[tor-bugs] #22966 [Applications/Tor Browser]: Nasty MitM possibility with the Firefox blocklist service

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jul 18 18:29:07 UTC 2017


#22966: Nasty MitM possibility with the Firefox blocklist service
------------------------------------------+----------------------
     Reporter:  basvd                     |      Owner:  tbb-team
         Type:  defect                    |     Status:  new
     Priority:  High                      |  Milestone:
    Component:  Applications/Tor Browser  |    Version:
     Severity:  Major                     |   Keywords:
Actual Points:                            |  Parent ID:
       Points:                            |   Reviewer:
      Sponsor:                            |
------------------------------------------+----------------------
 Once a day the Firefox/Tor browser will do a call to the Firefox blocklist
 service. The URL of this endpoint is (extensions.blocklist.url):

 {{{
 https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%PING_COUNT%/%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/
 }}}
 Example:

 {{{
 https://blocklist.addons.mozilla.org/blocklist/3/%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D/52.2.0/Firefox/20170202030101/WINNT_x86-gcc3/en-US/release/Windows_NT%2010.0/default/default/34/34/1/
 }}}
 '''1) The browser suppresses bad certificate errors on this URL'''
 The Firefox blocklist service suppresses bad certificate errors while
 downloading the blocklist.xml. In this way it is quite easy to set up a
 MitM attack and remove revoked certificates from the blocklist.xml.

 Proof of concept:

  * Run a webserver listening to
 https://blocklists.settings.services.mozilla.com
  * Create a fake blocklist XML (/v1/blocklist/etc...)
  * Add 12.34.56.78 blocklists.settings.services.mozilla.com to your hosts
 file
  * Reset app.update.lastUpdateTime.blocklist-background-update-timer and
 change extensions.blocklist.interval
  * Wait until Tor calls this blocklist service.
  * Check the blocklist.xml inside the Tor installation folder

 '''2) Mozilla is able to see Tor user specific information:'''
 There is a lot of OS/platform/browser specific information in the URL.
 So Mozilla has a lot of statistics about the Tor browser usage. Not
 necessary IMHO.

 APP_ID
 APP_VERSION
 PRODUCT
 VERSION
 BUILD_ID
 BUILD_TARGET
 OS_VERSION
 LOCALE
 CHANNEL
 PLATFORM_VERSION
 DISTRIBUTION
 DISTRIBUTION_VERSION
 PING_COUNT
 TOTAL_PING_COUNT
 DAYS_SINCE_LAST_PING

 The TOTAL_PING_COUNT (stored in extensions.blocklist.pingCountTotal) is
 also interesting, because this number increments every time you start the
 Tor browser (note: once a day). As you can see, the number in the URL
 above is 34, which means that the Tor browser was started at least 34
 times/days.

 '''Technical info:'''

 source code: [https://dxr.mozilla.org/mozilla-central/source/toolkit/mozapps/extensions/nsBlocklistService.js#627
 XMLHttpRequest with BadCertHandler]

 source code: [https://dxr.mozilla.org/mozilla-central/source/toolkit/modules/CertUtils.jsm#173 BadCertHandler]:

 {{{
 /**
  * This class implements nsIBadCertListener.  Its job is to prevent "bad cert"
  * security dialogs from being shown to the user.  It is better to simply fail
  * if the certificate is bad. See bug 304286.          <--   :-|
  */
 }}}
 Another URL with sensitive data is extensions.update.background.url:

 {{{
 https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID%&version=%ITEM_VERSION%&maxAppVersion=%ITEM_MAXAPPVERSION%&status=%ITEM_STATUS%&appID=%APP_ID%&appVersion=%APP_VERSION%&appOS=%APP_OS%&appABI=%APP_ABI%&locale=%APP_LOCALE%&currentAppVersion=%CURRENT_APP_VERSION%&updateType=%UPDATE_TYPE%&compatMode=%COMPATIBILITY_MODE%
 }}}
 '''Related Bugzilla tickets:'''

  * [https://bugzilla.mozilla.org/show_bug.cgi?id=366191 Something tries to
 MITM Firefox's automatic connection to addons.mozilla.org, resulting in an
 annoying expired-certificate dialog]
  * [https://bugzilla.mozilla.org/show_bug.cgi?id=304286 Certificate
 failures during automatic check for updates should not give user choice to
 connect anyway]

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22966>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
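
Added example (not part of the original ticket, and not Mozilla or Tor Browser code): the sketch below maps a blocklist request URL onto the extensions.blocklist.url template quoted in the ticket, so the values disclosed by each daily request can be listed when auditing the pref. The function names are this example's own; the template and the sample URL are the ones from the ticket.

```javascript
// Added example; not Mozilla or Tor Browser code.
// Template and request URL are copied from the ticket text.
const TEMPLATE =
  "https://blocklists.settings.services.mozilla.com/v1/blocklist/3/" +
  "%APP_ID%/%APP_VERSION%/%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/" +
  "%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/" +
  "%PING_COUNT%/%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/";
const EXAMPLE_URL =
  "https://blocklist.addons.mozilla.org/blocklist/3/" +
  "%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D/52.2.0/Firefox/" +
  "20170202030101/WINNT_x86-gcc3/en-US/release/Windows_NT%2010.0/" +
  "default/default/34/34/1/";

// Both hosts in the ticket share this path marker; the fields follow it.
const MARKER = "/blocklist/3/";

function segmentsAfterMarker(url) {
  const at = url.indexOf(MARKER);
  if (at === -1) throw new Error("no " + MARKER + " in URL");
  // Drop any query string and the trailing slash before splitting.
  const path = url.slice(at + MARKER.length).split("?")[0];
  return path.replace(/\/+$/, "").split("/");
}

// Returns { PLACEHOLDER_NAME: decoded value } for one request URL.
function disclosedFields(url, template = TEMPLATE) {
  const names = segmentsAfterMarker(template).map((seg) => {
    const m = /^%([A-Z_]+)%$/.exec(seg);
    if (!m) throw new Error("unexpected template segment: " + seg);
    return m[1];
  });
  const values = segmentsAfterMarker(url);
  if (values.length !== names.length) {
    throw new Error(`expected ${names.length} fields, got ${values.length}`);
  }
  const fields = {};
  names.forEach((name, i) => { fields[name] = decodeURIComponent(values[i]); });
  return fields;
}

// The ping counters the ticket singles out, as integers where numeric.
function usageCounters(fields) {
  const out = {};
  for (const name of ["PING_COUNT", "TOTAL_PING_COUNT", "DAYS_SINCE_LAST_PING"]) {
    const raw = fields[name];
    out[name] = /^\d+$/.test(raw) ? Number(raw) : raw; // keep non-numeric as-is
  }
  return out;
}

console.log(disclosedFields(EXAMPLE_URL), usageCounters(disclosedFields(EXAMPLE_URL)));
```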

