Core - Local privilege escalation (LPE) via symlink in tailslib leads to arbitrary file read
This is:
- https://git.radicallyopensecurity.com/ros/pen-tails/-/issues/19
- TPS-019 in the report
This was introduced while fixing Core - Local Privilege Escalation (LPE) via CRL... (#19464 - closed)
The read_allowed_env_from_file function in tailslib is vulnerable to a symlink attack. As a result, the low-privileged user amnesia can read arbitrary files and leak secrets, for example the Tor authentication cookie.
Technical Description
The folder /run/user/1000 is writable by the amnesia user, since that user has uid 1000. As a result, the low-privileged amnesia user can replace /run/user/1000/user-env with a symlink to /etc/shadow. When a privileged process later parses that file, the error message print(f"Invalid environment variable: '{line}'", file=sys.stderr) echoes the content of /etc/shadow to stderr.
/usr/lib/python3/dist-packages/tailslib/userenv.py (imports and the missing return added so the excerpt runs; the symlink-following behaviour is unchanged):

```python
#!/usr/bin/python3
import os
import pwd
import sys
from functools import lru_cache
from pathlib import Path

# Lives under the user's runtime dir, which the user (uid 1000 = amnesia) owns and can write to.
USER_ENV_FILE_TEMPLATE = "/run/user/{uid}/user-env"


def user_env_file(uid):
    return USER_ENV_FILE_TEMPLATE.format(uid=uid)


def read_allowed_env_from_file(envfile: str) -> dict:
    env = dict()
    # Path.read_text() follows symlinks, so a user-placed symlink redirects the read.
    for line in Path(envfile).read_text().split('\0'):
        if not line:
            continue
        try:
            key, value = line.split("=", 1)
        except Exception as e:
            # The offending line (i.e. the target file's content) is printed verbatim.
            print(f"Invalid environment variable: '{line}'", file=sys.stderr)
            raise e
        env[key] = value
    return env


@lru_cache(maxsize=1)
def read_user_env(user=None) -> dict:
    if user is None:
        uid = os.geteuid()
    else:
        uid = pwd.getpwnam(user).pw_uid
    return read_allowed_env_from_file(user_env_file(uid))


def user_env_vars(user=None) -> list:
    return [f"{key}={value}" for key, value in read_user_env(user).items()]
```
```
amnesia@amnesia:~/Desktop$ sudo /usr/local/lib/run-tor-browser-in-netns
Invalid environment variable: 'root:*:19493:0:99999:7:::
amnesia:$6$f5BAiDvT7IkjH3eX$X9wWWJPJ8X.P1La9s6yxsfzcgWO5A7IpFtVrgAAKnzufWDy3OgEfBmAJtWjScr7w8bLF.6UmSUCbnkmlqXV38/:19493:0:99999:7:::
```
Impact
The low-privileged user amnesia can read arbitrary files as root, leading to a Local Privilege Escalation. This vulnerability allows secrets to be leaked, for example the Tor authentication cookie.
Recommendation
Don't follow symlinks when reading the user environment file.
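A hardened reader, added here as an illustration and not Tails' own fix: it opens with O_NOFOLLOW, verifies the file it actually opened with fstat(), and keeps file content out of error messages. The expected_uid parameter and the files built by demo() are assumptions made for this example.

```python
import os
import stat
import tempfile


def read_allowed_env_from_file_safe(envfile, expected_uid=None):
    """Read NUL-separated KEY=VALUE entries from envfile without following a symlink."""
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC
    with os.fdopen(os.open(envfile, flags), "rb") as f:  # OSError (ELOOP) if it is a symlink
        st = os.fstat(f.fileno())  # inspect the file we actually opened, not the path
        if not stat.S_ISREG(st.st_mode):
            raise ValueError(f"{envfile}: not a regular file")
        if expected_uid is not None and st.st_uid != expected_uid:
            raise ValueError(f"{envfile}: owned by uid {st.st_uid}, expected {expected_uid}")
        data = f.read()
    env = {}
    for index, raw in enumerate(data.split(b"\0")):
        if not raw:
            continue
        key, sep, value = raw.partition(b"=")
        if not sep or not key:
            # Report the position only; the vulnerable version printed the line itself.
            raise ValueError(f"{envfile}: malformed entry #{index}")
        env[key.decode()] = value.decode()
    return env


def demo():
    # Constructed files in a temporary directory stand in for /run/user/1000 and /etc/shadow.
    d = tempfile.mkdtemp()
    good = os.path.join(d, "user-env")
    with open(good, "wb") as f:
        f.write(b"TZ=UTC\0LANG=en_US.UTF-8\0PATH=/usr/bin:/bin\0")
    parsed = read_allowed_env_from_file_safe(good, expected_uid=os.getuid())
    secret = os.path.join(d, "secret")  # constructed stand-in for /etc/shadow
    with open(secret, "wb") as f:
        f.write(b"root:*:19493:0:99999:7:::\n")
    link = os.path.join(d, "user-env-link")
    os.symlink(secret, link)
    try:
        read_allowed_env_from_file_safe(link)
        symlink_rejected = False
    except OSError:
        symlink_rejected = True
    try:
        read_allowed_env_from_file_safe(secret)  # regular file, but not KEY=VALUE
        leaks = None
    except ValueError as e:
        leaks = "19493" in str(e)
    return {"parsed": parsed, "symlink_rejected": symlink_rejected, "error_leaks_content": leaks}
```

O_NOFOLLOW only covers the final path component; the fstat() ownership check is what guards against tricks with the intermediate directories.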
Type
CWE-61: UNIX Symbolic Link (Symlink) Following