Peeling back the layers of Tor with EgotisticalGiraffe
Overall Classification
(U) Overview
(U) What is TOR?
• (U) "The Onion Router"
• (U) Enables anonymous internet activity
  – General privacy
  – Non-attribution
  – Circumvention of nation state internet policies
• (U) Hundreds of thousands of users
  – Dissidents (Iran, China, etc)
  – (S//SI//REL)
  – (S//SI//REL) Other targets too!
(U) What is TOR?
[Diagram: the Web and a client with the TOR client installed]
(U) What is TOR?
[Diagram: client browsing the Web with the TOR client installed]
(U) What is TOR?
• (U) TOR Browser Bundle
  – Portable Firefox 10 ESR (tbb-firefox.exe)
  – Vidalia
  – Polipo
  – TorButton
  – TOR
  – "Idiot-proof"
(S//SI//REL) The TOR Problem
(TS//SI//REL) Fingerprinting TOR
• (TS//SI//REL) TorButton cares about TOR users being indistinguishable from other TOR users
• (TS//SI//REL) We only care about TOR users versus non-TOR users
• (TS//SI//REL) Thanks to TorButton, it's easy!
(S//SI//REL) The TOR Problem
(TS//SI//REL) Exploiting TOR
• (TS//SI//REL) tbb-firefox is barebones
  – Flash is a no-no
  – NoScript addon pre-installed ... but not enabled by default!
  – TOR explicitly advises against using any addons or extensions other than TorButton and NoScript
• (TS//SI//REL) Need a native Firefox exploit
(TS//SI//REL) Exploiting TOR
• (TS//SI//REL) ERRONEOUSINGENUITY
  – Commonly known as ERIN
  – First native Firefox exploit in a long time
  – Only works against 13.0-16.0.2
• (TS//SI//REL) EGOTISTICALGOAT
  – Commonly known as EGGO
  – Configured for 11.0-16.0.2...
  – ...but the vulnerability also exists in 10.0
(U) EGOTISTICALGOAT
• (TS//SI//REL) Type confusion vulnerability in E4X
• (TS//SI//REL) Enables arbitrary read/write access to the process memory
• (TS//SI//REL) Remote code execution via the CTypes module
(TS//SI//REL) Exploiting TOR
• (TS//SI//REL) Can't distinguish OS until on box
  – That's okay
• (TS//SI//REL) Can't distinguish Firefox version until on box
  – That's also okay
• (TS//SI//REL) Can't distinguish 64-bit from 32-bit until on box
  – I think you see where this is going
(S//SI//REL) The TOR Problem
(TS//SI//REL) Callbacks from TOR
• (TS//SI//REL) Tests on Firefox 10 ESR worked
• (TS//SI//REL) Tests on tbb-firefox did not
  – Gained execution
  – Didn't receive FINKDIFFERENT
• (TS//SI//REL) Defeated by Prefilter Hash!
  – Requests EGGI: Hash(tor_exit_ip || session_id)
  – Requests FIDI: Hash(target_ip || session_id)
(TS//SI//REL) Callbacks from TOR
• (TS//SI//REL) Easy fix
  – Turn off prefilter hashing
  – FUNNELOUT
• (TS//SI//REL) OPSEC Concerns
  – Pre-play attacks
  – PSPs
  – Adversarial Actors
  – Targets worth it?
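The two "Callbacks from TOR" slides describe one mechanism: the callback server binds a session to Hash(ip || session_id), where ip is the address the exploit request appeared to come from. For a Tor Browser target that address is the exit node, while the later callback comes straight from the target's real address, so the two hashes never match. The model below is an added example, not code from the slides or from any of the systems they name; SHA-256, the separator, the function names and the RFC 5737 documentation addresses are all assumptions made for illustration.

```python
import hashlib
import hmac

# Added example (not from the slides). Models a callback "prefilter" that binds a
# session to the source address seen at exploit-delivery time. SHA-256 and the
# '|' separator are assumptions; the slides name no hash algorithm.


def prefilter_hash(ip: str, session_id: str) -> str:
    """Binding value Hash(ip || session_id), returned as a hex digest."""
    return hashlib.sha256(f"{ip}|{session_id}".encode("ascii")).hexdigest()


def register_session(request_src_ip: str, session_id: str) -> str:
    """Computed when the exploit is served. The server only knows the request's
    source address: the target itself for a direct client, the exit node for a
    client coming through Tor."""
    return prefilter_hash(request_src_ip, session_id)


def callback_accepted(expected: str, callback_src_ip: str, session_id: str,
                      prefilter_enabled: bool = True) -> bool:
    """Prefilter decision for a second-stage callback arriving from callback_src_ip.
    With the check disabled ("turn off prefilter hashing") every source is accepted."""
    if not prefilter_enabled:
        return True
    observed = prefilter_hash(callback_src_ip, session_id)
    return hmac.compare_digest(expected, observed)


def simulate(target_ip: str, egress_ip: str, session_id: str,
             prefilter_enabled: bool = True) -> bool:
    """egress_ip is what the web server sees when serving the exploit; the
    callback itself leaves the box directly, so it arrives from target_ip."""
    expected = register_session(egress_ip, session_id)
    return callback_accepted(expected, target_ip, session_id, prefilter_enabled)


# Constructed addresses (RFC 5737 documentation ranges) and session id.
TARGET_IP = "192.0.2.10"
TOR_EXIT_IP = "198.51.100.7"
SESSION_ID = "sess-0001"


def firefox_direct_case() -> bool:
    """Plain Firefox 10 ESR test: request and callback share one source address."""
    return simulate(TARGET_IP, TARGET_IP, SESSION_ID)


def tbb_case() -> bool:
    """tbb-firefox: request seen from the Tor exit, callback from the real host."""
    return simulate(TARGET_IP, TOR_EXIT_IP, SESSION_ID)


def tbb_case_prefilter_off() -> bool:
    """Same Tor scenario with the prefilter hash check switched off."""
    return simulate(TARGET_IP, TOR_EXIT_IP, SESSION_ID, prefilter_enabled=False)


if __name__ == "__main__":
    print("direct client, prefilter on :", firefox_direct_case())
    print("Tor client,    prefilter on :", tbb_case())
    print("Tor client,    prefilter off:", tbb_case_prefilter_off())
```

Once the hash check is disabled the server no longer ties a callback to any source address at all: anyone who learns or guesses a session id can drive the callback path, which is the trade-off the OPSEC bullets on the same slide (pre-play attacks, adversarial actors) point at. An IP-bound binding of this kind fails in exactly the same way for any client whose egress address differs from its real one, such as a corporate proxy or a VPN, not only for Tor.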
(S//SI//REL) The TOR Problem