
LPE to access to the tps system D-Bus service via sudo

https://git.radicallyopensecurity.com/otf/pen-tails/-/issues/3

User impact

An adversary who can already execute arbitrary code as the amnesia user can leverage this vulnerability to perform all sorts of Persistent Storage operations, such as creating, deleting or activating a Persistent Storage volume, or activating, deactivating or deleting a specific default feature. As far as we can tell, the only security-relevant impact of this is the ability to delete persistent data to which the amnesia user lacks write access, which poses a data-integrity and denial-of-service risk. All other security-sensitive operations that can be performed via this code path, i.e. deleting amnesia-owned data, can already be done by the adversary at that point, so they don't constitute privilege escalation.

Note, in passing, that impact may be vastly greater if #20184 had been implemented already.

Practical exploitation path

Same as #20701 (closed) due to the need to run sudo.

Proof of concept

cp -af /var/run/user/1000/user-env /tmp/foo && sudo -u tails-persistent-storage ENVFILE=/tmp/foo /usr/local/bin/tails-persistent-storage --gtk-module 1

… demonstrates that --gtk-module is passed through and honored by the GTK app, which allows loading an arbitrary .so file and thus LPE into an environment that is allowed to connect to the tps D-Bus service on the system bus.
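One defensive pattern for a launcher of this kind, added here as an example and not code from Tails: refuse GTK runtime options in argv before GTK's own parser (Gtk.init) ever sees them, and carry only allowlisted variables over from a caller-supplied environment file. The GTK option list and the environment allowlist are assumptions chosen for illustration, not the project's.

```python
import re

# GTK 3 runtime options that GTK's own argv parser (e.g. Gtk.init(argv)) acts on.
# Assumption: compiled from GTK's documented options, not from the Tails wrapper.
# A launcher running with extra privileges should honour none of them;
# --gtk-module in particular makes GTK load a shared object by name.
GTK_RUNTIME_OPTIONS = frozenset({
    "--gtk-module", "--gtk-debug", "--gtk-no-debug", "--g-fatal-warnings",
    "--display", "--screen", "--class", "--name", "--sync",
})

# Session variables a privileged GUI helper legitimately needs when its
# environment arrives through a file such as the ENVFILE above.
# Assumption: an illustrative allowlist, not the project's.
ALLOWED_ENV_KEYS = frozenset({
    "DISPLAY", "WAYLAND_DISPLAY", "XAUTHORITY", "XDG_RUNTIME_DIR",
    "DBUS_SESSION_BUS_ADDRESS", "LANG",
})

_ENV_KEY = re.compile(r"[A-Z_][A-Z0-9_]*")


def rejected_options(argv, allowed_flags=frozenset()):
    """Return the options in argv that a privileged launcher must refuse.

    Anything in GTK_RUNTIME_OPTIONS is rejected outright, and so is any other
    option outside the launcher's own allowlist, so GTK never sees an option the
    launcher did not explicitly intend to pass on. Both the "--opt value" and
    "--opt=value" spellings are caught. An empty list means argv is acceptable.
    """
    bad = []
    for arg in argv[1:]:
        opt = arg.split("=", 1)[0]
        if opt in GTK_RUNTIME_OPTIONS or (opt.startswith("-") and opt not in allowed_flags):
            bad.append(opt)
    return bad


def filter_env_file(text):
    """Parse KEY=VALUE lines from an environment file, keeping only allowlisted keys.

    Loader- and toolkit-controlling variables (LD_PRELOAD, GTK_MODULES, ...) are
    dropped, so a caller-supplied file cannot reintroduce what sudo's env_reset
    strips from the environment it hands the privileged process.
    """
    env = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and _ENV_KEY.fullmatch(key) and key in ALLOWED_ENV_KEYS:
            env[key] = value
    return env
```

The launcher would call rejected_options(sys.argv) and exit non-zero on a non-empty result before any GTK import, then pass the output of filter_env_file into the GTK process environment.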

It seems we might have been safe before e23dd723.

Edited by boyska