Tor Browser issues
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues
Updated: 2022-01-11T19:31:56Z

Issue #23661: Set content sandbox for Tor Browser on Windows to level 2
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/23661
Updated: 2022-01-11T19:31:56Z
Author: Georg Koppen

In legacy/trac#16010 we prepared a patch for enabling content sandboxing for Tor Browser on Windows. We started with level 1. We should try whether we can switch to level 2 without many issues.

Issue #23660: Handle exceptions in content sandboxing code for Tor Browser on Windows properly
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/23660
Updated: 2022-11-30T14:58:29Z
Author: Georg Koppen

At the moment we just rip out the SEH parts of the content sandboxing code as mingw-w64 has trouble handling it. We should provide a proper fix for it, though.

Issue #23659: Clean-up content sandboxing code for Tor Browser on Windows
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/23659
Updated: 2022-01-11T19:31:56Z
Author: Georg Koppen

Jacek wrote back then a PoC to get the Tor Browser content sandbox compiled for Windows. We should go thoroughly over that code and clean it up.
We already shipped two fix-up patches to the original patch:
https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.3.0esr-7.5-2&id=2354d122644d82df54d655ece5b42bdfa4cf38f8
https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.4.0esr-7.5-1&id=0a9793458e9ddd5c7742d3ceb250125c52e8bf86

Issue #23658: Improve content sandboxing Tor Browser users on Windows
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/23658
Updated: 2022-06-23T01:46:12Z
Author: Georg Koppen

In 7.5a5 a Windows content sandbox ships for the first time. This ticket is a parent ticket for documenting and fixing the remaining loose ends resulting in an improved Tor Browser content sandbox on Windows.

Issue #23591: Build Tor and Tor Browser with -mmitigate-rop
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/23591
Updated: 2022-01-11T19:31:56Z
Author: cypherpunks

GCC 6 has a new option, `-mmitigate-rop`, which modifies the generated code to make finding ROP gadgets a bit harder. This is _not_ CFI and does not provide strong protections, but it's better than nothing and is easier to use than alternatives, given that it doesn't require modifying source code for compatibility or loading a new runtime.
> -mmitigate-rop
> Try to avoid generating code sequences that contain unintended
> return opcodes, to mitigate against certain forms of attack. At the
> moment, this option is limited in what it can do and should not be
> relied on to provide serious protection.
I suppose someone should try compiling Tor with this and scan for ROP gadgets using popular ROP compilers on it.

Issue #23409: Review past year's Firefox sec bugs and update security slider settings if necessary (2016/7)
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/23409
Updated: 2022-01-11T19:31:56Z
Author: Georg Koppen

This is the yearly sec bug review and potential update of the security slider if needed. This time for 2016/7.

Issue #23396: Update the msvcr100.dll we ship in Tor Browser
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/23396
Updated: 2022-01-11T19:31:56Z
Author: Georg Koppen

It turns out we ship a not-up-to-date `msvcr100.dll` in Tor Browser (see comment:description:ticket:23390). We should fix that.
We might want to think about updating to `msvcp140.dll` as Mozilla ships that one with Firefox ESR 52. Not sure whether that's actually worthwhile or not.

Issue #23362: consider performing network operations in a dedicated process
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/23362
Updated: 2023-01-05T16:13:48Z
Author: cypherpunks

ESR59 will have approx. 8 processes, excluding content processes. And it makes sense to run them all in strong sandboxes without network access. To achieve this it could be helpful to discuss and coordinate this work with Mozilla in https://bugzilla.mozilla.org/show_bug.cgi?id=1322426.
Milestone: Sponsor 131 - Phase 5 - Ongoing Maintenance

Issue #23214: Defend against stack overflow due to overly deep nested (unclosed) XML tags and similar vectors
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/23214
Updated: 2023-01-05T17:20:54Z
Author: Georg Koppen

There are several ways to get Tor Browser crashed due to missing mitigations while dealing with overly deep nested XML tags (see: https://bugzilla.mozilla.org/show_bug.cgi?id=485941 for an example). For Mozilla this is just annoying but depending on the circumstances we might come to a different conclusion due to our different threat model.
We should try to come up with something that handles those cases more gracefully and in a less dangerous way.

Issue #22985: Can we simplify and clarify click-to-play of audio/video?
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/22985
Updated: 2023-01-05T17:37:48Z
Author: Arthur Edelstein

Right now click-to-play of videos is quite cumbersome and has poor usability. For example on youtube, this is what I observe on Medium Security.
* On first page load, no video or audio is visible -- the video box is gray. A "musical notes" icon appears in the middle of the video box, and an "orbiting dots" indicator seems to indicate some problem loading. After a few seconds the video box goes black and it says "an error occurred." Then after another few seconds the "musical notes" icon reappears.
* If I click on the "musical notes" icon, then a confirmation box appears, that says "Temporarily allow ... [URLs and codec gibberish]". If I click OK, then the whole page reloads. Again I get a gray video box with orbiting dots. This time there is a film canister icon in the middle of the dots.
* If I click on the film canister it says, "Temporarily allow [URL and more codec gibberish]". again I click OK, the page reloads and the video finally plays.
So here, click-to-play required two clicks and two reloads (plus confirmation clicks). Ideally it should require only one reload. The option to click to play the video should be much more clear (it should probably have the text "Click to Play"). The click-to-play button shouldn't disappear when the youtube page tries to re-load the video. If a confirmation prompt is to be shown, then it should clearly explain to the user that video/audio is about to be loaded, and what the security concerns are.
Milestone: Sponsor 131 - Phase 5 - Ongoing Maintenance

Issue #22974: NoScript (and Tor Browser) vulnerable to Mozilla Add-On Code Execution
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/22974
Updated: 2023-01-05T17:19:55Z
Author: Tom Ritter (tom@ritter.vg)

Per legacy/trac#22966 it sounds like NoScript is not signed with a developer key (the 'updateKey' feature described here: https://developer.mozilla.org/en-US/Add-ons/Install_Manifests#updateKey )
updateKey allows the extension developer to require updates be signed with a key only they control. Without it, Mozilla can rewrite extensions and effectively get arbitrary code execution via an add-on.
updateKey allows the extension developer to require updates be signed with a key only they control. Without it, Mozilla can rewrite extensions and effectively get arbitrary code execution via an add-on.
There are a few things at play here.
1) We could disable add-on updating all together to mitigate this in 52.
2) In 59, when the only 'full' add-ons are 'system' add-ons we'll need to figure this out ourselves anywhere. This will probably involve Tor signing Tor Launcher and TorButton with its own system add-on keys. Dev Tools is an open question.
3) In 59, when Web Extensions are around this won't be as big of a concern. Mozilla can't get code execution but could neuter the effect of an add-on or turn it into spyware (assuming we keep extension updating in place). Whether web extensions will support an updateKey mechanism is an open question (they don't now, EFF wants it. Tor might wish to lend support to the argument. If Tor could get another partner repack to join in that would help even more I bet.)

Issue #22971: The XPI signing mechanism needs to use different hash functions.
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/22971
Updated: 2022-06-23T01:18:52Z
Author: Yawning Angel

https://wiki.mozilla.org/Add-ons/Extension_Signing
Signing 2 hashes of a manifest file containing 2 hashes each of every file in an archive, especially when "2 hashes" is MD5 and SHA1, is cryptographically unsound.
See Joux, A., "Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions".

Issue #22794: Don't open AF_INET/AF_INET6 sockets when AF_LOCAL is configured.
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/22794
Updated: 2022-01-11T19:31:56Z
Author: Yawning Angel

Discovered when trying to resolve legacy/trac#20775.
Unsandboxed Tor Browser 7.0.1:
```
socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 67
fcntl(67, F_GETFL) = 0x2 (flags O_RDWR)
fcntl(67, F_SETFL, O_RDWR|O_NONBLOCK) = 0
socket(AF_INET6, SOCK_STREAM, IPPROTO_IP) = 68
close(68) = 0
socket(AF_INET6, SOCK_STREAM, IPPROTO_IP) = 68
fcntl(68, F_GETFL) = 0x2 (flags O_RDWR)
fcntl(68, F_SETFL, O_RDWR|O_NONBLOCK) = 0
close(68) = 0
setsockopt(67, SOL_TCP, TCP_NODELAY, [1], 4) = 0
socket(AF_UNIX, SOCK_STREAM, 0) = 68
fcntl(68, F_GETFL) = 0x2 (flags O_RDWR)
fcntl(68, F_SETFL, O_RDWR|O_NONBLOCK) = 0
close(67) = 0
connect(68, {sa_family=AF_UNIX, sun_path="/var/run/tor/socks"}, 106) = 0
```
If the first `socket` (`AF_INET`) call fails (as it will due to seccomp-bpf) the AF_LOCAL socket never gets created, and pages don't load. The failure mode doesn't appear to depend on `errno` (at least, it didn't make a difference if it was `ENOSYS` or `EAFNOSUPPORT`).
Using IPC should mean, "Tor Browser uses IPC, and only IPC", and not "Tor Browser refuses to work if non-IPC socket creation fails", because the whole point of using IPC in the first place is so that Tor Browser can be run in a way that disallows non-IPC connections.
Assignee: richard

Issue #22699: Use browser pref for javascript at High Security Level
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/22699
Updated: 2022-01-11T19:31:56Z
Author: Mike Perry

It would be wise to set javascript.enabled to false in about:config at the high security level, in addition to having NoScript disable scripting for us. This should be an easy change, and there is no reason to exclusively depend on NoScript. NoScript could miss something, especially if the e10s transition caused a lot of upheaval.
(Similarly, Firefox could miss something, since javascript.enabled is no longer a UI-exposed pref, so we should do both, for defense in depth.)

Issue #22584: More RWX memory pages for TBB on some Windows versions
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/22584
Updated: 2022-11-30T16:58:09Z
Author: Arthur Edelstein

A cypherpunk has reported some RWX memory pages were observed for Tor Browser on Windows 7 and Windows 10. See:
* ticket:21617#comment:4
* ticket:21617#comment:7
* ticket:21617#comment:14
Milestone: Sponsor 131 - Phase 5 - Ongoing Maintenance

Issue #22563: Many memory pages in tor.exe for Windows violate W^X
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/22563
Updated: 2022-01-11T19:31:56Z
Author: Arthur Edelstein

A cypherpunk (ticket:21617#comment:5) has reported that the tor.exe process in the Tor Expert Bundle on Windows has many `Execute/Read/Write` memory pages. I also observe the same thing for Tor Browser's tor.exe process. Also, there are many `Execute/Copy on Write` pages, which I suspect, after reading [Microsoft documentation](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366786(v=vs.85).aspx#PAGE_EXECUTE_WRITECOPY), are also effectively `W^X` violations.
To reproduce on Windows:
1. Download VMMap: [https://technet.microsoft.com/en-us/sysinternals/vmmap.aspx]
2. Run Tor Browser
3. Run VMMap and select the tor.exe process
4. Select View > Expand All
5. In the bottom table of the VMMap window, examine the Protection column. Note many `Execute/Read/Write` and `Execute/Copy on Write` pages, all belonging to either tor.exe or DLLs bundled with tor.exe.
Assignee: Arthur Edelstein

Issue #22315: Make use of interceptor to protect memory on Windows (spin-off from #12426)
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/22315
Updated: 2022-07-12T22:13:25Z
Author: cypherpunks

> add EnableLowFragmentationHeap() modified from https://dxr.mozilla.org/mozilla-esr24/source/ipc/chromium/src/base/process_util_win.cc#867
It was an old approach from Google that couldn't be applied, because it was single-threaded and led to: https://blogs.msdn.microsoft.com/oldnewthing/20110701-00/?p=10273/
So that they added just https://chromium.googlesource.com/chromium/src/+/e4adea20236d1cee76f0c61798b1613e07a7f4c1/chrome/app/chrome_exe_main_win.cc#113 from a well-known approach http://microsoft.public.vsnet.general.narkive.com/vkWRTQaL/low-fragmentation-heap, but with that test https://chromium.googlesource.com/chromium/src/+/95b42e2745a2380a16112a059bd0e842d81f0c0a/base/process_util_unittest.cc#377
So you can add Chromium's solution as fast and easy fix (as in legacy/trac#12426), but for the default heap only.
A more general approach is to use an interceptor for LFH, bottom-up ASLR and other mitigations on every relevant memory allocation:
https://github.com/promised-lu/MemoryProtection/blob/master/MemoryProtection/MemoryProtection.cxx

Issue #22267: Windows build of esr52 Tor Browser has no relocs, SSP and DEP/ASLR flags
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/22267
Updated: 2022-01-11T19:31:56Z
Author: boklm

The `firefox.exe` binary doesn't have DEP and ASLR enabled.
It seems to affect only the binaries from the firefox part, as the `tor.exe` binary has DEP/ASLR enabled.
Assignee: boklm

Issue #22238: The firefox binary in Tor Browser 7.0a3 for Linux is not PIE
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/22238
Updated: 2022-01-11T19:31:56Z
Author: boklm

The `firefox`, `plugin-container` and `updater` binaries are not PIE.
We can fix that by adding `ac_add_options --enable-pie` to the mozconfig file.

Issue #22067: NoScript Click-to-Play bypass with embedded videos and audios
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/22067
Updated: 2022-01-11T19:31:56Z
Author: Trac

Noscript does not block .webm playback on tor hidden services but plays them first and then blocks them after.
Example:
If you go to http://alokalaou53jmgum.onion/b/50927 and click on the 'homer-simpson webm' it will start playing directly after being clicked on even though Tor Browser is set to high security slider and this in 9/10 times.
Whereas if you open it directly it will block it 9/10 times.
http://alokalaou53jmgum.onion/src/M9Xjl/1486923637894.webm
This is present in at least Tor Browser 6.5.1 and 6.5.2 and probably on even older versions, leaving users potentially in danger if it were to be a malicious .webm, by not blocking it.
**Trac**:
**Username**: samantharis