Tor Browser - Local Privilege Escalation (LPE) to TOR Browser Sandbox via Argument Injection - N/A
https://git.radicallyopensecurity.com/ros/pen-tails/-/issues/14
Description
The sudoers configuration allows the low-privileged amnesia user to inject arbitrary arguments into /usr/local/lib/run-tor-browser-in-netns, which the rule lets that user run as root without a password. The rule names the command without an argument list, so sudo accepts whatever arguments the caller appends:
sudo -l
(root) NOPASSWD: /usr/local/lib/run-tor-browser-in-netns
If we run sudo /usr/local/lib/run-tor-browser-in-netns --help we get the following output:
Usage: /usr/local/lib/tor-browser/firefox.real [ options ... ] [URL]
where options include:
X11 options
--display=DISPLAY X display to use
--sync Make X calls synchronous
--g-fatal-warnings Make all warnings fatal
Firefox options
-h or --help Print this message.
-v or --version Print Firefox version.
--full-version Print Firefox version, build and platform build ids.
-P <profile> Start with <profile>.
--profile <path> Start with profile at <path>.
--migration Start with migration wizard.
--ProfileManager Start with ProfileManager.
--no-remote (default) Do not accept or send remote commands; implies
--new-instance.
--allow-remote Accept and send remote commands.
--new-instance Open new instance, not a new window in running instance.
--safe-mode Disables extensions and themes for this session.
--MOZ_LOG=<modules> Treated as MOZ_LOG=<modules> environment variable,
overrides it.
--MOZ_LOG_FILE=<file> Treated as MOZ_LOG_FILE=<file> environment variable,
overrides it. If MOZ_LOG_FILE is not specified as an
argument or as an environment variable, logging will be
written to stdout.
--headless Run without a GUI.
--browser Open a browser window.
--new-window <url> Open <url> in a new window.
--new-tab <url> Open <url> in a new tab.
--private-window <url> Open <url> in a new private window.
--preferences Open Preferences dialog.
--screenshot [<path>] Save screenshot to <path> or in working directory.
--window-size width[,height] Width and optionally height of screenshot.
--search <term> Search <term> with your default search engine.
--setDefaultBrowser Set this app as the default browser.
--first-startup Run post-install actions before opening a new window.
--kiosk Start the browser in kiosk mode.
--disable-pinch Disable touch-screen and touch-pad pinch gestures.
--jsconsole Open the Browser Console.
--jsdebugger [<path>] Open the Browser Toolbox. Defaults to the local build
but can be overridden by a firefox path.
--wait-for-jsdebugger Spin event loop until JS debugger connects.
Enables debugging (some) application startup code paths.
Only has an effect when `--jsdebugger` is also supplied.
--devtools Open DevTools on initial load.
--start-debugger-server [ws:][ <port> | <path> ] Start the devtools server on
a TCP port or Unix domain socket path. Defaults to TCP port
6000. Use WebSocket protocol if ws: prefix is specified.
--marionette Enable remote control server.
--remote-debugging-port [<port>] Start the Firefox Remote Agent,
which is a low-level remote debugging interface used for WebDriver
BiDi and CDP. Defaults to port 9222.
--remote-allow-hosts <hosts> Values of the Host header to allow for incoming requests.
Please read security guidelines at https://firefox-source-docs.mozilla.org/remote/Security.html
--remote-allow-origins <origins> Values of the Origin header to allow for incoming requests.
Please read security guidelines at https://firefox-source-docs.mozilla.org/remote/Security.html
As you can see, the --help argument is passed straight through to the Tor Browser binary (/usr/local/lib/tor-browser/firefox.real). Because the sudoers rule carries no argument restriction, the low-privileged amnesia user has full control over the startup parameters of Tor Browser as launched by the privileged wrapper. The option list above includes parameters that take arbitrary file paths (--profile, --MOZ_LOG_FILE, --screenshot) and parameters that enable remote-control interfaces (--marionette, --remote-debugging-port, --start-debugger-server), so the attack surface is not limited to printing the usage text.
Impact
- Access to the Tor Browser sandbox (its dedicated network namespace) from the unprivileged amnesia account, by choosing Tor Browser's startup arguments.
Patch
- Restrict the sudoers rule so that the wrapper can only be invoked without arguments: in sudoers(5), appending "" to a command means that no arguments are permitted. Alternatively, or in addition, make the wrapper ignore its command-line arguments so that nothing the caller passes reaches firefox.real.
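As an added example (not part of the original report or of Tails), the shell below audits sudoers command specs in the form shown in the sudo -l output above and flags any rule that names a command with no argument list, which sudo treats as "any arguments allowed". It also emits the pinned form of such a rule by appending "", the sudoers(5) notation for "no arguments permitted". The rule lines are a constructed sample, not output captured from Tails; the parser assumes one (runas) TAG: command [args] spec per line and does not handle Cmnd_Alias names, sudoers wildcards or line continuations.

```sh
#!/bin/sh
# Added example: audit sudoers command specs for privileged commands that
# accept arbitrary arguments. Constructed sample input; on a real host feed
# it the output of `sudo -l` or the relevant /etc/sudoers.d/ fragment.

# Exit 0 when the spec lets the caller pick arbitrary arguments, 1 when the
# arguments are pinned (an explicit argument list, or "" meaning none).
# Assumption: one spec per line, shaped like "(runas) TAG: command [args]".
allows_arbitrary_args() {
    # Drop the "(runas)" part and any TAG: prefixes, leaving "command [args]".
    spec=$(printf '%s\n' "$1" | sed -E 's/^[[:space:]]*\([^)]*\)[[:space:]]*//; s/^([A-Z_]+:[[:space:]]*)+//')
    # Split on whitespace with globbing disabled so a sudoers "*" is not expanded.
    set -f
    set -- $spec
    set +f
    # One word is a bare command: sudo then accepts any arguments.
    # Two or more words mean an explicit argument list, or "" (no arguments).
    [ "$#" -eq 1 ]
}

# Print each unrestricted rule in $1 to stderr and echo how many were found.
count_unrestricted() {
    n=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        if allows_arbitrary_args "$line"; then
            n=$((n + 1))
            printf 'UNRESTRICTED: %s\n' "$line" >&2
        fi
    done <<EOF
$1
EOF
    echo "$n"
}

# Emit the hardened form of a rule: bare commands get "" appended so sudo
# rejects any invocation that carries arguments; pinned rules are unchanged.
pin_rule() {
    if allows_arbitrary_args "$1"; then
        printf '%s ""\n' "$1"
    else
        printf '%s\n' "$1"
    fi
}

# Constructed sample: the vulnerable rule from the report, its pinned form,
# and an unrelated rule with an explicit argument list.
SAMPLE_RULES='(root) NOPASSWD: /usr/local/lib/run-tor-browser-in-netns
(root) NOPASSWD: /usr/local/lib/run-tor-browser-in-netns ""
(root) NOPASSWD: /usr/bin/systemctl restart tor'

count_unrestricted "$SAMPLE_RULES"
pin_rule '(root) NOPASSWD: /usr/local/lib/run-tor-browser-in-netns'
```

Run against the sample, the audit reports exactly one unrestricted rule (the first line) and prints the hardened rule `(root) NOPASSWD: /usr/local/lib/run-tor-browser-in-netns ""`. After editing sudoers, verify the result with `sudo -l` from the amnesia account and confirm that `sudo /usr/local/lib/run-tor-browser-in-netns --help` is now refused; pinning the argument list only protects the sudo boundary, so the wrapper should still not forward its own arguments to firefox.real.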
Edited by boyska