Unsafe Browser - Local Privilege Escalation (LPE) via symlink - Arbitrary File Content Delete
This is https://git.radicallyopensecurity.com/ros/pen-tails/-/issues/10 :
The Unsafe Browser is vulnerable to a symlink attack due to an incorrect assignment of privileges, leading to a Local Privilege Escalation. As a result, the low-privileged user amnesia can empty (truncate to zero bytes) any file on the system.
Technical Description
The low-privileged user amnesia can run /usr/local/sbin/unsafe-browser as root using sudo without a password. The sudoers rule is:
(root) NOPASSWD: /usr/local/sbin/unsafe-browser ""
(the trailing "" restricts the rule to invocations without command-line arguments).
The unsafe-browser script opens its lock file with the redirection 9>/var/lock/unsafe-browser. The /var/lock folder is a symlink to /run/lock, and /run/lock is writable by anyone, so amnesia can create an entry named unsafe-browser there before the script runs. The script then opens that path as root with >, which creates or truncates the file and follows symlinks. If amnesia has made /var/lock/unsafe-browser a symlink to an arbitrary file, it is that file which gets truncated. As a result, the user amnesia can empty any file on the system as root.
Excerpt from /usr/local/sbin/unsafe-browser:
CMD="$(basename "${0}")"
LOCK="/var/lock/${CMD}"
# Prevent multiple instances of the script.
# Runs as root: '>' creates or truncates ${LOCK} and follows symlinks,
# so a symlink planted at ${LOCK} by amnesia truncates its target.
exec 9>"${LOCK}"
if ! flock -x -n 9; then
    error "$(gettext "Another Unsafe Browser is currently running, or being cleaned up. Please retry in a while.")"
fi
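The mechanism above, as an added example that is not part of the report or of the Tails code: a bash script that reproduces the truncation as an unprivileged user inside a temporary directory (the sticky, world-writable lock directory, the victim file and its contents are constructed stand-ins for /run/lock and a root-owned file), plus a check_lock_path helper that reports whether a real lock path sits in a world-writable directory. Function names and all paths are assumptions made for the demonstration.

```shell
#!/bin/bash
# Added example, not code from the Tails report or project: reproduce the
# truncation-through-symlink mechanism as an unprivileged user inside a
# temporary directory, and check a real lock path for the same layout.
# All paths and file contents below are constructed for the demonstration.
set -u

# The script's lock pattern: open the lock path for writing on fd 9.
# '>' opens with O_WRONLY|O_CREAT|O_TRUNC and follows symlinks, so when the
# path is a symlink it is the symlink's *target* that gets truncated.
vulnerable_lock() {
    exec 9>"$1"
}

# Byte size of a file without relying on GNU stat(1) options.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Report whether a lock path has the layout the report relies on: a parent
# directory anyone can create names in (world-writable; /var/lock resolves to
# /run/lock) and, optionally, a symlink already planted at the lock name.
# Exit 0 if the directory is world-writable, 1 if not, 2 if it does not exist.
check_lock_path() {
    local path="$1" dir
    dir="$(cd "$(dirname "$path")" 2>/dev/null && pwd -P)" || return 2
    if [ -n "$(find "$dir" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
        echo "world-writable lock directory: $dir"
        [ -L "$path" ] && echo "symlink already present: $path -> $(readlink "$path")"
        return 0
    fi
    echo "lock directory not world-writable: $dir"
    return 1
}

# Simulation: a sticky, world-writable lock directory standing in for
# /run/lock, a victim file standing in for a root-owned file such as
# /etc/shadow, and the attacker's symlink planted at the lock name before
# the privileged script runs. Prints "<victim size before> <size after>".
simulate_attack() {
    local sandbox victim before after
    sandbox="$(mktemp -d)"
    mkdir -m 1777 "$sandbox/lock"
    victim="$sandbox/victim"
    printf 'root:*:19000:0:99999:7:::\n' > "$victim"    # constructed content
    before="$(file_size "$victim")"

    # Unprivileged step: make the lock name a symlink to the victim.
    ln -s "$victim" "$sandbox/lock/unsafe-browser"

    # Privileged step: the script opens its lock exactly as the excerpt does.
    vulnerable_lock "$sandbox/lock/unsafe-browser"
    exec 9>&-                                          # release fd 9 again

    after="$(file_size "$victim")"
    rm -rf "$sandbox"
    printf '%s %s\n' "$before" "$after"
}

simulate_attack      # prints "26 0": the victim has been emptied
```

Run it as any user; the sandbox stands in for the privilege boundary, since here the symlink and the opener belong to the same uid. On the real system, `check_lock_path /var/lock/unsafe-browser` resolves the /var/lock symlink and reports the directory mode; whether root then follows a symlink that amnesia planted in a sticky, world-writable directory is also governed by the kernel's fs.protected_symlinks sysctl, which the single-user sandbox does not exercise.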
Impact
The low-privileged user amnesia can empty any file on the system as root, even if no administration password is configured at boot, leading to a Local Privilege Escalation. Due to the limited time available for the code audit, we did not follow this path beyond this point.
Recommendation
The recommendation is to move the LOCK path into a directory that only root can write to and that unprivileged users cannot pre-create either (for example a root-owned directory directly under /run rather than under the world-writable /run/lock), or to open the lock file in a way that does not follow symlinks and does not truncate whatever the name resolves to.
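A hardened form of the lock acquisition, as an added example that is not the Tails project's fix: it requires the lock to live in a directory the script's own user owns and nobody else can write to, rejects a symlink at the lock name, and opens with >> so that taking the lock never truncates anything. The helper names and the private directory (a sandbox path in the demo, standing in for something like a root-owned /run/unsafe-browser) are assumptions.

```shell
#!/bin/bash
# Added example, not the Tails project's fix: a lock-acquisition helper that
# refuses the layout the report abuses, next to a sandboxed demonstration.
# Directory names (a private directory under /run) are assumptions here.
set -u

# Acquire an exclusive lock at $1. The lock must live in a directory that
# only the current user (root, when run via sudo) can write to.
# Returns 0 with the lock held on fd 9, 1 if the layout is unsafe,
# 2 if another instance already holds the lock.
safe_lock() {
    local lock="$1" dir
    dir="$(dirname "$lock")"

    # 1. Real directory (not a symlink), owned by us, not group/world-writable.
    [ -d "$dir" ] && [ ! -L "$dir" ] && [ -O "$dir" ] || return 1
    [ -z "$(find "$dir" -maxdepth 0 \( -perm -0020 -o -perm -0002 \) 2>/dev/null)" ] || return 1

    # 2. The lock name itself must not be a symlink: a live one would have its
    #    target opened, a dangling one would create a file elsewhere.
    [ ! -L "$lock" ] || return 1

    # 3. Open with '>>' (O_APPEND) instead of '>' (O_TRUNC): taking the lock
    #    never modifies whatever file the name resolves to.
    exec 9>>"$lock" || return 1

    # 4. Mutual exclusion exactly as the original script does it.
    if command -v flock >/dev/null 2>&1; then
        flock -x -n 9 || { exec 9>&-; return 2; }
    fi
    return 0
}

release_lock() { exec 9>&-; }

# Create the private lock directory the privileged script should use, refusing
# anything an unprivileged user could have planted at that name beforehand
# (a symlink, a plain file, or a directory they own).
make_private_lockdir() {
    local dir="$1"
    [ ! -L "$dir" ] || return 1
    if [ -e "$dir" ]; then
        [ -d "$dir" ] && [ -O "$dir" ] || return 1
    else
        mkdir -m 0700 "$dir" || return 1
    fi
    chmod 0700 "$dir"
}

# Sandboxed demonstration: the attacker's symlink in a world-writable lock
# directory is rejected and the victim keeps its contents, while a lock in a
# private directory succeeds. Prints "<rc world-writable> <rc private> <victim size>".
demo() {
    local sandbox victim rc1=0 rc2=0 size
    sandbox="$(mktemp -d)"
    mkdir -m 1777 "$sandbox/lock"                    # stands in for /run/lock
    victim="$sandbox/victim"
    printf 'secret\n' > "$victim"                     # constructed content
    ln -s "$victim" "$sandbox/lock/unsafe-browser"    # attacker's symlink

    safe_lock "$sandbox/lock/unsafe-browser" || rc1=$?

    make_private_lockdir "$sandbox/unsafe-browser"    # stands in for /run/unsafe-browser
    safe_lock "$sandbox/unsafe-browser/lock" || rc2=$?
    release_lock

    size="$(wc -c < "$victim" | tr -d ' ')"
    rm -rf "$sandbox"
    printf '%s %s %s\n' "$rc1" "$rc2" "$size"
}

demo    # prints "1 0 7"
```

The directory check matters as much as the symlink check: in a sticky, world-writable /run/lock an unprivileged user can also pre-create a directory named unsafe-browser that they own, which is why make_private_lockdir refuses an existing directory it does not own and why the recommendation prefers a location unprivileged users cannot create at all.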