[Bug 1881982] Re: memory exhaustion in parse_report()

2020-06-19 Thread Seong-Joong Kim
** Description changed:

  Hi,
  
  I have found a security issue on whoopsie 0.2.69 and earlier.
  
- ## Vulnerability in whoopsie
- - It was discovered that whoopsie incorrectly handled certain malformed crash 
files. If a user using whoopsie were tricked into parsing and uploading a 
specially crafted crash file, an attacker could exploit this to cause a denial 
of service. 
+ # Vulnerability description
+ The parse_report() function in whoopsie.c allows attackers to cause a denial 
of service (memory leak) via a crafted file. 
+ Exploitation of this issue causes excessive memory consumption, which results 
in the Linux kernel triggering the OOM killer on an arbitrary process.
+ This results in the process being terminated by the OOM killer.
  
- ## Basic
- When a program has crashed, the Linux system tries to create a '.crash' file 
in the '/var/crash/' directory with the Python script located in 
'/usr/share/apport/apport'.
- The file contains a series of system crash information including the core 
dump, syslog, stack trace, memory map info, etc.
- A user is given read and write permission to the file.
- Then whoopsie parses the key-value pairs in the ‘.crash’ file and encodes them 
into binary JSON (BSON) format.
- Lastly, whoopsie forwards the data to a remotely connected Ubuntu error 
report system.
  
- ## Vulnerability
+ # Details 
  We have found a memory leak vulnerability while parsing the crash file, 
when a collision occurs on a GHashTable through g_hash_table_insert().
  According to [1], if the key already exists in the GHashTable, its current 
value is replaced with the new value.
  If 'key_destroy_func' and 'value_destroy_func' are supplied when creating the 
table, the old value and the passed key are freed using those functions.
  Unfortunately, whoopsie does not handle the old value and the passed key when 
a collision happens.
  If a crash file contains the same key-value pair repeatedly, it leads to a 
memory leak proportional to the number of repetitions and results in 
denial-of-service.
  
- ## Attack
+ [1] https://developer.gnome.org/glib/stable/glib-Hash-Tables.html#g-hash-table-insert
+ 
+ 
+ # PoC (*Please check the below PoC: whoopsie_killer.py)
  1) Generate a malformed crash file that contains the same key-value pair 
repeatedly.
  2) Trigger whoopsie to read the generated crash file.
  3) The whoopsie process is then killed.
  
- ## Mitigation
+ 
+ # Mitigation (*Please check the below patch: g_hash_table_memory_leak.patch)
  We should use g_hash_table_new_full() with ‘key_destroy_func’ and 
‘value_destroy_func’ functions instead of g_hash_table_new().
  Alternatively, before g_hash_table_insert(), we should check for a collision 
via g_hash_table_lookup_extended(), obtain a pointer to the old value and 
remove it.
  
  Sincerely,
- 
- [1] https://developer.gnome.org/glib/stable/glib-Hash-Tables.html#g-hash-table-insert

** Summary changed:

- memory exhaustion in parse_report()
+ DoS vulnerability: cause resource exhaustion

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1881982

Title:
  DoS vulnerability: cause resource exhaustion

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/whoopsie/+bug/1881982/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
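The collision leak and the g_hash_table_new_full() mitigation described in the report above, as an added example that is not whoopsie's or GLib's code. It models GHashTable's replace-on-insert semantics with a small hash table of its own (names such as table_insert and leaked_after_parse are assumptions), so it runs with only libc and counts how many heap strings become unreachable per repeated line, with and without destroy functions.

```c
/* Added example: minimal stand-in for GHashTable's replace-on-insert semantics. */
#include <stdlib.h>
#include <string.h>

#define NBUCKETS 64
typedef void (*destroy_fn)(void *);
struct entry { char *key; char *value; struct entry *next; };
struct table {
    struct entry *buckets[NBUCKETS];
    /* both NULL models g_hash_table_new(); both set, g_hash_table_new_full() */
    destroy_fn key_destroy, value_destroy;
};
/* Count of live heap strings, so the leak is measurable without valgrind. */
static long live_strings = 0;

static char *tracked_copy(const char *s, size_t n) {
    char *p = malloc(n + 1);
    if (!p) abort();
    memcpy(p, s, n); p[n] = '\0';
    live_strings++;
    return p;
}

static void tracked_free(void *p) { free(p); live_strings--; }

static unsigned bucket_of(const char *s) {  /* djb2 */
    unsigned h = 5381;
    for (; *s; s++) h = h * 33 + (unsigned char)*s;
    return h % NBUCKETS;
}

static struct table *table_new(destroy_fn kd, destroy_fn vd) {
    struct table *t = calloc(1, sizeof *t);
    if (!t) abort();
    t->key_destroy = kd; t->value_destroy = vd;
    return t;
}

/* Mirrors g_hash_table_insert(): on a collision the old value is replaced and the
 * passed key discarded. Without destroy functions neither is freed: the leak. */
static void table_insert(struct table *t, char *key, char *value) {
    unsigned b = bucket_of(key);
    for (struct entry *e = t->buckets[b]; e; e = e->next) {
        if (strcmp(e->key, key) == 0) {
            if (t->value_destroy) t->value_destroy(e->value);
            if (t->key_destroy) t->key_destroy(key);
            e->value = value;
            return;
        }
    }
    struct entry *e = malloc(sizeof *e);
    if (!e) abort();
    e->key = key; e->value = value; e->next = t->buckets[b];
    t->buckets[b] = e;
}

/* The owner can still free whatever the table references; only the strings
 * dropped on collision are unreachable by now. */
static void table_destroy(struct table *t) {
    for (int i = 0; i < NBUCKETS; i++)
        for (struct entry *e = t->buckets[i], *n = NULL; e; e = n) {
            n = e->next;
            tracked_free(e->key); tracked_free(e->value);
            free(e);
        }
    free(t);
}

/* Parses "Key: value" lines (the .crash layout) into the table. */
static void parse_report(struct table *t, const char *report) {
    for (const char *line = report; *line; ) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *colon = memchr(line, ':', len);
        if (colon) {
            const char *v = colon + 1;
            while (v < line + len && *v == ' ') v++;
            table_insert(t, tracked_copy(line, (size_t)(colon - line)),
                            tracked_copy(v, (size_t)(line + len - v)));
        }
        line = eol ? eol + 1 : line + len;
    }
}

/* Heap strings left unreachable after parsing `repeats` copies of one line
 * and freeing the table: the per-repetition leak the report describes. */
static long leaked_after_parse(int use_destroy_funcs, int repeats) {
    const char *line = "ProblemType: Crash\n";  /* constructed sample line */
    size_t n = strlen(line), total = n * (size_t)repeats;
    char *report = malloc(total + 1);
    if (!report) abort();
    for (int i = 0; i < repeats; i++) memcpy(report + i * n, line, n);
    report[total] = '\0';
    long before = live_strings;
    struct table *t = use_destroy_funcs ? table_new(tracked_free, tracked_free)
                                        : table_new(NULL, NULL);
    parse_report(t, report);
    table_destroy(t); free(report);
    return live_strings - before;
}
```

With 1000 copies of the same line the table without destroy functions leaves 1998 strings unreachable (one old value and one passed key per repetition), while the table created with destroy functions leaves none.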

[Bug 1881982] Re: memory exhaustion in parse_report()

2020-06-17 Thread Seong-Joong Kim
Exploitation of this issue causes excessive memory consumption, which results in 
the Linux kernel triggering the OOM killer on an arbitrary process.
This results in the process being terminated by the OOM killer.
Please check the following PoC: whoopsie_killer.py

** Attachment removed: "memory leak poc"
   
https://bugs.launchpad.net/ubuntu/+source/whoopsie/+bug/1881982/+attachment/5380170/+files/memory_leak_poc.py

** Attachment added: "whoopsie_killer.py"
   
https://bugs.launchpad.net/ubuntu/+source/whoopsie/+bug/1881982/+attachment/5384875/+files/whoopsie_killer.py

-- 
https://bugs.launchpad.net/bugs/1881982

Title:
  memory exhaustion in parse_report()

[Bug 1872560] Re: integer overflow in whoopsie 0.2.69

2020-06-17 Thread Seong-Joong Kim
I am using 8 GB of RAM and the pre-compiled version of Ubuntu 18.04.

Could you tell me how much RAM you have in that machine?

-- 
https://bugs.launchpad.net/bugs/1872560

Title:
  integer overflow in whoopsie 0.2.69

[Bug 1881982] Re: memory exhaustion in parse_report()

2020-06-15 Thread Seong-Joong Kim
** Description changed:

  Hi,
  
  I have found a security issue on whoopsie 0.2.69 and earlier.
  
  ## Vulnerability in whoopsie
- - whoopsie 0.2.69 and earlier have a memory leak vulnerability.
- - An attacker can cause a denial of service (application crash) via a crafted 
.crash file.
+ - It was discovered that whoopsie incorrectly handled certain malformed crash 
files. If a user using whoopsie were tricked into parsing and uploading a 
specially crafted crash file, an attacker could exploit this to cause a denial 
of service. 
  
  ## Basic
  When a program has crashed, the Linux system tries to create a '.crash' file 
in the '/var/crash/' directory with the Python script located in 
'/usr/share/apport/apport'.
  The file contains a series of system crash information including the core 
dump, syslog, stack trace, memory map info, etc.
  A user is given read and write permission to the file.
  Then whoopsie parses the key-value pairs in the ‘.crash’ file and encodes them 
into binary JSON (BSON) format.
  Lastly, whoopsie forwards the data to a remotely connected Ubuntu error 
report system.
  
  ## Vulnerability
  We have found a memory leak vulnerability while parsing the crash file, 
when a collision occurs on a GHashTable through g_hash_table_insert().
  According to [1], if the key already exists in the GHashTable, its current 
value is replaced with the new value.
  If 'key_destroy_func' and 'value_destroy_func' are supplied when creating the 
table, the old value and the passed key are freed using those functions.
  Unfortunately, whoopsie does not handle the old value and the passed key when 
a collision happens.
  If a crash file contains the same key-value pair repeatedly, it leads to a 
memory leak proportional to the number of repetitions and results in 
denial-of-service.
  
  ## Attack
- 1) Create a fake.crash file
- The memory_leak_poc.py script measures the available memory and generates a 
malicious crash file that contains the same key-value pair, 'ProblemType: 
Crash', repeated up to 20% of the available memory size.
- 20% is an arbitrary amount of memory leakage.
- 2) Before the attack, the script checks the memory usage of the whoopsie 
process with psutil.
- 3) It triggers whoopsie to read the fake.crash file.
- 4) Then, it measures the memory usage of the whoopsie process.
- 5) It results in denial-of-service, and other users can no longer report 
crashes to the Ubuntu error report system.
+ 1) Generate a malformed crash file that contains the same key-value pair 
repeatedly.
+ 2) Trigger whoopsie to read the generated crash file.
+ 3) The whoopsie process is then killed.
  
  ## Mitigation
  We should use g_hash_table_new_full() with ‘key_destroy_func’ and 
‘value_destroy_func’ functions instead of g_hash_table_new().
  Alternatively, before g_hash_table_insert(), we should check for a collision 
via g_hash_table_lookup_extended(), obtain a pointer to the old value and 
remove it.
  
  Sincerely,
  
  [1] https://developer.gnome.org/glib/stable/glib-Hash-Tables.html#g-hash-table-insert

-- 
https://bugs.launchpad.net/bugs/1881982

Title:
  memory exhaustion in parse_report()

[Bug 1881982] Re: memory exhaustion in parse_report()

2020-06-15 Thread Seong-Joong Kim
** Summary changed:

- Memory leak in parse_report()
+ memory exhaustion in parse_report()

-- 
https://bugs.launchpad.net/bugs/1881982

Title:
  memory exhaustion in parse_report()

[Bug 1881982] Re: Memory leak in parse_report()

2020-06-15 Thread Seong-Joong Kim
This vulnerability may cause a memory exhaustion vulnerability in the
function parse_report() in whoopsie.c, which allows attackers to cause a
denial of service.

-- 
https://bugs.launchpad.net/bugs/1881982

Title:
  Memory leak in parse_report()

[Bug 1881982] Re: Memory leak in parse_report()

2020-06-10 Thread Seong-Joong Kim
** Information type changed from Private Security to Public Security

-- 
https://bugs.launchpad.net/bugs/1881982

Title:
  Memory leak in parse_report()

[Bug 1877023] Re: Unhandled exception in check_ignored()

2020-05-19 Thread Seong-Joong Kim
** Also affects: apport
   Importance: Undecided
   Status: New

-- 
https://bugs.launchpad.net/bugs/1877023

Title:
  Unhandled exception in check_ignored()

[Bug 1876659] Re: Unhandled exception in run_hang()

2020-05-19 Thread Seong-Joong Kim
** Also affects: apport
   Importance: Undecided
   Status: New

-- 
https://bugs.launchpad.net/bugs/1876659

Title:
  Unhandled exception in run_hang()

[Bug 1877023] Re: Unhandled exception in check_ignored()

2020-05-18 Thread Seong-Joong Kim
** Project changed: apport => apport (Ubuntu)

-- 
https://bugs.launchpad.net/bugs/1877023

Title:
  Unhandled exception in check_ignored()

[Bug 1872560] Re: integer overflow in whoopsie 0.2.69

2020-05-06 Thread Seong-Joong Kim
Sure. This issue is also reproducible with pre-compiled version of
0.2.62ubuntu0.4.

-- 
https://bugs.launchpad.net/bugs/1872560

Title:
  integer overflow in whoopsie 0.2.69

[Bug 1872560] Re: integer overflow in whoopsie 0.2.69

2020-05-05 Thread Seong-Joong Kim
Thank you for your reply.

Please check the following video.
https://youtu.be/pGfOzcgd5CU

It also affects on whoopsie 0.2.69.

Thanks.

-- 
https://bugs.launchpad.net/bugs/1872560

Title:
  integer overflow in whoopsie 0.2.69

[Bug 1876659] [NEW] Unhandled exception in run_hang()

2020-05-03 Thread Seong-Joong Kim
Public bug reported:

## Description
When we start apport-cli without a PID, an unhandled exception in apport 2.20.11 
and earlier may allow an authenticated user to potentially enable a denial of 
service via local access.

The following command may cause an application crash due to an unhandled
exception.

$ apport-cli --hanging

*** Send problem report to the developers?

After the problem report has been sent, please fill out the form in the
automatically opened web browser.

What would you like to do? Your options are:
  S: Send report (24.0 KB)
  V: View report
  K: Keep report file for sending later or copying to somewhere else
  I: Cancel and ignore future crashes of this program version
  C: Cancel
Please choose (S/V/K/I/C): K
Problem report file: /tmp/apport.apport.uc0_znhj.apport
Traceback (most recent call last):
  File "/usr/bin/apport-cli", line 387, in <module>
if not app.run_argv():
  File "/usr/lib/python3/dist-packages/apport/ui.py", line 690, in run_argv
self.run_hang(self.options.pid)
  File "/usr/lib/python3/dist-packages/apport/ui.py", line 410, in run_hang
os.kill(int(pid), signal.SIGKILL)
TypeError: int() argument must be a string, a bytes-like object or a number, 
not 'NoneType'


The above command generates the following application crash file in the 
/var/crash/ directory.

ProblemType: Crash
CurrentDesktop: ubuntu:GNOME
Date: Sun May  3 19:09:41 2020
ExecutablePath: /usr/bin/apport-cli
ExecutableTimestamp: 1585099033
InterpreterPath: /usr/bin/python3.6
ProcCmdline: /usr/bin/python3 /usr/bin/apport-cli --hanging
ProcCwd: /home/user/apport/bin
ProcEnviron:
 ...
ProcMaps:
 ...
ProcStatus:
 ...
PythonArgs: ['/usr/bin/apport-cli', '--hanging']
Traceback:
 Traceback (most recent call last):
   File "/usr/bin/apport-cli", line 387, in <module>
 if not app.run_argv():
   File "/usr/lib/python3/dist-packages/apport/ui.py", line 690, in run_argv
 self.run_hang(self.options.pid)
   File "/usr/lib/python3/dist-packages/apport/ui.py", line 410, in run_hang
 os.kill(int(pid), signal.SIGKILL)
 TypeError: int() argument must be a string, a bytes-like object or a number, 
not 'NoneType'
UserGroups: adm cdrom dip lpadmin plugdev sambashare sudo
_LogindSession: 6


Many thanks.

** Affects: apport (Ubuntu)
 Importance: Undecided
 Status: New

-- 
https://bugs.launchpad.net/bugs/1876659

Title:
  Unhandled exception in run_hang()

[Bug 1872560] Re: integer overflow in whoopsie 0.2.69

2020-04-22 Thread Seong-Joong Kim
** Summary changed:

- heap-based buffer overflow in bson.c
+ integer overflow in whoopsie 0.2.69

-- 
https://bugs.launchpad.net/bugs/1872560

Title:
  integer overflow in whoopsie 0.2.69

[Bug 1872560] Re: heap-based buffer overflow in bson.c

2020-04-22 Thread Seong-Joong Kim
I would like to update the contents of 'Attack Scenario'.

from:
$ python -c "print('A' * 0x + ' : ' + 'B')" > /var/crash/fake.crash

to:
$ python -c "print('A' * 0xFFFE + ' : ' + 'B')" > /var/crash/fake.crash

A segfault can arise when the following requirements are met, as I mentioned 
above.
- length of ‘value’ in .crash file => 0 < {length of ‘value’} < 1024
- length of ‘key’ in .crash file => UINT32_MAX - {length of ‘value’} - 7 < 
{length of ‘key’} < UINT32_MAX

Please check this issue.

-- 
https://bugs.launchpad.net/bugs/1872560

Title:
  heap-based buffer overflow in bson.c
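The key/value length condition above, as an added example that is not whoopsie's bson.c: overflow-checked size arithmetic for a BSON string element. It assumes the element layout type byte + key + NUL + int32 length + value + NUL, which is where the "+ 7" (the "- 7" in the report's bound) comes from; the function names are assumptions of this example.

```c
/* Added example (not whoopsie's bson.c): overflow-checked size arithmetic for
 * a BSON string element, assuming the layout type(1) + key + NUL(1) +
 * int32 length(4) + value + NUL(1), i.e. key_len + value_len + 7. */
#include <stdbool.h>
#include <stdint.h>

#define BSON_STRING_OVERHEAD 7u

/* Unchecked form: wraps modulo 2^32 when the lengths approach UINT32_MAX, so
 * a tiny buffer would be allocated for a huge key/value copy. */
static uint32_t bson_string_size_unchecked(uint32_t key_len, uint32_t value_len) {
    return key_len + value_len + BSON_STRING_OVERHEAD;
}

/* Checked form: stores the element size in *out, or returns false instead of
 * wrapping. Plain comparisons, no compiler builtins needed. */
static bool bson_string_size_checked(uint32_t key_len, uint32_t value_len,
                                     uint32_t *out) {
    if (key_len > UINT32_MAX - BSON_STRING_OVERHEAD) return false;
    uint32_t partial = key_len + BSON_STRING_OVERHEAD;
    if (value_len > UINT32_MAX - partial) return false;
    *out = partial + value_len;
    return true;
}

/* Convenience wrapper: the checked size, or 0 when the pair is rejected
 * (a real element is never smaller than the 7-byte overhead). */
static uint32_t checked_size_or_zero(uint32_t key_len, uint32_t value_len) {
    uint32_t sz;
    return bson_string_size_checked(key_len, value_len, &sz) ? sz : 0;
}

/* The trigger range quoted in the report: 0 < value_len < 1024 and
 * UINT32_MAX - value_len - 7 < key_len < UINT32_MAX. */
static bool in_reported_trigger_range(uint32_t key_len, uint32_t value_len) {
    return value_len > 0 && value_len < 1024 &&
           key_len > UINT32_MAX - value_len - BSON_STRING_OVERHEAD &&
           key_len < UINT32_MAX;
}

/* Walks every (key_len, value_len) pair in the reported range and confirms
 * two things: the unchecked size wraps to less than the value part alone
 * needs, and the checked size rejects the pair. */
static bool trigger_range_is_rejected(void) {
    for (uint32_t value_len = 1; value_len < 1024; value_len++) {
        uint32_t lo = UINT32_MAX - value_len - BSON_STRING_OVERHEAD; /* exclusive */
        for (uint32_t key_len = lo + 1; key_len < UINT32_MAX; key_len++) {
            if (!in_reported_trigger_range(key_len, value_len)) return false;
            if (bson_string_size_unchecked(key_len, value_len) >=
                value_len + BSON_STRING_OVERHEAD) return false;
            if (checked_size_or_zero(key_len, value_len) != 0) return false;
        }
    }
    return true;
}
```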

[Bug 1872560] Re: heap-based buffer overflow in bson.c

2020-04-22 Thread Seong-Joong Kim
** Information type changed from Private Security to Public Security

-- 
https://bugs.launchpad.net/bugs/1872560

Title:
  heap-based buffer overflow in bson.c

[Bug 1819406] Re: Found broken a feature for fingerprint image obfuscation

2019-07-27 Thread Seong-Joong Kim
CVE-2019-13604 and CVE-2019-13621 have been assigned.
Please check the following PoC:
https://github.com/sungjungk/fp-scanner-hacking
https://github.com/sungjungk/fp-img-key-crack


** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-13604

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-13621

-- 
https://bugs.launchpad.net/bugs/1819406

Title:
  Found broken a feature for fingerprint image obfuscation

[Bug 1822590] Re: Found storing user fingerprints without encryption

2019-04-15 Thread Seong-Joong Kim
In Ubuntu, that would be good.

Btw, I would like to request that the importance be escalated.

I think that this issue can be even more important than password
exposure in cleartext.

Once a fingerprint has been leaked, victims remain exposed for the rest of
their lives, since it lasts a lifetime.

Then, it severely affects applications beyond the package responsible
for the root cause.

What do you think of it?

-- 
https://bugs.launchpad.net/bugs/1822590

Title:
  Found storing user fingerprints without encryption

[Bug 1822590] Re: Found storing user fingerprints without encryption

2019-04-09 Thread Seong-Joong Kim
** Information type changed from Private Security to Public Security

-- 
https://bugs.launchpad.net/bugs/1822590

Title:
  Found storing user fingerprints without encryption

[Bug 1819406] Re: Found broken a feature for fingerprint image obfuscation

2019-03-21 Thread Seong-Joong Kim
Here is a demo video: https://www.youtube.com/watch?v=Grirez2xeas

-- 
https://bugs.launchpad.net/bugs/1819406

Title:
  Found broken a feature for fingerprint image obfuscation

[Bug 1819406] Re: Found broken a feature for fingerprint image obfuscation

2019-03-21 Thread Seong-Joong Kim
Please check the following PoC.

https://github.com/sungjungk/fp-img-deobfuscator

-- 
https://bugs.launchpad.net/bugs/1819406

Title:
  Found broken a feature for fingerprint image obfuscation

[Bug 1819406] Re: Found broken a feature for fingerprint image obfuscation

2019-03-15 Thread Seong-Joong Kim
It seems that the uru4000 driver is affected by a weak? or broken?
obfuscation feature, allowing MITM attackers to discover user's precious
fingerprint images.

** Information type changed from Public to Public Security

-- 
https://bugs.launchpad.net/bugs/1819406

Title:
  Found broken a feature for fingerprint image obfuscation

[Bug 1819406] Re: Found broken a feature for fingerprint image obfuscation

2019-03-14 Thread Seong-Joong Kim
What do you think of this issue?

-- 
https://bugs.launchpad.net/bugs/1819406

Title:
  Found broken a feature for fingerprint image obfuscation

[Bug 1818936] Re: Found hard-coded secret-key for challenge-response on libfprint

2019-03-11 Thread Seong-Joong Kim
It is https://gitlab.freedesktop.org/libfprint/libfprint/issues/151

** Bug watch added: gitlab.freedesktop.org/libfprint/libfprint/issues #151
   https://gitlab.freedesktop.org/libfprint/libfprint/issues/151

-- 
https://bugs.launchpad.net/bugs/1818936

Title:
  Found hard-coded secret-key for challenge-response on libfprint

[Bug 1819406] Re: Found broken a feature for fingerprint image obfuscation

2019-03-11 Thread Seong-Joong Kim
Could you check the following link?

https://gitlab.freedesktop.org/libfprint/libfprint/merge_requests/47

-- 
https://bugs.launchpad.net/bugs/1819406

Title:
  Found broken a feature for fingerprint image obfuscation

[Bug 1819406] [NEW] Found broken a feature for fingerprint image obfuscation

2019-03-10 Thread Seong-Joong Kim
Public bug reported:

Dear all,

In this package, a random seed is used to generate the key for obfuscating a 
fingerprint image in the uru4000 driver.
Unfortunately, it seems that the seed always yields the same sequence of 
numbers each time, since it is generated from rand() in libc by default.
Then I reported this issue to upstream with a patch.

However, the maintainer insists that the obfuscation feature can be broken 
since the encryption key is just 4 bytes long.
Thus, there is no need to patch the random seed anyway.
It's pretty weird to say that.

Would it be all right if I leave this as it is?

Many thanks!!

** Affects: libfprint (Ubuntu)
 Importance: Undecided
 Status: New

-- 
https://bugs.launchpad.net/bugs/1819406

Title:
  Found broken a feature for fingerprint image obfuscation

[Bug 1818936] Re: Found hard-coded secret-key for challenge-response on libfprint

2019-03-10 Thread Seong-Joong Kim
Okay! I just reported it to upstream.

-- 
https://bugs.launchpad.net/bugs/1818936

Title:
  Found hard-coded secret-key for challenge-response on libfprint

[Bug 1818938] Re: Found storing user fingerprints as raw image files

2019-03-10 Thread Seong-Joong Kim
Okay! I just reported it to upstream.

-- 
https://bugs.launchpad.net/bugs/1818938

Title:
  Found storing user fingerprints as raw image files

[Bug 1818936] Re: Found hard-coded secret-key for challenge-response on libfprint

2019-03-06 Thread Seong-Joong Kim
** Information type changed from Public to Public Security

-- 
https://bugs.launchpad.net/bugs/1818936

Title:
  Found hard-coded secret-key for challenge-response on libfprint

[Bug 1818938] Re: Found storing user fingerprints as raw image files

2019-03-06 Thread Seong-Joong Kim
** Information type changed from Public to Public Security

-- 
https://bugs.launchpad.net/bugs/1818938

Title:
  Found storing user fingerprints as raw image files

[Bug 1818938] [NEW] Found storing user fingerprints as raw image files

2019-03-06 Thread Seong-Joong Kim
Public bug reported:

Dear all,

Currently, libfprint saves a fingerprint image (FP1 or 2?) to a file on
the host without any encryption.

Once a fingerprint has been leaked, victims remain exposed for the rest of
their lives, since it lasts a lifetime.

It is necessary to prepare for the problem.

Especially, when I use `fp_print_data_save()` from the libfprint library
for enrolling my fingerprints, the image is saved in the user’s home
directory without any protection scheme.

Though `fprintd` generates the fingerprint image with root permissions to
protect the file from attackers, it is not of itself sufficient.

FYI, similar issues on Android have been reported and cryptographic
operations have been introduced to encrypt fingerprints (see [1-2]).

[1] https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Fingerprints-On-Mobile-Devices-Abusing-And-Leaking-wp.pdf
[2] https://www.zdnet.com/article/hackers-can-remotely-steal-fingerprints-from-android-phones/


Lastly, is it a kind of `CWE-311: Missing Encryption of Sensitive Data`? (see 
https://cwe.mitre.org/data/definitions/311.html)

Many thanks!!

** Affects: libfprint (Ubuntu)
 Importance: Undecided
 Status: New

-- 
https://bugs.launchpad.net/bugs/1818938

Title:
  Found storing user fingerprints as raw image files

[Bug 1818936] [NEW] Found hard-coded secret-key for challenge-response on libfprint

2019-03-06 Thread Seong-Joong Kim
Public bug reported:

Dear all,

We need to fix the hard-coded symmetric key for challenge-response
authentication in the `uru4000 driver`.

The driver uses a symmetric-key technique to encrypt the challenge data
with the AES encryption algorithm for authentication.

"2nd generation MS devices added an AES-based challenge/response authentication 
scheme, where the device challenges the authenticity of the driver."
link: https://gitlab.freedesktop.org/libfprint/libfprint/blob/master/libfprint/drivers/uru4000.c#L348

Unfortunately, the driver creates risk by exposing a hard-coded secret
key as follows:

/* For 2nd generation MS devices */
static const unsigned char crkey[] = {
0x79, 0xac, 0x91, 0x79, 0x5c, 0xa1, 0x47, 0x8e,
0x98, 0xe0, 0x0f, 0x3c, 0x59, 0x8f, 0x5f, 0x4b,
};
link: https://gitlab.freedesktop.org/libfprint/libfprint/blob/master/libfprint/drivers/uru4000.c#L150

If the library wants to use challenge-response authentication, we need
to introduce a new key distribution scheme also.

Furthermore, I don't know why it is really necessary for the library to use it
in such a resource-constrained environment.


Lastly, is it a kind of CWE-321: Use of Hard-coded Cryptographic Key? (see 
https://cwe.mitre.org/data/definitions/321.html)

Many thanks!!

** Affects: libfprint (Ubuntu)
 Importance: Undecided
 Status: New

https://bugs.launchpad.net/bugs/1818936

[Bug 1780365] Re: Credentials located in gnome-keyring can be compromised easily

2018-11-18 Thread Seong-Joong Kim
** Information type changed from Private Security to Public Security

https://bugs.launchpad.net/bugs/1780365

[Bug 1772919] Re: pam-gnome-keyring.so reveals user’s password credential as a plaintext form

2018-07-13 Thread Seong-Joong Kim
Please check the attached patch applied on gnome-keyring 3.28.
(see https://bug781486.bugzilla-attachments.gnome.org/attachment.cgi?id=350049)

https://bugs.launchpad.net/bugs/1772919

[Bug 1780365] Re: Credentials located in gnome-keyring can be compromised easily

2018-07-06 Thread Seong-Joong Kim
** Description changed:

  Dear all,
  
  I figured out that login credentials located in gnome-keyring can be
  easily compromised.
  
  GNOME-based Linux systems basically use ‘gnome-keyring’ as their backend to
  store login credentials in a secure manner. Specifically, the google-chrome
  browser, network-manager and gnome-online-accounts use it as a backend
  solution to store login credentials.
  
- To use this, authentication is performed together with gnome-keyring as part 
of ‘pam-gnome-keyring.so’. At this point, it remains unlocked until the system is 
shut down or the user logs out. In this state, a simple program that uses ‘Secret 
Service API’ calls over the ‘D-Bus’ interface can easily retrieve login 
credentials from gnome-keyring without any privilege escalation, 
listening in on the X events going to another window, or installing an 
application on the target computer. 
+ To use this, authentication is performed together with gnome-keyring as part 
of ‘pam-gnome-keyring.so’. At this point, it remains unlocked until the system is 
shut down or the user logs out. In this state, a simple program that uses ‘Secret 
Service API’ calls over the ‘D-Bus’ interface can easily retrieve login 
credentials from gnome-keyring without any privilege escalation, 
listening in on the X events going to another window, or installing an 
application on the target computer.
  (please check PoC source https://github.com/sungjungk/keyring_crack and video 
https://youtu.be/Do4E9ZQaPck)
  
  The issue is different from the content shown on the Ubuntu Security FAQ
  and GnomeKeyring Wiki [1][2]. It was even said that “PAM session is
  closed via the screensaver, all keyrings are locked, and the ‘login’
  keyring is unlocked upon successful authentication to the screensaver”.
  After trying to crack the keyring, I found it was far from what they really
  thought. It is no different from a plain text file of login credentials
  somewhere on disk.
  
  To deal with this, note that the root cause of the problem is that the
  ‘Secret Service API’ can be easily accessed by anyone over the DBus API. If
  access control is enabled, only well-known? or authorized processes, such as
  google-chrome, network-manager, and gnome-online-accounts, will be able to
  access the login credentials.
  
  DBus originally provides a capability that is essential to access control
  of the DBus API: defining a security policy in the form of a *.conf file.
  Currently, various services based on the DBus interface employ this
  security policy feature to perform access control. For example,
  login/system related functions are controlled by ‘login1’ and its
  security policy is described in “org.freedesktop.login1.conf”. (see
  https://github.com/systemd/systemd/blob/master/src/core/org.freedesktop.systemd1.conf)
  
  Likewise, why don’t we try adopting access control for the Secret Service
  API in the gnome-keyring environment?
  
  Due to the fact that a process with root privilege can access the “.conf”
  file, an approved program may only update the target file during the
  installation process.
  
  Here is a really simple ‘org.freedesktop.secrets.conf’ example.
  
  
  =
  [org.freedesktop.secrets.conf busconfig example: XML markup not preserved in the archived copy]
  =
  
  Many Thanks!!
  
  [1] https://wiki.ubuntu.com/SecurityTeam/FAQ#Contact
  
  [2] https://wiki.gnome.org/Projects/GnomeKeyring/SecurityPhilosophy
  
  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: gnome-keyring 3.28.0.2-1ubuntu1
  ProcVersionSignature: Ubuntu 4.15.0-20.21-generic 4.15.17
  Uname: Linux 4.15.0-20-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.2
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  Date: Thu Jul  5 17:45:22 2018
  InstallationDate: Installed on 2018-07-06 (0 days ago)
  InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
  ProcEnviron:
-  TERM=xterm-256color
-  PATH=(custom, no user)
-  XDG_RUNTIME_DIR=
-  LANG=en_US.UTF-8
-  SHELL=/bin/bash
+  TERM=xterm-256color
+  PATH=(custom, no user)
+  XDG_RUNTIME_DIR=
+  LANG=en_US.UTF-8
+  SHELL=/bin/bash
  SourcePackage: gnome-keyring
  UpgradeStatus: No upgrade log present (probably fresh install)

** Information type changed from Public to Private Security

https://bugs.launchpad.net/bugs/1780365

[Bug 1780365] [NEW] Credentials located in gnome-keyring can be compromised easily

2018-07-05 Thread Seong-Joong Kim
Public bug reported:

Dear all,

I figured out that login credentials located in gnome-keyring can be
easily compromised.

GNOME-based Linux systems basically use ‘gnome-keyring’ as their backend to
store login credentials in a secure manner. Specifically, the google-chrome
browser, network-manager and gnome-online-accounts use it as a backend
solution to store login credentials.

To use this, authentication is performed together with gnome-keyring as part of 
‘pam-gnome-keyring.so’. At this point, it remains unlocked until the system is shut 
down or the user logs out. In this state, a simple program that uses ‘Secret Service 
API’ calls over the ‘D-Bus’ interface can easily retrieve login credentials 
from gnome-keyring without any privilege escalation, listening in on the X 
events going to another window, or installing an application on the target 
computer.
(please check PoC source https://github.com/sungjungk/keyring_crack and video 
https://youtu.be/Do4E9ZQaPck)

The issue is different from the content shown on the Ubuntu Security FAQ
and GnomeKeyring Wiki [1][2]. It was even said that “PAM session is
closed via the screensaver, all keyrings are locked, and the ‘login’
keyring is unlocked upon successful authentication to the screensaver”.
After trying to crack the keyring, I found it was far from what they really
thought. It is no different from a plain text file of login credentials
somewhere on disk.

To deal with this, note that the root cause of the problem is that the
‘Secret Service API’ can be easily accessed by anyone over the DBus API. If
access control is enabled, only well-known? or authorized processes, such as
google-chrome, network-manager, and gnome-online-accounts, will be able to
access the login credentials.

DBus originally provides a capability that is essential to access control
of the DBus API: defining a security policy in the form of a *.conf file.
Currently, various services based on the DBus interface employ this
security policy feature to perform access control. For example,
login/system related functions are controlled by ‘login1’ and its
security policy is described in “org.freedesktop.login1.conf”. (see
https://github.com/systemd/systemd/blob/master/src/core/org.freedesktop.systemd1.conf)

Likewise, why don’t we try adopting access control for the Secret Service
API in the gnome-keyring environment?

Due to the fact that a process with root privilege can access the “.conf”
file, an approved program may only update the target file during the
installation process.

Here is a really simple ‘org.freedesktop.secrets.conf’ example.

=
[org.freedesktop.secrets.conf busconfig example: XML markup not preserved in the archived copy]
=


Many Thanks!!

[1] https://wiki.ubuntu.com/SecurityTeam/FAQ#Contact

[2] https://wiki.gnome.org/Projects/GnomeKeyring/SecurityPhilosophy

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: gnome-keyring 3.28.0.2-1ubuntu1
ProcVersionSignature: Ubuntu 4.15.0-20.21-generic 4.15.17
Uname: Linux 4.15.0-20-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.2
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Thu Jul  5 17:45:22 2018
InstallationDate: Installed on 2018-07-06 (0 days ago)
InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: gnome-keyring
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: gnome-keyring (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug bionic

https://bugs.launchpad.net/bugs/1780365
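The D-Bus policy mechanism the gnome-keyring report above proposes (in both the original report and the revised description), written out as an added example rather than the reporter's own file: a deny-by-default busconfig drop-in for the org.freedesktop.secrets well-known name. The drop-in path, the account name alice and the group keyring-users are assumptions, not values from the bug.

```xml
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<!-- Added example. Assumed install path (a session-bus drop-in):
     /etc/dbus-1/session.d/org.freedesktop.secrets.conf -->
<busconfig>

  <!-- Default block, applied to every connection first: nobody may claim
       the Secret Service name, and nobody may send messages to whoever
       currently holds it. -->
  <policy context="default">
    <deny own="org.freedesktop.secrets"/>
    <deny send_destination="org.freedesktop.secrets"/>
  </policy>

  <!-- Constructed account: only connections from this uid may own the
       name, i.e. run the keyring daemon that answers on it. -->
  <policy user="alice">
    <allow own="org.freedesktop.secrets"/>
  </policy>

  <!-- Hypothetical group: members may talk to the service. Group and user
       policies are evaluated after the default block and later rules win,
       so this allow overrides the deny above for matching connections. -->
  <policy group="keyring-users">
    <allow send_destination="org.freedesktop.secrets"/>
  </policy>

</busconfig>
```

Bus policies match on the connecting process's uid, gid or context, not on its executable, so on a single-user session bus a file like this keeps other local accounts away from the service but cannot tell google-chrome apart from any other process running as the same user. Per-application authorization would have to come from the service itself or a broker in front of it.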

[Bug 566075] Re: no way to specify the password

2018-05-23 Thread Seong-Joong Kim
** Information type changed from Public to Public Security

https://bugs.launchpad.net/bugs/566075