Re: [Full-disclosure] Most Linux distributions don't use tmpfs nor encrypt swap by default

On Sun, Apr 15, 2012 at 02:57:33PM GMT, Pedro Martelletto [pe...@ambientworks.net] said the following:
> > I know OpenBSD has an encrypt swapfs setting on its rc.conf file
> > though not activated by default.
>
> i believe it is activated by default:
>
> http://marc.info/?l=openbsd-cvs&m=85331505174

Thanks for catching that. Sorry, what I had in e-mail was wrong, but the chart on the report is correct. I think I meant FreeBSD.

--
Mark S. Krenz
IT Director
Suso Technology Services, Inc.
Sent from Mutt using Linux

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Most Linux distributions don't use tmpfs nor encrypt swap by default

On Thu, Apr 12, 2012 at 10:53:47PM GMT, Grandma Eubanks [tborla...@gmail.com] said the following:
> Fedora Core 15:
>
> /dev/mapper/vg_youwish-lv_swap swap swap defaults 0 0
> tmpfs /tmp tmpfs defaults 0 0
>
> Removed other options it should have, but defaults do not include
> nosuid,nodev,noexec.

You obviously customized the install or changed it post installation, as this is not the default way it gets set up. Below is the filesystem setup when using all the default options (no customization):

# df -hP
Filesystem                           Size  Used Avail Use% Mounted on
rootfs                               5.5G  2.1G  3.4G  39% /
udev                                 495M     0  495M   0% /dev
tmpfs                                502M  272K  501M   1% /dev/shm
tmpfs                                502M  612K  501M   1% /run
/dev/mapper/vg_fedora15test-lv_root  5.5G  2.1G  3.4G  39% /
tmpfs                                502M     0  502M   0% /sys/fs/cgroup
tmpfs                                502M     0  502M   0% /media
/dev/sda1                            485M   30M  430M   7% /boot
/dev/mapper/vg_fedora15test-lv_root  5.5G  2.1G  3.4G  39% /tmp
/dev/mapper/vg_fedora15test-lv_root  5.5G  2.1G  3.4G  39% /var/tmp
/dev/mapper/vg_fedora15test-lv_root  5.5G  2.1G  3.4G  39% /home

Despite what the above looks like, /tmp is actually part of the root filesystem.

Yes, of course you can change your setup post install, or if you're daring enough during the install, but that wasn't the point of the research.

--
Mark S. Krenz
IT Director
Suso Technology Services, Inc.
Sent from Mutt using Linux
[Full-disclosure] Most Linux distributions don't use tmpfs nor encrypt swap by default

Hello.

After posting the flaw with libvte's handling of the scrollback buffer (writing it to disk), there were several people who made the erroneous claim that most distributions of Linux use tmpfs now and encrypt swap and that this shouldn't be an issue. Because these claims attempted to diminish the importance of the flaw for many, I installed most of the popular distributions of Linux as well as some of the BSDs for comparison to see what their default setup was after installation.

I have found that of the 35+ distribution versions that I tested, only the latest Arch Linux puts /tmp on tmpfs by default, and the only other distributions that show it as an option during installation are Mageia or PC Linux OS. So the libvte flaw indeed is a widespread problem.

I've documented the results at:
http://www.climagic.org/bugreports/libvte-flaw-distro-defaults-chart.html

You can view the libvte bug report here:
http://climagic.org/bugreports/libvte-scrollback-written-to-disk.html

Extra Note: I'm not suggesting that everyone put their /tmp on tmpfs and/or start using an encrypted filesystem. There are other considerations which I talk about in the document above.

--
Mark S. Krenz
IT Director
Suso Technology Services, Inc.
Sent from Mutt using Linux
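An added audit helper, written for this archive and not taken from the thread or its author, that turns the questions raised in the two posts above (is /tmp a separate tmpfs mount, does it carry nosuid,nodev,noexec, and is swap sitting on a dm-crypt mapping?) into something you can run on a host or against captured output. It consumes the text of /proc/mounts, /proc/swaps and `dmsetup table`; the sample inputs are constructed, and the assumption that device-mapper swap entries show up as /dev/mapper/<name> rather than /dev/dm-N is mine.

```sh
#!/bin/sh
# Added audit helper, not part of the mailing-list posts.
# Answers two questions from the thread for one host:
#   1. Is /tmp its own mount, and if so is it tmpfs and does it carry
#      nosuid,nodev,noexec?
#   2. Is each active swap device a dm-crypt mapping?
# Both checks take text (contents of /proc/mounts, /proc/swaps and the
# output of "dmsetup table") so they work on captured files as well as live.

# tmp_mount_report MOUNTS_TEXT
#   Prints "<fstype> missing=<opts>" for the /tmp mount, where <opts> lists
#   the hardening options that are absent (or "none"), or a note that /tmp
#   is not a separate mount at all (the Fedora 15 default quoted above).
tmp_mount_report() {
    # Later lines in /proc/mounts shadow earlier ones, so keep the last match.
    match=$(printf '%s\n' "$1" | {
        last=""
        while read -r dev mnt fstype opts rest; do
            if [ "$mnt" = /tmp ]; then last="$fstype $opts"; fi
        done
        printf '%s' "$last"
    })
    if [ -z "$match" ]; then
        echo "no separate /tmp mount (lives on the root filesystem)"
        return 0
    fi
    fstype=${match%% *}
    opts=${match#* }
    missing=""
    for want in nosuid nodev noexec; do
        case ",$opts," in
        *",$want,"*) ;;
        *) missing="${missing:+$missing,}$want" ;;
        esac
    done
    echo "$fstype missing=${missing:-none}"
}

# dm_target NAME DMTABLE_TEXT -> target type of mapping NAME ("crypt",
#   "linear", ...) or "none" when NAME is not in the table.
dm_target() {
    found=$(printf '%s\n' "$2" | while read -r tname start len target rest; do
        if [ "${tname%:}" = "$1" ]; then echo "$target"; break; fi
    done)
    echo "${found:-none}"
}

# swap_report SWAPS_TEXT DMTABLE_TEXT
#   One line per swap entry: "<device> encrypted|plain|unmapped".
#   Assumption: device-mapper swaps are listed as /dev/mapper/<name>; if your
#   /proc/swaps shows /dev/dm-N, resolve the name via /sys/block/dm-N/dm/name.
swap_report() {
    printf '%s\n' "$1" | {
        header=1
        while read -r dev type size used prio; do
            if [ "$header" = 1 ]; then header=0; continue; fi
            [ -n "$dev" ] || continue
            case $dev in
            /dev/mapper/*)
                if [ "$(dm_target "${dev#/dev/mapper/}" "$2")" = crypt ]; then
                    echo "$dev encrypted"
                else
                    echo "$dev plain"
                fi ;;
            *) echo "$dev unmapped" ;;
            esac
        done
    }
}

# Constructed sample input, modelled on the Fedora 15 layout quoted in the
# thread with a tmpfs /tmp and one dm-crypt swap added for contrast.
# The key field in the crypt line is a placeholder (dmsetup masks it anyway).
SAMPLE_MOUNTS='/dev/mapper/vg_fedora15test-lv_root / ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'
SAMPLE_MOUNTS_NO_TMP='/dev/mapper/vg_fedora15test-lv_root / ext4 rw,relatime 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0'
SAMPLE_SWAPS='Filename Type Size Used Priority
/dev/mapper/cryptswap partition 2097148 0 -1
/dev/mapper/vg_fedora15test-lv_swap partition 2097148 0 -2'
SAMPLE_DMTABLE='cryptswap: 0 4194296 crypt aes-xts-plain64 0000000000000000 0 8:3 4096
vg_fedora15test-lv_swap: 0 4194304 linear 8:2 2048'

if [ "${1-}" = --live ]; then
    tmp_mount_report "$(cat /proc/mounts)"
    swap_report "$(cat /proc/swaps)" "$(dmsetup table 2>/dev/null)"
else
    tmp_mount_report "$SAMPLE_MOUNTS"          # tmpfs missing=noexec
    tmp_mount_report "$SAMPLE_MOUNTS_NO_TMP"   # no separate /tmp mount (...)
    swap_report "$SAMPLE_SWAPS" "$SAMPLE_DMTABLE"
fi
```

Run it with `--live` (as root, so `dmsetup table` can read the mappings) to check a real host; without arguments it runs on the constructed samples. A "plain" swap result is the case the thread is about: anything a process paged out, scrollback included, lands on the disk unencrypted.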
Re: [Full-disclosure] gnome-terminal, xfce4-terminal, terminator and others write scrollback buffer to disk

On Wed, Mar 07, 2012 at 01:12:04AM GMT, coderman [coder...@gmail.com] said the following:
> On Tue, Mar 6, 2012 at 1:46 PM, Mark Krenz wrote:
> > Title: Gnome terminal, xfce4-terminal, terminator and other libVTE based
> > terminals write scrollback buffer data to /tmp filesystem
>
> temp data in /tmp ? i'm shocked, SHOCKED!
>
> *cough*

I think you misread that as temp. It says term. Might want to get your eyes checked. ;-)

--
Mark S. Krenz
IT Director
Suso Technology Services, Inc.
Sent from Mutt using Linux
[Full-disclosure] gnome-terminal, xfce4-terminal, terminator and others write scrollback buffer to disk

Title: Gnome terminal, xfce4-terminal, terminator and other libVTE based terminals write scrollback buffer data to /tmp filesystem
Report date: 2011-03-06
Reported by: Mark Krenz
Severity: High depending on use and expectations
Software: libVTE v0.21.6 and later (since September 17th, 2009)
Copy of report available at: http://www.climagic.com/bugreports/libvte-scrollback-written-to-disk.html

Affected software:
---
gnome-terminal
terminator
xfce4-terminal
guake
evilvte
lilyterm
sakura
termit
Anything else that uses libVTE for a terminal widget.

Summary:
---
Due to the way the history buffer is saved in terminal emulators using libVTE after version 0.21.6, data from inside your terminal window can end up on your local filesystem. This is most likely unexpected behavior in a terminal emulator and represents a very significant security issue.

Worst case scenario:
---
Classified, secret or medical information that was accessed through a terminal window was thought to be safe because it was on a remote server and only accessed via SSH, but now it's also on the hard drive that is for sale online or stolen without having been wiped, because this issue was not accounted for.

References:
---
http://ftp.gnome.org/pub/GNOME/sources/vte/0.21/vte-0.21.6.changes
https://bugzilla.gnome.org/show_bug.cgi?id=664611
https://bugzilla.gnome.org/show_bug.cgi?id=631685
https://bugzilla.xfce.org/show_bug.cgi?id=8183
https://plus.google.com/u/0/104947878052533251426/posts/Q9JmPiEckD9
http://www.climagic.com/bugreports/libvte-scrollback-written-to-disk.html

Video demonstration:
---
I felt that the problems caused by this flaw can't be stressed enough and made a video demonstrating this problem. It can be viewed at:
http://www.youtube.com/watch?v=LgNLHskYvVE

Description:
---
The libVTE library implements the virtual terminal widget that is used by many widely used terminal emulators.
This library handles how text is displayed within the terminal and also handles how the scrollback buffer is saved. On September 17th, 2009 a change was committed to libVTE by Behdad Esfahbod that altered the way the scrollback buffer was implemented in libVTE. The new way creates a file in the /tmp filesystem and immediately unlinks it. This is not an uncommon way of handling tmp files; however, there are probably many people who would not expect data from within the terminal window to be written to disk. There is a sense of trust that the data in the terminal is only stored in memory and is cleared when the computer is shut off. In a sense, this bug is allowing the data to "break the fourth wall".

I discovered this issue in November of 2011 while talking about uses for the lsof command on the @climagic Twitter account. I immediately found which software was the culprit and submitted a bug report to Gnome's Bugzilla. The response so far has been that the developer doesn't consider this a bug. I also wrote to Behdad Esfahbod about the issue but have not heard back from him. I was giving these people a bit of time to respond or resolve the issue, but apparently that isn't going to happen without making a bigger deal of it.

Other knowledgeable security people have considered this a major security issue. Daniel Gillmor brought this security issue up with the libvte developer Behdad Esfahbod in June of 2011 in bug #631685, but didn't seem to convince Behdad that the code needed to be changed. Behdad indicated at the time that he wasn't planning on working on libVTE in the future. There have been a few posts in recent months in this bug report about seeing if something can be done in the kernel, but the two developers discussing it seem to be convinced that it's OK to write this data to disk.

Some may not consider this a bug and make the excuse that your terminal's memory stack may end up in swap anyways, or that only root would have access to the data, or that you should encrypt /tmp. However, due to the wide variety of ways in which people implement security on their systems, knowledge of this issue is essential to everyone who uses one of these affected terminal emulators. With as much memory as we have on modern hardware, some people simply turn off swap, which avoids the stack in swap issue. But those people may not know about this scrollback buffer issue.

Testing and reproducing the issue:
-
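The report says the scrollback file is created in /tmp and immediately unlinked, and that the author first noticed it with lsof. The following is an added example, written for this archive and not taken from the report or from libVTE, that does the same check straight from /proc: it lists descriptors of a process that still point at files unlinked from a given directory, which is exactly what an open-but-deleted scrollback file looks like. The directory argument and the "(deleted)" suffix are Linux /proc conventions; the exact scrollback file name is not assumed, any unlinked entry under the directory is reported. The demo at the bottom creates and unlinks its own file to show the shape of a hit.

```sh
#!/bin/sh
# Added example, not part of the original report: find file descriptors that
# still reference files unlinked from a directory (the /proc equivalent of
# "lsof | grep deleted"). A libVTE terminal's scrollback file shows up here
# as "<dir>/... (deleted)" for the terminal's pid.

# unlinked_open_files PID DIR
#   Prints one line per descriptor, "<fd> <path> (deleted)", for files under
#   DIR that have been unlinked but are still open; prints nothing otherwise.
#   Needs Linux /proc and permission to read /proc/PID/fd (own processes, or root).
unlinked_open_files() {
    pid=$1 dir=${2%/}
    [ -d "/proc/$pid/fd" ] || return 0      # process gone or /proc unavailable
    for fd in /proc/"$pid"/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
        "$dir"/*" (deleted)") printf '%s %s\n' "${fd##*/}" "$target" ;;
        esac
    done
}

# count_unlinked_open_files PID DIR -> number of such descriptors, for scripting
count_unlinked_open_files() {
    unlinked_open_files "$1" "$2" | wc -l | tr -d ' '
}

# scan_all_processes DIR
#   Runs the same check over every process whose fd table the caller can read
#   and prefixes each hit with the pid and command name.
scan_all_processes() {
    for p in /proc/[0-9]*; do
        pid=${p##*/}
        out=$(unlinked_open_files "$pid" "$1") || continue
        [ -n "$out" ] || continue
        comm=$(cat "$p/comm" 2>/dev/null || echo '?')
        printf '%s\n' "$out" | while read -r fd path; do
            printf 'pid=%s comm=%s fd=%s %s\n' "$pid" "$comm" "$fd" "$path"
        done
    done
}

# Demonstration on this shell itself: open a file under the temp directory,
# unlink it while the descriptor stays open, and show the check finding it.
demo() {
    dir=${TMPDIR:-/tmp}
    f="$dir/unlinked-demo-$$"
    : > "$f"
    exec 3< "$f"          # hold it open on fd 3, as a terminal holds its buffer
    rm -f "$f"
    unlinked_open_files $$ "$dir"     # prints: 3 <dir>/unlinked-demo-<pid> (deleted)
    exec 3<&-
}
demo
```

To look for real scrollback files rather than the demo's, call `scan_all_processes /tmp` (as the user whose terminals you want to see, or as root for everyone's) and look at the hits for gnome-terminal, xfce4-terminal and the other libVTE front ends listed above. Note what the result does and does not tell you: a hit means the data is being written to the filesystem that backs /tmp right now; no hit does not mean old scrollback never reached the disk.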