Unsafe Browser - Sandbox escape leading to Code Execution on host
From https://git.radicallyopensecurity.com/ros/pen-tails/-/issues/18 (aka TLS-018 in the audit):
Due to an incorrect configuration of the sandbox, it is possible to escape from it. As a result, an attacker could link the activity carried out over the Tor network (as the amnesia user on the host system) to the user's real IP address.
Technical Description
The Unsafe Browser runs in a Bubblewrap (bwrap) sandbox as the amnesia user inside the clearnet network namespace. The full command line is:
ip netns exec clearnet /sbin/runuser -u amnesia -- bwrap --bind /var/lib/unsafe-browser/chroot / --proc /proc --dev /dev --bind /home /home --bind /var/lib/unsafe-browser/chroot//home/amnesia/.unsafe-browser/profile.default /home/amnesia/.unsafe-browser/profile.default --bind /etc/resolv-over-clearnet.conf /etc/resolv.conf --bind /run/user/1000/pipewire-0 /run/user/1000/pipewire-0 --bind /run/user/1000/pulse /run/user/1000/pulse --bind /run/user/1000/wayland-0 /run/user/1000/wayland-0 --bind /sys /sys --bind /run/user/1000/.dbus-proxy/a11y-bus-proxy.sock /run/user/1000/tails-sandbox/a11y-bus-proxy.sock --bind /run/user/1000/.dbus-proxy/ibus-proxy.sock /run/user/1000/tails-sandbox/ibus-proxy.sock -- /usr/bin/env -- DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus XDG_RUNTIME_DIR=/run/user/1000 LANG=en_US.UTF-8 XDG_CURRENT_DESKTOP=GNOME DISPLAY=:0 XAUTHORITY=/run/user/1000/.mutter-Xwaylandauth.QMWI21 WAYLAND_DISPLAY=/run/user/1000/wayland-0 AT_SPI_BUS_ADDRESS=unix:path=/run/user/1000/tails-sandbox/a11y-bus-proxy.sock IBUS_ADDRESS=unix:path=/run/user/1000/tails-sandbox/ibus-proxy.sock /bin/sh -c . /usr/local/lib/tails-shell-library/tor-browser.sh && export TOR_TRANSPROXY=1 && export MOZ_ENABLE_WAYLAND=1 && exec_firefox_helper firefox.unsafe-browser --class 'Unsafe Browser' --name 'Unsafe Browser' --profile '/home/amnesia/.unsafe-browser/profile.default'
The low-privileged amnesia user on the host starts the sandbox with /sbin/runuser -u amnesia -- bwrap, and the command line passes no --unshare-user flag, so the process inside the sandbox keeps the same identity as the host user. Running id inside the sandbox gives:
uid=1000(amnesia) gid=1000(amnesia) groups=1000(amnesia),65534(nogroup)
As a result, the jailed amnesia user (inside the sandbox) can influence the host. For example, since the command line passes no --unshare-pid flag either, the jailed amnesia user shares the host's PID namespace and could start/stop (signal) host processes that are running as the amnesia user. On top of that, the host's home directories are mounted read-write inside the sandbox by the argument --bind /home /home (a read-write bind, as opposed to --ro-bind). This leads to a trivial sandbox escape, since the jailed amnesia user could overwrite, for example, the .bashrc of the amnesia user on the host system.
Impact
An attacker who managed to get code execution inside the sandbox of the Unsafe Browser could get code execution on the host as well. As a result, it would be possible to link the activity carried out over the Tor network (as the amnesia user on the host system) to the user's real IP address.
Recommendation
Replace --bind /home /home with bind mounts of only the paths that are really needed (for example the browser profile directory), and run the sandbox as a different low-privileged user than the one that launches it, so that the jailed process no longer shares the uid of the host user.
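As an added example that is not part of the audit finding or of the Tails code, the following POSIX shell script audits a bwrap command line for the two weaknesses described in this finding (sandbox account identical to the host account, and a writable bind of the host's /home), runs it against a trimmed copy of the command line quoted in the technical description, and then against a hardened variant that follows the recommendation. The dedicated account name unsafe-browser and the exact set of paths in the hardened command are assumptions chosen for illustration, not the fix that Tails shipped.

```shell
#!/bin/sh
# Added example, not code from Tails or from the audit: audit a bwrap command
# line for the two weaknesses the finding describes (sandbox user equal to
# the host user, and a writable bind of the host's /home) and show the same
# check passing on a hardened invocation.

# Constructed sample: the Unsafe Browser command line from the finding,
# trimmed to the arguments that matter for this check.
VULN_CMD='ip netns exec clearnet /sbin/runuser -u amnesia -- bwrap --bind /var/lib/unsafe-browser/chroot / --proc /proc --dev /dev --bind /home /home --bind /var/lib/unsafe-browser/chroot//home/amnesia/.unsafe-browser/profile.default /home/amnesia/.unsafe-browser/profile.default --bind /sys /sys -- /bin/sh -c true'

# Hardened variant following the recommendation: a dedicated account
# (unsafe-browser is a hypothetical name chosen for this example) and only
# the profile directory bound instead of all of /home.
FIXED_CMD='ip netns exec clearnet /sbin/runuser -u unsafe-browser -- bwrap --bind /var/lib/unsafe-browser/chroot / --proc /proc --dev /dev --bind /var/lib/unsafe-browser/chroot/home/amnesia/.unsafe-browser/profile.default /home/amnesia/.unsafe-browser/profile.default --ro-bind /etc/resolv-over-clearnet.conf /etc/resolv.conf -- /bin/sh -c true'

# audit_bwrap_cmd HOST_USER CMD
# Prints one finding per line and returns 1 if anything was found, 0 if clean.
audit_bwrap_cmd() {
  host_user=$1
  cmd=$2
  rc=0

  # Finding 1: runuser -u <user> names the same account that launches the
  # sandbox, so the jailed process keeps the host user's uid.
  sandbox_user=$(printf '%s\n' "$cmd" | sed -n 's/.*runuser -u \([^ ]*\).*/\1/p')
  if [ "x$sandbox_user" = "x$host_user" ]; then
    printf 'same-uid: sandbox runs as %s, the same account as the host user\n' "$sandbox_user"
    rc=1
  fi

  # Finding 2: a writable bind (--bind or --dev-bind, not --ro-bind) whose
  # source is the host's /home or anything below it.
  set -- $cmd
  # Skip everything before the bwrap executable itself (ip, runuser, ...).
  while [ $# -gt 0 ] && [ "x${1##*/}" != xbwrap ]; do shift; done
  if [ $# -gt 0 ]; then shift; fi
  while [ $# -gt 0 ]; do
    case $1 in
      --) break ;;                 # end of bwrap options; the rest is the command
      --bind|--dev-bind)
        src=$2
        dst=$3
        case $src in
          /home|/home/*)
            printf 'home-bind: %s -> %s is writable from inside the sandbox\n' "$src" "$dst"
            rc=1
            ;;
        esac
        shift 3
        continue
        ;;
    esac
    shift
  done
  return $rc
}

# Stand-alone run: report on both command lines.
for c in "$VULN_CMD" "$FIXED_CMD"; do
  if audit_bwrap_cmd amnesia "$c"; then
    echo "clean"
  fi
done
```

The check deliberately keys on the bind source rather than the destination: binding the chroot's own profile directory onto /home/amnesia/... inside the sandbox is harmless, whereas any --bind whose source lives under the host's /home hands the jailed process write access to the host user's dotfiles.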