TPS - Non-exploitable symlink attack in persistent storage deactivation hook
https://git.radicallyopensecurity.com/ros/pen-tails/-/issues/4
Technical Description
An attacker can replace the Persistent directory with a symlink when the deactivation hook runs by exploiting a race condition. However, the issue is not exploitable, since rmdir does not follow symlinks by default.
/local/lib/persistent-storage/on-deactivated-hooks/PersistentDirectory/delete-persistent-directory
#!/bin/sh
set -e
set -u
PERSISTENT_DIR='/home/amnesia/Persistent'
rmdir "${PERSISTENT_DIR}"
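The following is an added example, not part of the original issue or of the Tails code base, that checks the claim above by running the hook's rmdir call against a real directory and against a symlink. The function name try_hook_rmdir and all paths under the mktemp scratch directory are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: reproduces the hook's rmdir call in a scratch directory.
# All paths are constructed under mktemp; nothing touches /home/amnesia.

# try_hook_rmdir KIND -> prints "<rmdir result>:<state of target directory>"
#   KIND=dir      Persistent is a real, empty directory (normal case)
#   KIND=symlink  Persistent is a symlink to another empty directory
try_hook_rmdir() {
    kind=$1
    scratch=$(mktemp -d) || return 1
    persistent_dir="$scratch/Persistent"
    target="$scratch/target"          # stands in for the directory the link points to
    mkdir "$target"

    case $kind in
        dir)     mkdir "$persistent_dir" ;;
        symlink) ln -s "$target" "$persistent_dir" ;;
        *)       rm -rf "$scratch"; return 2 ;;
    esac

    # Same call as the hook: rmdir on the path itself, no trailing slash.
    if rmdir "$persistent_dir" 2>/dev/null; then
        result=removed
    else
        result=refused
    fi

    # Record whether the link's target survived and whether the link is still there.
    if [ -d "$target" ]; then state=target-intact; else state=target-gone; fi
    if [ -L "$persistent_dir" ]; then state="$state,link-present"; fi

    rm -rf "$scratch"
    printf '%s:%s\n' "$result" "$state"
}

try_hook_rmdir dir       # removed:target-intact
try_hook_rmdir symlink   # refused:target-intact,link-present
```

In the symlink case rmdir fails on the link itself, so under the hook's `set -e` the script exits non-zero and the link's target is left untouched.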