Title: Peeling Back the Layers of Tor with EGOTISTICALGIRAFFE

Release Date: 2013-10-04

Document Date: 2007-01-08

Description: This Tailored Access Operations presentation shows how the NSA uses a technique codenamed EgotisticalGiraffe to attack Tor users through vulnerable computer software: see the Guardian article NSA and GCHQ target Tor network that protects anonymity of web users, 4 October 2013.

Document: TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

(TS//SI//REL) Peeling Back the Layers of TOR with EGOTISTICALGIRAFFE


Overall Classification

This briefing is classified
TOP SECRET//COMINT//REL USA, FVEY

■ (U) What is TOR?

■ (S//SI//REL) The TOR Problem

■ (TS//SI//REL) EGOTISTICALGOAT

■ (TS//SI//REL) EGOTISTICALGIRAFFE

■ (U) Future Development

■ (U) “The Onion Router”

■ (U) Enables anonymous internet activity

□ General privacy
□ Non-attribution
□ Circumvention of nation state internet policies

■ (U) Hundreds of thousands of users

□ Dissidents (Iran, China, etc)

(S//SI//REL)

(S//SI//REL) Other targets too!



(U) What is TOR?



■ (U) TOR Browser Bundle

□ Portable Firefox 10 ESR (tbb-firefox.exe)
□ Vidalia
□ Polipo
□ TorButton
□ TOR

“Idiot-proof”

(S//SI//REL) The TOR Problem

■ (TS//SI//REL) Fingerprinting TOR

■ (TS//SI//REL) Exploiting TOR

■ (TS//SI//REL) Callbacks from TOR

[Diagram: assorted client systems running the TOR Browser Bundle, each shown presenting the same fingerprint, "32-bit Windows 7, Firefox/10.0"]

Windows XP, Firefox 10.0.5 ESR? -> 32-bit Windows 7, Firefox/10.0
64-bit Mac OS X, Firefox 10.0.4 ESR? -> 32-bit Windows 7, Firefox/10.0
Ubuntu 11.10, Firefox 10.0.7 ESR? -> 32-bit Windows 7, Firefox/10.0
64-bit Windows 7, Firefox 10.0.10 ESR? -> 32-bit Windows 7, Firefox/10.0

(TS//SI//REL) Fingerprinting TOR

(TS//SI//REL) BuildID gives a timestamp for when the Firefox release was built

Year Month Day Hour Min Sec

(TS//SI//REL) tbb-firefox’s BuildID:

■ (TS//SI//REL) TorButton cares about TOR users being indistinguishable from TOR users

■ (TS//SI//REL) We only care about TOR users versus non-TOR users

■ (TS//SI//REL) Thanks to TorButton, it’s easy!
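As an added, defender-side illustration of the BuildID point above (this is not code from the slides): a small JavaScript helper that splits a Firefox BuildID into the Year/Month/Day/Hour/Min/Sec fields the slide names, rejects values that are not real dates, and reports whether the value dates one specific build or is a frozen placeholder that carries no per-release information. `navigator.buildID` is the Firefox property that exposes the string; the two frozen constants are assumed values that you should verify against your own browser build, and the sample BuildIDs at the bottom are constructed.

```javascript
// Added example, not from the slide deck: parse a Firefox BuildID and judge whether
// it identifies a specific build. BuildIDs are YYYYMMDDHHMMSS (14 digits); a spoofed
// or placeholder value may be just YYYYMMDD (8 digits).
function parseBuildId(buildId) {
  if (typeof buildId !== 'string' || !/^\d{8}(\d{6})?$/.test(buildId)) return null;
  const full = buildId.length === 14;
  const n = (a, b) => parseInt(buildId.slice(a, b), 10);
  const parts = {
    year: n(0, 4), month: n(4, 6), day: n(6, 8),
    hour: full ? n(8, 10) : 0,
    minute: full ? n(10, 12) : 0,
    second: full ? n(12, 14) : 0,
  };
  // Date.UTC silently rolls an impossible month/day forward; compare the fields back
  // so that garbage such as month 13 is not mistaken for a build timestamp.
  const d = new Date(Date.UTC(parts.year, parts.month - 1, parts.day,
                              parts.hour, parts.minute, parts.second));
  const valid = d.getUTCFullYear() === parts.year
    && d.getUTCMonth() === parts.month - 1
    && d.getUTCDate() === parts.day
    && parts.hour <= 23 && parts.minute <= 59 && parts.second <= 59;
  if (!valid) return null;
  return Object.assign({}, parts, { iso: d.toISOString() });
}

// Assumed frozen values (verify against your browser): a BuildID equal to one of these
// says nothing about the release; any other parseable value dates the exact build.
const FROZEN_BUILD_IDS = new Set(['20100101', '20181001000000']);

function classifyBuildId(buildId) {
  if (FROZEN_BUILD_IDS.has(buildId)) return 'frozen';
  return parseBuildId(buildId) ? 'identifying' : 'unparseable';
}

// When pasted into a browser console this reports what the browser exposes;
// under Node (no `navigator`) it returns null instead of throwing.
function checkThisBrowser() {
  if (typeof navigator === 'undefined' || typeof navigator.buildID !== 'string') return null;
  return { buildID: navigator.buildID, verdict: classifyBuildId(navigator.buildID) };
}

// Constructed sample values for an offline run.
const SAMPLE_BUILD_IDS = ['20121024201123', '20100101', 'garbage', '20121399000000'];
for (const id of SAMPLE_BUILD_IDS) {
  const parsed = parseBuildId(id);
  console.log(id, '->', classifyBuildId(id), parsed ? parsed.iso : '');
}
```

The useful check for a deployment is the verdict: a browser that reports `identifying` is handing every site a build date precise to the second, which is exactly the distinguishing signal the slide describes; `frozen` means that signal has been removed.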

(S//SI//REL) The TOR Problem

■ (TS//SI//REL) Fingerprinting TOR

(TS//SI//REL) Exploiting TOR

■ (TS//SI//REL) Callbacks from TOR

■ (TS//SI//REL) tbb-firefox is barebones

□ Flash is a no-no

□ NoScript addon pre-installed...

...but not enabled by default!

□ TOR explicitly advises against using any addons or
extensions other than TorButton and NoScript

■ (TS//SI//REL) Need a native Firefox exploit

■ (TS//SI//REL) ERRONEOUSINGENUITY

□ Commonly known as ERIN
□ First native Firefox exploit in a long time
□ Only works against 13.0-16.0.2

■ (TS//SI//REL) EGOTISTICALGOAT

□ Commonly known as EGGO
□ Configured for 11.0-16.0.2...

...but the vulnerability also exists in 10.0!



■ (TS//SI//REL) Type confusion vulnerability in E4X

■ (TS//SI//REL) Enables arbitrary read/write access to the process memory

■ (TS//SI//REL) Remote code execution via the CTypes module

■ (TS//SI//REL) Can't distinguish OS until on box

□ That's okay

■ (TS//SI//REL) Can't distinguish Firefox version until on box

□ That's also okay

■ (TS//SI//REL) Can't distinguish 64-bit from 32-bit until on box

I think you see where this is going

■ (TS//SI//REL) Fingerprinting TOR

■ (TS//SI//REL) Exploiting TOR

■ (TS//SI//REL) Callbacks from TOR

■ (TS//SI//REL) Tests on Firefox 10 ESR worked

■ (TS//SI//REL) Tests on tbb-firefox did not

□ Gained execution
□ Didn't receive FINKDIFFERENT

■ (TS//SI//REL) Defeated by Prefilter Hash!

□ Requests EGGI: Hash(tor_exit_ip || session_id)
□ Requests FIDI: Hash(target_ip || session_id)

(TS//SI//REL) Callbacks from TOR

■ (TS//SI//REL) Easy fix

□ Turn off prefilter hashing
□ FUNNELOUT

■ (TS//SI//REL) OPSEC Concerns

□ Pre-play attacks
- PSPs

□ Adversarial Actors
□ Targets worth it?
