Tails Amnesia Public IP Leak

I become curl | bash, destroyer of noobs

UNIX has more holes than Swiss cheese.

Subject: Re: UNIX (In)Security
From: AB

> I'm trying to convince my favorite TLA official that
> putting data on a UNIX machine on the TLA network is about
> as secure as posting it to alt.flame. Does anyone have a
> document on UNIX (in)security I could pass on?

alt.flame would be inappropriate if the material in question isn't a flame or a response to one. I suggest tla.bboard if the data is about things of general interest (like how much certain people make).

Or, you could just put it up for anonymous ftp with the X sources (eww!) on export.eve.rcl.ear. Then post a "ThE sEkrIt Tla dATa yoU hAve BeEn waItInG foR is ON eXpoRt.eve.rcl.ear" message to misc.wanted.

Seriously, look at the Kerberos papers. Look at the Orange Book (trusted systems evaluation manual from the NCSC).

Realize that Unix security is like swiss cheese - not a Jarlsberg or other cheese with a few big holes in it, but an Alpine Lace cheese with thousands of tiny holes in it which you could never plug all of. You can wrap it in saran wrap, but you've still done nothing for the underlying structure, save for reducing the rate at which mold grows on it.

The point is that Tails claims the amnesia user can't leak your real IP without escalating to another user (a privilege-escalation exploit). The OP shows it can.

sudo rm /etc/sudoers.d/zzz_unsafe-browser

issue fixed

This.
Allowing access to the regular internet is just an accident waiting to happen.

There has been a ticket for this for almost a year but it's been ignored.
redmine.tails.boum.org/code/issues/15635

The X11 protocol has long been known to not provide isolation between windows. Here I will show that it can be abused to bypass the firewall without any user interaction or visible side-effects by abusing the Unsafe Browser. I also provide mitigations while waiting for the switch to Wayland.

The existence of the clearnet user and the sudoers whitelist[1] for the Unsafe Browser makes it possible to reliably bypass the firewall by abusing the X11 protocol. Previously, I've seen doubts that this can be done surreptitiously and claims that it would necessarily require that the users see the browser pop up and the mouse be moved without their control. I have written a simple PoC (proof of concept) exploit which bypasses the firewall to show that is untrue:

The Unsafe Browser, or more specifically the clearnet user, should not be enabled and functional by default. Whenever it is not needed, the clearnet user should be locked, and the Unsafe Browser should either throw an error on access or not even be displayed. I can think of three mitigations:

Disable the browser by default, requiring it to be explicitly enabled in the splash screen.
Disable the browser as soon as Tor successfully connects, which would indicate no captive portal.
Attempt captive portal detection[2] to detect request rewrites and enable the Unsafe Browser only then.

I am marking this as a bug because this PoC clearly shows that the Unsafe Browser violates the security principles in the specified design documents[3]. Until the switch to Wayland is completed (and perhaps even then), the existence of the clearnet user should be considered incompatible with anonymous Tor usage. I am currently working on another exploit which bypasses the browser AppArmor profile without user interaction in order for this to be possible from within the context of a compromised browser as well. If I have the time, I will finish it up and report it as well.

[1]: git-tails.immerda.ch/tails/plain/config/chroot_local-includes/etc/sudoers.d/zzz_unsafe-browser
[2]: chromium.org/chromium-os/chromiumos-design-docs/network-portal-detection
[3]: tails.boum.org/contribute/design/Unsafe_Browser/
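The one-line fix posted earlier in the thread (removing the sudoers drop-in) and the ticket's first mitigation (keep the clearnet account locked unless the Unsafe Browser is explicitly enabled) can both be verified from a shell. The script below is an added example, not code from the thread or from the Tails project; it assumes the drop-in path named in the ticket, an account literally called clearnet, and that `passwd -S` prints the account's lock flag in its second field. The directory and the status line are parameters so the checks can be exercised against constructed data rather than only on a live Tails system.

```shell
#!/bin/sh
# Added example: verify that the Unsafe Browser escape hatch is disabled.
# Assumptions (not verified against Tails source): the sudoers drop-in is
# /etc/sudoers.d/zzz_unsafe-browser and the account is named "clearnet".

# Returns 0 if the sudoers drop-in for the Unsafe Browser exists in DIR
# (defaults to /etc/sudoers.d). Its presence means the amnesia user can
# still start processes as clearnet via sudo.
unsafe_browser_sudoers_present() {
    dir="${1:-/etc/sudoers.d}"
    [ -e "$dir/zzz_unsafe-browser" ]
}

# Takes one line of `passwd -S` output, e.g. "clearnet L 01/01/2020 0 99999 7 -1",
# and returns 0 only when the second field says the account is locked ("L").
account_locked() {
    set -- $1
    [ "${2:-}" = "L" ]
}

# Combines both checks. STATUS is a `passwd -S clearnet` line, DIR the
# sudoers.d directory. Prints what is still open and returns 0 only when
# the drop-in is gone and the account is locked.
unsafe_browser_disabled() {
    status="$1"
    dir="${2:-/etc/sudoers.d}"
    ok=0
    if unsafe_browser_sudoers_present "$dir"; then
        echo "sudoers drop-in $dir/zzz_unsafe-browser is still present"
        ok=1
    fi
    if ! account_locked "$status"; then
        echo "clearnet account is not locked"
        ok=1
    fi
    [ "$ok" -eq 0 ] && echo "Unsafe Browser is disabled"
    return "$ok"
}

# Live usage (as root on a Tails-like system):
#   unsafe_browser_disabled "$(passwd -S clearnet 2>/dev/null)" || {
#       rm -f /etc/sudoers.d/zzz_unsafe-browser; usermod -L clearnet; }
```

Locking the account with usermod -L only blocks password authentication; the sudoers rule is what lets amnesia run commands as clearnet without a password, so on the ticket's reasoning the drop-in has to go as well, which is why the combined check requires both conditions.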

I wouldn't trust heads; an early version had the control port open for Tor without a filter/whitelist, and a simple GETINFO address to the Tor control port would reveal your true IP. It's since been fixed, but that's an amateur mistake.

Who cares about their IP? If you can get RCE on a tails user, go for the electrum/bitcoin wallet. 90% of people who use tails are drug dealers/buyers.

Before reddit.com/r/darknetmarketsnoobs was banned, it had thousands of viewers a day, and the posts were mostly normies having issues running Tails.

Also, a simple priv escalation bug just was fixed in the latest version of heads 0.4. Updates weren't even GPG signed. Use heads with caution.

How does Tails get millions of dollars in donations? I literally made something that works exactly like Tails with Debian live-build in 3 days with a few hours of work a day. It didn't have the auto-update infrastructure, but still. It was the same way that Tails builds images: through Debian live-build scripts with a package list and preconfigured configs.