
Simple clearnet connection proof of concept for Tails


#1

Unlike in Whonix, it’s very easy to start a clearnet connection in Tails - one can use the "Unsafe Browser" (included for the purpose of connecting to captive networks).

https://tails.boum.org/contribute/design/Unsafe_Browser/

This browser comes with many warnings though to prevent the user from gaining a false sense of safety.

The browser runs with the clearnet user. Code for that is at the above link.

I am looking for a simple proof of concept though, demonstrating that a simple bash script can create a direct connection to a clearnet site without any warnings (on Tails).

Needless to say, the same script is expected to fail in Whonix.

Is this possible?


#2

Yes. But this is something you will have to figure out.


#3

With or without root access?

Without root access / root privilege escalation exploit I wouldn’t know.

Assuming Tails booted with manually enabling root access boot options (if it still exists, I guess so).

Untested. I lack motivation to actually test this. But perhaps below works. That’s my conclusion from reading their code related to that since I was interested in it for other reasons earlier. (These reasons were: Tor Browser over clearnet, separate Tor/i2p browser profiles)


Prerequisite: find out the IP address of check.torproject.org. This has to be done on some system with functional system DNS such as a clearnet host or Whonix-Workstation or some online service. (Since my instructions below do not include how to make DNS working.)

nslookup check.torproject.org

Address: 138.201.14.212

The IP address remained unchanged for at least over a year now or so, I think.


I don’t know if curl is installed by default in Tails. May or may not be required.

sudo apt-get update
sudo apt-get install curl

From now, assuming curl is installed and root access is available.

The following command can fetch https://check.torproject.org even while DNS is unconfigured.

sudo -u clearnet curl --tlsv1.2 --proto =https -H 'Host: check.torproject.org' -k https://138.201.14.212

If that worked, to see your external IP more easily:

sudo -u clearnet curl --tlsv1.2 --proto =https -H 'Host: check.torproject.org' -k https://138.201.14.212 | grep IP

To make clearnet DNS access (for user clearnet) functional the following may or may not work.

sudo cp /etc/resolv-over-clearnet.conf /etc/resolv.conf

Prevent sudo from complaining about failing to resolve the ‘amnesia’ host.

echo "127.0.0.1 localhost amnesia" | sudo tee -a /etc/hosts

In case DNS is functional, even the following should work.

sudo -u clearnet curl --tlsv1.2 --proto =https https://check.torproject.org

Perhaps also nslookup would work.

sudo -u clearnet nslookup check.torproject.org
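The post above relies on reading the check.torproject.org page by eye (or grepping for "IP"). The following is an added example, not code from the thread or from Tails, that turns that check into a small leak test a user can script: it classifies a check.torproject.org response as Tor or clearnet using the two sentences that service prints, pulls out the IP it reports, and wraps a fetch over whatever route the calling user has. The sample HTML bodies, the `<strong>` markup around the IP, and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread or from Tails): classify a
# check.torproject.org response so a script can tell whether a given
# network path really went through Tor.
# Verdict exit codes: 0 = Tor, 1 = clearnet (not Tor), 2 = unknown.

tor_verdict() {
    # $1: HTML body of https://check.torproject.org/
    # The two sentences below are the ones the service prints.
    case "$1" in
        *"Congratulations. This browser is configured to use Tor."*)
            echo tor; return 0 ;;
        *"Sorry. You are not using Tor."*)
            echo clearnet; return 1 ;;
        *)
            echo unknown; return 2 ;;
    esac
}

reported_ip() {
    # $1: HTML body. Print the first dotted-quad found, or nothing.
    # The markup around the address is an assumption, so the match is
    # deliberately loose rather than tied to a particular tag.
    printf '%s\n' "$1" | grep -o '[0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}' | head -n 1
}

verify_path() {
    # $1 (optional): URL, default https://check.torproject.org/
    # Fetches with curl over the caller's default route (on Tails or
    # Whonix that should be Tor) and reports the verdict. Returns the
    # verdict code so it can be used in a script's exit status.
    # Not run at load time; call it explicitly.
    url="${1:-https://check.torproject.org/}"
    body=$(curl -sS --tlsv1.2 --proto =https "$url") || {
        echo "fetch failed: $url" >&2; return 2
    }
    verdict=$(tor_verdict "$body"); rc=$?
    echo "verdict=$verdict ip=$(reported_ip "$body")"
    return $rc
}

# Constructed sample bodies (documentation IP ranges) for offline use.
SAMPLE_TOR='<html><body><h1>Congratulations. This browser is configured to use Tor.</h1>
<p>Your IP address appears to be: <strong>198.51.100.9</strong></p></body></html>'
SAMPLE_CLEARNET='<html><body><h1>Sorry. You are not using Tor.</h1>
<p>Your IP address appears to be: <strong>203.0.113.7</strong></p></body></html>'

# Example usage (offline): tor_verdict "$SAMPLE_CLEARNET" prints "clearnet".
# Example usage (online):  verify_path && echo "traffic goes via Tor"
```

A non-zero verdict from `verify_path` is the signal that the route the script used bypassed Tor; running it once as the normal user and comparing with a run over any other route makes the leak the thread is discussing visible without reading HTML by hand.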

#4

Thanks.

curl is installed by default, and for the sake of the proof of concept, connecting to an IP will do, so no need to handle DNS.

But, root access is a deal breaker.

My thinking goes - if the “unsafe browser” runs without root, should it not be possible to do a trivial connection (as in your curl examples) without it?

I guess I need to dig inside the bash scripts that run that browser to figure out the answer.


#5

Tails is using sudo/root to set up the chroot and uses sudo -u clearnet to start the browser. So while the browser runs indeed as non-root, the procedure requires root rights. This is possible through the /etc/sudoers.d/zzz unsafe-browser exception. This however doesn’t grant a path to executing arbitrary code/programs as user root or user clearnet. If you find a way to do that, I guess Tails might consider this a security bug.


#6

To script it, it should be possible to use some browser automation software like selenium. But that’s a lot more involved than a simple bash script.


#7

I see. The next thing to try will be to replicate the script that runs the browser, but without warnings and possibly with a different profile. They probably closed that potential hole too but worth checking.

BTW, if selenium or anything similar requires root privileges to install, this is also a no-no.


#8

May be possible to install it in the home folder including all its dependencies. Not a fun exercise.


#9

unsafe-browser.desktop.in uses sudo unsafe-browser. And only for that there is a sudoers exception.

https://git-tails.immerda.ch/tails/plain/config/chroot_local-includes/usr/local/lib/tails-shell-library/tor-browser.sh uses:

TBB_INSTALL=/usr/local/lib/tor-browser
TBB_PROFILE=/etc/tor-browser/profile
TBB_EXT=/usr/local/share/tor-browser-extensions

All locations non-root accessible.

I am pretty sure Tails developers have root vs non-root in mind during development.


#10

I found this:

The X11 protocol has long been known to not provide isolation between windows. Here I will show that it can be abused to bypass the firewall without any user interaction or visible side-effects by abusing the Unsafe Browser.

https://redmine.tails.boum.org/code/issues/15635


#11

Instead of weakening Whonix to allow clearnet access, why not use a vanilla Linux distro installed in a VM for that purpose? Since Whonix is mainly for hypervisors you have no problem multiplexing your setup to run many instances at the same time.


#12

I completely agree with you. The purpose of this exercise is to demonstrate why an unsafe browser, or any kind of clearnet access in a system that tries to be anonymous isn’t a good idea.

I would very much NOT want to see a similar feature in Whonix.

The above exploit, by the way, was reported to Tails 9 months ago, and still works.