[OTR-dev] private messages on dbus

Dimitris Glynos dimitris at census-labs.com
Sat Feb 25 11:19:59 EST 2012


On 12/21/2011 02:49 AM, Dimitris Glynos wrote:
> On 12/21/2011 01:11 AM, khc at hxbc.us wrote:
>> On Tue, 20 Dec 2011 12:02:38 +0200, Dimitris Glynos wrote:
>>> Hello all,
>>>
>>> I was wondering if pidgin could allow for certain chat types
>>> to be flagged as private and not transmit these over dbus.
>>> I don't know how much dbus is hardwired to pidgin (is it used
>>> also for capturing the messages displayed on the pidgin GUI?)
>>> but the fact that a local attacker can access OTR plaintext
>>> from a dbus session monitor is quite unnerving.
>>
>> a local attacker can already ptrace the pidgin process and do
>> pretty much anything.
> 
> Yes, the word 'local' is used incorrectly in the original post.
> Consider a remote attacker that exploits some app running
> in the same desktop session as pidgin. It is trivial
> to fork-exec a dbus session monitor from there and retrieve the
> sensitive info.
> 
> Now, regarding ptrace although it was generally possible in
> the past to attach to processes of the same user, this has
> been restricted somewhat in modern distros. Specifically,
> distros like Ubuntu allow (non-root) ptrace only to
> processes that are children of the ptrace-caller.
> 
> For more info on this, have a look here:
> https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#ptrace_Protection
> 
> Hope this clarifies things a bit,

Coming back to this after a while. You may now find an advisory
and a proof-of-concept script for the DBUS info leak here:

http://census-labs.com/news/2012/02/25/pidgin-otr-info-leak/

This issue has received CVE-2012-1257.

It would be good to see this issue addressed in the next release
of pidgin and pidgin-otr. Most users would be surprised to find
that their private chatting is somehow accessible to other apps.

Best regards,

Dimitris
--
http://census-labs.com -- IT security research, development and services