[OTR-dev] private messages on dbus

Byrd, Brendan Byrd.B at insightcom.com
Mon Feb 27 12:28:14 EST 2012


Wait, are we talking about the potential for an attacker to:

1. Load a Trojan/Virus on their PC that allows remote access
2. ...Who the $^#% cares at that point?!

Once security has been breached at point #1, it doesn't matter.  The PC is already impacted.  Re-format, restart, reload, and change all of your security information, passwords, keys, etc.

The private key is already vulnerable.  Hell, -memory- is already vulnerable.  Everything is in plaintext if you find the right memory location.  There's no way to fix that, especially if the attacker has admin/root access.  Everything is compromised.  There's no point in trying to lock down the app for that sort of critical security failure.

"The best way to protect a server is to unplug the network cable, put it in a lock box, throw away the key, and bury it.  Even then, there's still a small chance it might be compromised."

--
Brendan Byrd <byrd.b at insightcom.com>
System Integration Analyst (NOC Web Developer)

-----Original Message-----
From: otr-dev-bounces at lists.cypherpunks.ca [mailto:otr-dev-bounces at lists.cypherpunks.ca] On Behalf Of Dimitris Glynos
Sent: Saturday, February 25, 2012 11:20 AM
To: devel at pidgin.im
Cc: otr-dev at lists.cypherpunks.ca
Subject: Re: [OTR-dev] private messages on dbus

On 12/21/2011 02:49 AM, Dimitris Glynos wrote:
> On 12/21/2011 01:11 AM, khc at hxbc.us wrote:
>> On Tue, 20 Dec 2011 12:02:38 +0200, Dimitris Glynos wrote:
>>> Hello all,
>>>
>>> I was wondering if pidgin could allow for certain chat types to be 
>>> flagged as private and not transmit these over dbus.
>>> I don't know how much dbus is hardwired to pidgin (is it used also 
>>> for capturing the messages displayed on the pidgin GUI?) but the 
>>> fact that a local attacker can access OTR plaintext from a dbus 
>>> session monitor is quite unnerving.
>>
>> a local attacker can already ptrace the pidgin process and do pretty 
>> much anything.
> 
> Yes, the word 'local' is used incorrectly in the original post.
> Consider a remote attacker that exploits some app running in the same 
> desktop session as pidgin. It is trivial to fork-exec a dbus session 
> monitor from there and retrieve the sensitive info.
> 
> Now, regarding ptrace although it was generally possible in the past 
> to attach to processes of the same user, this has been restricted 
> somewhat in modern distros. Specifically, distros like Ubuntu allow 
> (non-root) ptrace only to processes that are children of the 
> ptrace-caller.
> 
> For more info on this, have a look here:
> https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#ptrace_Protection
> 
> Hope this clarifies things a bit,

Coming back to this after a while. You may now find an advisory and a proof-of-concept script for the DBUS info leak here:

http://census-labs.com/news/2012/02/25/pidgin-otr-info-leak/

This issue has received CVE-2012-1257.

It would be good to see this issue addressed in the next release of pidgin and pidgin-otr. Most users would be surprised to find that their private chatting is somehow accessible to other apps.

Best regards,

Dimitris
--
http://census-labs.com -- IT security research, development and services
_______________________________________________
OTR-dev mailing list
OTR-dev at lists.cypherpunks.ca
http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
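An added example, not code from pidgin, pidgin-otr or any poster in this thread, that models the ptrace restriction Dimitris refers to: the Yama LSM's kernel.yama.ptrace_scope sysctl. In mode 1 (Ubuntu's default) a same-user process may attach only to its own descendants (the whole subtree, not just direct children), so khc's "can already ptrace" holds on a mode-0 kernel and Dimitris's "restricted on modern distros" on a mode-1 kernel. The sysctl path and the decision rules are taken from the kernel's Yama documentation and are assumptions of this example, not anything stated in the thread; the helper names are likewise made up here.

```python
"""Model of the Linux Yama ptrace_scope policy discussed in the thread.

This is an added example, not code from pidgin, pidgin-otr or any poster.
The decision rules follow the kernel's Documentation/admin-guide/LSM/Yama.rst
as this example's author understands them; the sysctl path is an assumption
that holds on Yama-enabled kernels such as Ubuntu's.
"""
from dataclasses import dataclass

# Where Yama exposes its current mode (assumed; absent on kernels without Yama).
YAMA_SCOPE_PATH = "/proc/sys/kernel/yama/ptrace_scope"

SCOPE_NAMES = {
    0: "classic: a same-uid process may attach to any other process of that user",
    1: "restricted: same-uid attach only to the tracer's own descendants",
    2: "admin-only: attach requires CAP_SYS_PTRACE",
    3: "no attach: PTRACE_ATTACH is refused for everyone",
}


@dataclass(frozen=True)
class Tracer:
    """The process trying to attach, as seen by the kernel's checks."""
    same_uid: bool            # runs as the same user as the target (classic DAC check)
    is_ancestor: bool         # the target is a child, grandchild, ... of this process
    has_cap_sys_ptrace: bool  # e.g. root with full capabilities


def ptrace_attach_allowed(scope: int, tracer: Tracer) -> bool:
    """Return True if PTRACE_ATTACH on a dumpable target would pass.

    The classic check (same uid, or CAP_SYS_PTRACE) always applies; Yama only
    tightens it.  Mode 3 refuses everyone, capabilities included.
    """
    if scope not in SCOPE_NAMES:
        raise ValueError(f"unknown ptrace_scope value {scope!r}")
    if scope == 3:
        return False
    if tracer.has_cap_sys_ptrace:
        return True
    if not tracer.same_uid:
        return False
    if scope == 0:
        return True
    if scope == 1:
        return tracer.is_ancestor
    return False  # mode 2: unprivileged tracers are always refused


def parse_scope(text: str) -> int:
    """Turn the sysctl's contents (e.g. "1\\n") into a validated mode number."""
    value = int(text.strip())
    if value not in SCOPE_NAMES:
        raise ValueError(f"ptrace_scope {value} is outside the documented 0..3 range")
    return value


def current_scope(path: str = YAMA_SCOPE_PATH):
    """Read the live mode, or return None on a kernel that has no Yama sysctl."""
    try:
        with open(path, encoding="ascii") as fh:
            return parse_scope(fh.read())
    except FileNotFoundError:
        return None


# The thread's scenario: attacker code running as the desktop user inside the
# same session, but not an ancestor of the pidgin process it wants to read.
SAME_SESSION_ATTACKER = Tracer(same_uid=True, is_ancestor=False, has_cap_sys_ptrace=False)


def report(scope: int) -> str:
    """One-line summary of whether the thread's scenario can ptrace pidgin."""
    verdict = "can" if ptrace_attach_allowed(scope, SAME_SESSION_ATTACKER) else "cannot"
    return f"ptrace_scope={scope} ({SCOPE_NAMES[scope]}): same-session code {verdict} attach"


if __name__ == "__main__":
    live = current_scope()
    print("live ptrace_scope:", "no Yama sysctl found" if live is None else live)
    for mode in SCOPE_NAMES:
        print(report(mode))
    # None of these modes touches the session bus: a dbus monitor needs no
    # ptrace at all, which is why the thread treats the two paths separately.
```

Run stand-alone it prints the machine's live mode (or notes that Yama is absent) and the verdict for each mode; the point the thread makes is visible in the output: ptrace_scope changes whether same-session code can attach to pidgin, but has no bearing on what pidgin itself broadcasts over the session bus.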


