Simple clearnet connection proof of concept for Tails

Unlike in Whonix, it’s very easy to start a clearnet connection in Tails - one can use the "Unsafe Browser" (included for the purpose of connecting to captive networks).

https://tails.boum.org/contribute/design/Unsafe_Browser/

This browser comes with many warnings though to prevent the user from gaining a false sense of safety.

The browser runs with the clearnet user. Code for that is at the above link.

I am looking for a simple proof of concept though, demonstrating that a simple bash script can create a direct connection to a clearnet site without any warnings (on Tails).

Needless to say, the same script is expected to fail in Whonix.

Is this possible?

Yes. But this is something you will have to figure out.

With or without root access?

Without root access / root privilege escalation exploit I wouldn’t know.

Assuming Tails booted with manually enabling root access boot options (if it still exists, I guess so).

Untested. I lack motivation to actually test this. But perhaps below works. That’s my conclusion from reading their code related to that since I was interested in it for other reasons earlier. (These reasons were: Tor Browser over clearnet, separate Tor/i2p browser profiles)


Prerequisite: find out the IP address of check.torproject.org. This has to be done on some system with functional system DNS such as a clearnet host or Whonix-Workstation or some online service. (Since my instructions below do not include how to make DNS working.)

nslookup check.torproject.org

Address: 138.201.14.212

The IP address remained unchanged for at least over a year now or so, I think.


I don’t know if curl is installed by default in Tails. May or may not be required.

sudo apt-get update
sudo apt-get install curl

From now, assuming curl is installed and root access is available.

The following command can fetch https://check.torproject.org even while DNS is unconfigured.

sudo -u clearnet curl --tlsv1.2 --proto =https -H 'Host: check.torproject.org' -k https://138.201.14.212

If that worked, the following shows your external IP more easily.

sudo -u clearnet curl --tlsv1.2 --proto =https -H 'Host: check.torproject.org' -k https://138.201.14.212 | grep IP

To make clearnet DNS access (for user clearnet) functional the following may or may not work.

sudo cp /etc/resolv-over-clearnet.conf /etc/resolv.conf

Prevent sudo from complaining about failing to resolve the ‘amnesia’ host.

echo "127.0.0.1 localhost amnesia" | sudo tee -a /etc/hosts

In case DNS is functional, even the following should work.

sudo -u clearnet curl --tlsv1.2 --proto =https https://check.torproject.org

Perhaps also nslookup would work.

sudo -u clearnet nslookup check.torproject.org

Thanks.

curl is installed by default, and for the sake of the proof of concept, connecting to an IP will do, so no need to handle DNS.

But, root access is a deal breaker.

My thinking goes - if the “unsafe browser” runs without root, should it not be possible to do a trivial connection (as in your curl examples) without it?

I guess I need to dig inside the bash scripts that run that browser to figure out the answer.

Tails is using sudo/root to set up the chroot and uses sudo -u clearnet to start the browser. So while the browser runs indeed as non-root, the procedure requires root rights. This is possible through the /etc/sudoers.d/zzz unsafe-browser exception. This however doesn’t grant a path to executing arbitrary code/programs as user root or user clearnet. If you find a way to do that, I guess Tails might consider this a security bug.

To script it, it should be possible to use some browser automation software like selenium. But that’s a lot more involved than a simple bash script.
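The point made above is that a sudoers exception for one launcher does not translate into permission to run arbitrary commands as root or as the clearnet user. As an added illustration (not Tails or Whonix code, and not posted by anyone in this thread), here is a small auditor that parses sudoers-style rules and answers "can this user run that command as that target user without a password?". The rule text is constructed for the example; the launcher path /usr/local/sbin/unsafe-browser and the second, deliberately broad rule are assumptions, not the contents of the real Tails sudoers file.

```python
"""Audit sudoers-style rules: which commands may a user run, as whom, and
without a password?  Added example; the rules below are constructed."""
import re

# Constructed sample in sudoers syntax (NOT the real Tails file).
SAMPLE_SUDOERS = """
Defaults env_reset
root    ALL=(ALL:ALL) ALL
# constructed: narrow exception, one launcher only (path is an assumption)
amnesia ALL=(root) NOPASSWD: /usr/local/sbin/unsafe-browser
# constructed: a dangerously broad rule, included only for contrast
amnesia ALL=(clearnet) NOPASSWD: ALL
"""

# user  host=(runas[:group])  [TAG:]*  cmd[, cmd...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return a list of rule dicts; comments, blanks and Defaults are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # aliases and other constructs are out of scope here
        # "(ALL:ALL)" -> runas user "ALL"; missing runas defaults to root
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append({
            "user": m.group("user"),
            "runas": runas,
            "nopasswd": "NOPASSWD" in tags,
            "cmds": cmds,
        })
    return rules


def can_run(rules, user, runas, cmd):
    """True if some rule lets `user` run `cmd` as `runas` without a password."""
    for r in rules:
        if r["user"] != user or not r["nopasswd"]:
            continue
        if r["runas"] not in (runas, "ALL"):
            continue
        if "ALL" in r["cmds"] or cmd in r["cmds"]:
            return True
    return False


def audit(rules, user):
    """List (runas, command, nopasswd, severity) for every rule granted to `user`.
    A bare ALL command is flagged 'broad'; a fixed path is 'narrow'."""
    findings = []
    for r in rules:
        if r["user"] != user:
            continue
        for c in r["cmds"]:
            severity = "broad" if c == "ALL" else "narrow"
            findings.append((r["runas"], c, r["nopasswd"], severity))
    return findings


if __name__ == "__main__":
    rules = parse_sudoers(SAMPLE_SUDOERS)
    for f in audit(rules, "amnesia"):
        print(f)
    # The narrow launcher rule alone does not allow curl as root:
    print(can_run(rules, "amnesia", "root", "/usr/bin/curl"))
```

Run against a real host you would feed it the concatenation of /etc/sudoers and /etc/sudoers.d/*, or simply compare its verdict with `sudo -l`; the auditor's value is in flagging any `ALL` command or runas that would turn a single-launcher exception into a general clearnet escape hatch.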

I see. The next thing to try will be to replicate the script that runs the browser, but without warnings and possibly with a different profile. They probably closed that potential hole too but worth checking.

BTW, if selenium or anything similar requires root privileges to install this is also a no-no.

May be possible to install it in the home folder including all its dependencies. Not a fun exercise.

unsafe-browser.desktop.in uses sudo unsafe-browser. And only for that there is a sudoers exception.

https://git-tails.immerda.ch/tails/plain/config/chroot_local-includes/usr/local/lib/tails-shell-library/tor-browser.sh uses:

TBB_INSTALL=/usr/local/lib/tor-browser
TBB_PROFILE=/etc/tor-browser/profile
TBB_EXT=/usr/local/share/tor-browser-extensions

All locations non-root accessible.

I am pretty sure Tails developers have root vs non-root in mind during development.

I found this:

The X11 protocol has long been known to not provide isolation between windows. Here I will show that it can be abused to bypass the firewall without any user interaction or visible side-effects by abusing the Unsafe Browser.


Instead of weakening Whonix to allow clearnet access, why not use a vanilla Linux distro installed in a VM for that purpose? Since Whonix is mainly for hypervisors you have no problem multiplexing your setup to run many instances at the same time.

I completely agree with you. The purpose of this exercise is to demonstrate why an unsafe browser, or any kind of clearnet access in a system that tries to be anonymous isn’t a good idea.

I would very much NOT want to see a similar feature in Whonix.

The above exploit, by the way, was reported to Tails 9 months ago, and still works.
