The FBI recently used a 0day exploit to hack a TAILS user and expose their real IP.

I am interested in how they could have managed to obtain the user's real public IP after compromising the machine. Since Tails sends ALL network communications over Tor, simply having the computer report to a server controlled by the FBI wouldn't help, as the server would still only receive the IP of an exit node (and assuming the computer is connected to a Wi-Fi network, it would only know its local IP, not the public IP). Would they have to patch the OS somehow to allow communications without Tor, which might further require some privilege escalation exploit, or is there any simpler way that I'm missing?

– nobody

2 Answers

You are right that Tails only enforces connection over the Tor circuit. Even if there's malware running with application privileges, its traffic has to be routed through Tor. User-level applications cannot enforce their own network configuration in Tails. As Facebook refused to disclose the vulnerability, this is what might have happened.

  1. Media file carries the payload.

> a zero-day exploit in Tails: a bug in its video player

  2. On running the media file, the payload exploited a vulnerability in the media player to execute arbitrary code inside the payload. At least a vulnerability in the media player is confirmed by Facebook.

  3. That arbitrary code exploited a second vulnerability to gain privilege escalation.

  4. Now that the payload has system privileges, it patched the system to bypass the Tor circuit.

  5. The malware was able to connect with the FBI-controlled server directly.

It's likely a chain of vulnerabilities with a privilege escalation attack. Given that the cost of this exploit is in 6 figures and Facebook's non-compliance with vulnerability disclosure, it's safe to assume that a critical zero-day exploit was involved.

> Sources told Vice that since an upcoming Tails update was slated to strip the vulnerable code, Facebook didn’t bother to do so.

It is still not clear from this context where the vulnerability resides, apart from the one which was in the media player, as compromising an application in Tails doesn't give you the privilege of bypassing the Tor circuit. We still have to wait for an official response from the maintainers of Tails. No CVE has been assigned as of now.

– defalt
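The answer above rests on the point that Tails enforces Tor at the kernel's packet filter, so an unprivileged process cannot opt out. The following nftables ruleset is an added illustration of that principle written for this page; it is not Tails' own ruleset (Tails builds its policy with ferm), and the user name `debian-tor` and the ports 9040/5353 are assumed values chosen to match a typical Tor `TransPort`/`DNSPort` configuration.

```nft
#!/usr/sbin/nft -f
# Illustrative Tor-only egress policy (added example, not Tails' actual configuration).
# Assumptions: Tor runs as system user "debian-tor", listens on 127.0.0.1:9040
# (TransPort) and 127.0.0.1:5353 (DNSPort).

flush ruleset

table inet tor_only {
    chain nat_output {
        type nat hook output priority -100;

        # Plain DNS from any other user is silently steered into Tor's DNSPort,
        # so a compromised app cannot leak a lookup to the local resolver.
        meta skuid != "debian-tor" udp dport 53 redirect to :5353
        meta skuid != "debian-tor" tcp dport 53 redirect to :5353
    }

    chain output {
        # Default policy: nothing leaves the host unless a rule below allows it.
        type filter hook output priority 0; policy drop;

        # Loopback carries the SOCKS, TransPort and DNSPort traffic to Tor itself.
        oif "lo" accept

        # Only the Tor daemon's own process may talk to the network directly.
        meta skuid "debian-tor" accept

        # Everything else (a media player, a shell spawned from it, a direct
        # "what is my IP" request) is rejected before it reaches the wire.
        counter reject with icmpx type admin-prohibited
    }
}
```

Load it with `nft -f tor_only.nft` as root, then try any direct connection from a normal user account: the socket fails with an "administratively prohibited" error, while the same request through Tor's SOCKS port still works. The decision is made per packet on the sender's UID (`meta skuid`), so no amount of code running as the media player's user can change the outcome; only a process holding `CAP_NET_ADMIN` (root) can flush or rewrite the table. That is exactly why the chain described in the answer needs a privilege escalation step before step 4 can happen, and why a CVE against the player alone does not explain a direct IP leak.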
Essentially, Facebook had an exploit developed that permitted them to obtain information (or execute code, who knows?) on the local system, thus bypassing all network-based protections provided by Tor. They hacked into the target's computer using a purposely developed exploit - by definition a zero-day.

On the local system there are multiple ways to find the external IP address, some more efficient than others. For example, they could have issued requests towards a known host on the Internet, deliberately outside the SOCKS proxy that routes into Tor. Something akin to accessing "whatsmyip".

Here is the original story: https://www.vice.com/en_us/article/v7gd9b/facebook-helped-fbi-hack-child-predator-buster-hernandez

– Pedro
  • Is that possible on Tails? Doesn't Tails force all inbound and outbound communications over Tor? – nobody Jun 16 '20 at 10:17
  • Possible it certainly is. Also remember not all comms are HTTP. – Pedro Jun 16 '20 at 10:18
  • @nobody sure, but if you root the thing, you can do what you want. – multithr3at3d Jun 16 '20 at 12:07
  • @multithr3at3d Yeah but the exploit mentioned in the article was for a video player. I doubt that would result in root. Does that mean they probably had a second privilege escalation vulnerability? – nobody Jun 16 '20 at 12:26
  • That has not been disclosed. Could be root remote code execution. Could be privesc after RCE. Could be (most likely) that whatever they needed to find could be found without root. – Pedro Jun 16 '20 at 12:54