 6:39:55 AM 5/22/2014 6:39:55 AM
preferences File folder 5/22/2014 6:36:46 AM 5/22/2014 6:36:46 AM
safebrowsing File folder 8/23/2014 9:34:28 AM 8/23/2014 9:34:28 AM
startupCache File folder 8/23/2014 9:38:53 AM 8/1/2014 5:02:52 AM
thumbnails File folder 5/22/2014 6:40:13 AM 5/22/2014 6:40:13 AM
webapps File folder 8/23/2014 9:34:24 AM 5/22/2014 6:40:12 AM
blocklist.xml xml 131 KB XML Document 8/23/2014 9:42:27 AM 5/22/2014 6:46:15 AM
bookmarks.html html 4 KB Opera Web Document 12/31/1999 8:00:00 PM 12/31/1999 8:00:00 PM
cert8.db db 64 KB Data Base File 8/22/2014 9:52:45 PM 5/22/2014 6:39:55 AM
compatibility.ini ini 1 KB Configuration settings 8/1/2014 5:02:51 AM 5/22/2014 6:39:55 AM
cookies.sqlite sqlite 512 KB SQLITE File 5/22/2014 6:49:22 AM 5/22/2014 6:39:56 AM
cookies.sqlite-shm sqlite-shm 32 KB SQLITE-SHM File 8/23/2014 9:34:20 AM 8/23/2014 8:35:09 AM
cookies.sqlite-wal sqlite-wal 0 SQLITE-WAL File 8/23/2014 8:35:09 AM 8/23/2014 8:35:09 AM
downloads.sqlite sqlite 96 KB SQLITE File 5/22/2014 6:40:24 AM 5/22/2014 6:40:24 AM
extensions.ini ini 1 KB Configuration settings 7/31/2014 7:23:44 AM 7/31/2014 7:23:40 AM
extensions.sqlite sqlite 448 KB SQLITE File 7/31/2014 7:23:40 AM 5/22/2014 6:39:55 AM
formhistory.sqlite sqlite 192 KB SQLITE File 6/29/2014 9:30:11 AM 6/29/2014 9:30:11 AM
key3.db db 16 KB Data Base File 8/22/2014 9:52:45 PM 5/22/2014 6:39:55 AM
localstore.rdf rdf 3 KB RDF File 8/23/2014 6:50:53 PM 8/23/2014 6:50:53 PM
marionette.log log 1 KB Text Document 8/23/2014 9:34:23 AM 5/22/2014 6:39:59 AM
mimeTypes.rdf rdf 4 KB RDF File 5/22/2014 6:40:12 AM 5/22/2014 6:40:12 AM
parent.lock lock 0 LOCK File 8/23/2014 9:34:19 AM 5/22/2014 6:39:55 AM
places.sqlite sqlite 10,240 KB SQLITE File 8/22/2014 10:54:40 AM 5/22/2014 6:40:12 AM
places.sqlite-shm sqlite-shm 32 KB SQLITE-SHM File 8/23/2014 9:34:24 AM 8/23/2014 8:35:15 AM
places.sqlite-wal sqlite-wal 65 KB SQLITE-WAL File 8/23/2014 10:00:13 AM 8/23/2014 8:35:15 AM
pluginreg.dat dat 1 KB DAT File 7/10/2014 8:13:56 AM 7/10/2014 8:13:56 AM
prefs.js js 6 KB JScript Script File 8/23/2014 7:10:30 PM 8/23/2014 7:10:30 PM
search.json json 21 KB JSON File 5/22/2014 6:40:13 AM 5/22/2014 6:40:13 AM
secmod.db db 16 KB Data Base File 5/22/2014 6:39:55 AM 5/22/2014 6:39:55 AM
Telemetry.FailedProfileLocks.txt txt 1 KB Text Document 8/23/2014 9:33:58 AM 7/27/2014 4:10:19 PM
webappsstore.sqlite sqlite 96 KB SQLITE File 5/22/2014 6:49:22 AM 5/22/2014 6:40:14 AM
webappsstore.sqlite-shm sqlite-shm 32 KB SQLITE-SHM File 8/23/2014 9:34:25 AM 8/23/2014 9:34:25 AM
webappsstore.sqlite-wal sqlite-wal 0 SQLITE-WAL File 8/23/2014 9:34:25 AM 8/23/2014 9:34:25 AM

Issue 12827: Create preference to disable SVG
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/12827
Author: Mike Perry
Updated: 2022-01-11T19:33:18Z

We should have a way to disable SVG support in Firefox for the security slider. There currently is no pref in Firefox for this, so we will need to create one.

Issue 12820: Test+Recommend Tor Browser with MS EMET (Enhanced Mitigation Experience Toolkit)
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/12820
Author: Mike Perry
Updated: 2022-03-21T20:28:46Z

The Enhanced Mitigation Experience Toolkit is a Microsoft tool for further hardening selected applications against exploitation. We should test it with Tor Browser to see if it impacts functionality in any way, and if not, we should consider recommending it somewhere prominently for our Windows users.
https://support.microsoft.com/kb/2458544

Issue 12736: DLL hijacking vulnerability in TBB
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/12736
Author: Trac
Updated: 2022-03-21T20:28:30Z

The current version of TBB is vulnerable to DLL hijacking. Vanilla Firefox is NOT vulnerable.
Steps to reproduce:
1) Create a malicious dll (source code for example is added)
2) Rename the malicious dll to ".DLL" using the commandline tool ren.exe, because windows explorer prohibits such names
3) Place ".DLL" into a folder listed in the %PATH% environment variable
4) Start DbgView.exe (a tool from microsoft) to get text outputs from the dll
5) Start Tor Browser Bundle
You will now see something similar to:
HIJACKDLL (C:\...\.DLL) Started from: C:\...\TorBrowser\Browser\firefox.exe as user Admin
This bug will probably be also triggered when TBB is registered as a default file handler and the malicious dll is in the same folder as the file opened by TBB. See http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx for more information about DLL load order. But I haven't confirmed it yet, because I don't know in which cases the TBB could be opened as a default file handler.
Carpet Bombing might also be possible. http://www.dhanjani.com/blog/2008/05/safari-carpet-b.html
Possible attack scenario would be an attacker who shares an url link file in a folder along with a hidden ".DLL" and the victims opens the url link file with TBB. Native code execution can then be used to unmask the user.
".DLL" smells like sprintf(DLLToLoad, "%s.DLL", EmptyDLLString)
Tested on:
Win7x64
Tor Browser 3.6.3-Windows
**Trac**:
**Username**: underdoge

Issue 12523: Backport Firefox patch to mark JIT pages as non-writable
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/12523
Author: Georg Koppen
Updated: 2022-01-11T19:33:18Z

We might get away with keeping JIT enabled as long as we mark JIT pages as non-writable. For a patch and the underlying discussion see: https://bugzilla.mozilla.org/show_bug.cgi?id=977805.

Issue 12516: Compile Tor Browser with -fwrapv/-fno-strict-overflow
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/12516
Author: Georg Koppen
Updated: 2022-01-11T19:33:18Z

We should compile Tor Browser with -fwrapv/-fno-strict-overflow to tell the compiler that signed integer overflow is defined behavior.
See:
https://bugzilla.mozilla.org/show_bug.cgi?id=1031653
http://www.airs.com/blog/archives/120

Issue 12430: Disable the jar: protocol for external resources via preference
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/12430
Author: Georg Koppen
Updated: 2022-01-11T19:33:18Z

We should add a preference that controls whether remote .jar files are opened by Tor Browser's jar: protocol handler and set the default value to not allow such actions.

Issue 12429: Enable Assertions in Tor Browser release builds
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/12429
Author: Georg Koppen
Updated: 2022-03-21T20:25:34Z

We should enable assertions in Tor Browser release builds. At least in historically-vulnerable components.

Issue 12427: Investigate Virtual Table Verification (VTV) hardening for Tor Browser on Linux and Windows
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/12427
Author: Georg Koppen
Updated: 2022-03-21T20:25:23Z

VTV (see: https://gcc.gnu.org/wiki/vtv) is a hardening feature introduced in GCC 4.9.0 which might be usable for our Tor Browser builds for Linux and Windows as we are using GCC for (cross-)compiling.
We should investigate that and fix possible roadblocks.

Issue 12426: Make use of HeapEnableTerminationOnCorruption in Tor Browser on Windows
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/12426
Author: Georg Koppen
Updated: 2022-01-11T19:33:18Z

This function gets defined in ipc/chromium/src/base/process_util* but is only used in the test suite: https://mxr.mozilla.org/mozilla-esr24/source/ipc/chromium/src/base/test_suite.h. We should make more use of it in the code itself. See: https://blogs.msdn.com/b/oldnewthing/archive/2013/12/27/10484882.aspx for more information.

Issue 12425: Investigate setjmp/longjmp-based exception handling for Tor Browser on Windows
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/12425
Author: Georg Koppen
Updated: 2022-03-21T20:24:55Z

As GCC does not implement Structured Exception Handling (SEH) we might want to enable setjmp/longjmp-based exception handling for Tor Browser on Windows.
We should do this at least if there are no other exception handling mechanisms enabled by Windows.

Issue 12420: Investigate deploying STACK to check for optimization-unstable code
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/12420
Author: Georg Koppen
Updated: 2022-03-21T20:24:15Z

Optimization-unstable code (code that is unexpectedly eliminated by compiler optimizations due to undefined behavior in the program) can lead to serious bugs in programs. We should think about deploying STACK, which helps to detect this class of bugs, when building our hardened bundles at least. Relevant reading material:
http://kqueue.org/blog/2013/09/17/cltq/
http://css.csail.mit.edu/stack/
http://pdos.csail.mit.edu/papers/stack:sosp13.pdf
http://pdos.csail.mit.edu/papers/ub:apsys12.pdf

Issue 12418: TBBs with UBSan create lots of errors when running
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/12418
Author: Georg Koppen
Updated: 2022-03-21T20:23:46Z

When running TBBs (based on ESR 24) built with UBSan we get loads of errors which look like:
```
/home/ubuntu/build/tor-browser/js/src/jsobj.cpp:1008:17: runtime error: load of value 120, which is not a valid value for type 'bool'
pkix_pl_object.c:580:31: runtime error: left shift of 4276994303 by 32 places cannot be represented in type 'long int'
/home/ubuntu/build/tor-browser/db/sqlite3/src/sqlite3.c:62742:22: runtime error: left shift of 173 by 24 places cannot be represented in type 'int'
/home/ubuntu/build/tor-browser/layout/style/nsCSSParser.cpp:4861:53: runtime error: load of value 128, which is not a valid value for type 'bool'
/home/ubuntu/build/tor-browser/layout/style/../base/nsStyleConsts.h:27:12: runtime error: load of value 4, which is not a valid value for type 'Side'
/home/ubuntu/build/tor-browser/layout/style/nsCSSParser.cpp:6181:3: runtime error: load of value 4, which is not a valid value for type 'Side'
/home/ubuntu/build/tor-browser/layout/style/nsCSSParser.cpp:7962:5: runtime error: load of value 4, which is not a valid value for type 'Side'
/home/ubuntu/build/tor-browser/dom/workers/Workers.h:81:18: runtime error: load of value 4294967295, which is not a valid value for type 'JSGCParamKey'
/home/ubuntu/build/tor-browser/dom/workers/Workers.h:135:23: runtime error: load of value 4294967295, which is not a valid value for type 'JSGCParamKey'
```

Issue 11511: Investigate why TorLauncher is sometimes not loaded when starting TBB
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/11511
Author: Georg Koppen
Updated: 2022-01-11T19:33:18Z

Not sure how to frame this but it seems there is the possibility that the Tor Browser Bundle is not properly working at least on some Linux machines: on #tor on Saturday there was a user, aurel, who extracted a fresh 64bit TBB 3.5.4 but could not start browsing. The reason was that about:addons showed a missing TorLauncher. We should investigate how this can happen.

Issue 11096: Randomize MAC address before start of Tor
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/11096
Author: Trac
Updated: 2022-01-11T19:33:18Z

I realize this is a tricky ask, as changing the MAC address of a computer requires root privileges. However, I think it is worth finding a suitable way of doing this.
Based on analysis of court documents and conversations with people in the government malware industry, it is my understanding that US government malware that has targeted Tor users (via TBB exploits) has specifically sought out the MAC address of the infected target's machine. Knowing the MAC address allows the government, at a later date, to verify that the machine they probed with their malware is the same device as the one they have seized through a raid of the person's home or office.
As long as the government is going to use the MAC address as a unique identifier, we might as well try to make it difficult for them.
**Trac**:
**Username**: csoghoian