[tor-bugs] #8558 [Quality Assurance and Testing]: Re-verify app-launching defenses on Windows

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Mar 21 22:41:39 UTC 2013


#8558: Re-verify app-launching defenses on Windows
-------------------------------------------+--------------------------------
 Reporter:  mikeperry                      |          Owner:  cypherpunks
     Type:  task                           |         Status:  new        
 Priority:  major                          |      Milestone:             
Component:  Quality Assurance and Testing  |        Version:             
 Keywords:  tbb-rebase-regression          |         Parent:             
   Points:                                 |   Actualpoints:             
-------------------------------------------+--------------------------------
 Rsnake claims that some stuff he did 3 years ago still works on TBB. We
 certainly fixed the two vectors he mentioned (itms and smb) with
 Torbutton, but it is possible that one or more random things have been
 broken/undone by FF17. We should retest as many of them as we can,
 especially on Windows. Especially since Rsnake seems insistent on being as
 unhelpful as possible :/. Gotta love timewasters....


 Most decloaking attacks are based on plugins, which are disabled by a
 Firefox patch and also by Firefox settings, but the following two
 decloak.net attacks should be retested:

 1. "When the iTunes is installed, it registers the itms:// protocol
 handler. This protocol handler will open iTunes and do a direct connection
 to the specified URL. There are some restrictions on the URL you can pass,
 but we found a nice way around them :-)"

 2. "When Microsoft Office is installed and configured to automatically
 open documents, a file can be returned which automatically downloads an
 image from the internet. This can bypass proxy settings and expose the
 real DNS servers of the user."

 Unfortunately, decloak.net is now down, so the exact itms URL it used is
 unavailable (unless the source is still around somewhere).

 Also, this test should be verified on Windows:
 http://pseudo-flaw.net/tor/torbutton/ipleak-dotnet-assistant.html

 I think the .NET assistant addon might need to be explicitly installed
 these days. It used to auto-install with some piece of .NET but then
 Mozilla blacklisted it. They may have removed the blacklist, though...

 Also, we should try some SMB URLs on Windows. Native Firefox SMB handling
 appears to be unimplemented still, but it may be possible to shove
 something in the registry that enables an external handler:
 http://kb.mozillazine.org/Register_protocol#Windows
 http://msdn.microsoft.com/en-us/library/aa767914.aspx

 Such external handlers *should* still be blocked by Torbutton, though.
 They certainly are on MacOS and Linux...

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8558>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
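
An added example, not part of the ticket or of Torbutton's code: a PowerShell inventory of the URL protocol handlers registered on a Windows test machine, so the retest knows which external handlers (itms, smb) actually exist before checking that the browser refuses to launch them. It relies on the Windows registration convention documented at the MSDN link in the ticket (a `URL Protocol` value on the scheme key plus a `shell\open\command` subkey); the function name `Get-UrlProtocolHandler` and the watch list are assumptions made for this example.

```powershell
# Added example: inventory URL protocol handlers on a Windows test machine.
# HKEY_CLASSES_ROOT is a merged view, so both source hives are read separately
# to show whether a handler is machine-wide or was added for the current user.
$roots = @(
    'Registry::HKEY_LOCAL_MACHINE\Software\Classes',
    'Registry::HKEY_CURRENT_USER\Software\Classes'
)

# Schemes named in the ticket; extend this list for further retests.
$watch = @('itms', 'smb')

function Get-UrlProtocolHandler {
    param([string[]]$ClassRoots)
    foreach ($root in $ClassRoots) {
        $hive = ($root -split '\\')[0] -replace '^Registry::', ''
        Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            # A key is a URL scheme only if it carries a "URL Protocol" value.
            if ($key.GetValueNames() -contains 'URL Protocol') {
                $cmdKey  = $key.OpenSubKey('shell\open\command')
                $command = $null
                if ($cmdKey) {
                    $command = $cmdKey.GetValue('')   # default value = launch command
                    $cmdKey.Close()
                }
                [pscustomobject]@{
                    Scheme  = $key.PSChildName
                    Hive    = $hive
                    Command = $command
                }
            }
        }
    }
}

$handlers = @(Get-UrlProtocolHandler -ClassRoots $roots)
$handlers | Sort-Object Scheme, Hive | Format-Table -AutoSize -Wrap | Out-Host

# Report the schemes the ticket asks to retest.
foreach ($scheme in $watch) {
    $hits = @($handlers | Where-Object { $_.Scheme -eq $scheme })
    if ($hits.Count -eq 0) {
        '{0}: no external handler registered on this machine' -f $scheme
    } else {
        $hits | ForEach-Object { '{0}: registered in {1} -> {2}' -f $_.Scheme, $_.Hive, $_.Command }
    }
}
```

A scheme reported as not registered cannot exercise the external-handler blocking at all, so a retest on that machine says nothing about that vector.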