[OTR-dev] private messages on dbus
Byrd, Brendan
Byrd.B at insightcom.com
Mon Feb 27 12:28:14 EST 2012
Wait, are we talking about the potential for an attacker to:
1. Load a Trojan/Virus on their PC that allows remote access
2. ...Who the $^#% cares at that point?!
Once security has been breached at point #1, it doesn't matter. The PC is already impacted. Re-format, restart, reload, and change all of your security information, passwords, keys, etc.
The private key is already vulnerable. Hell, -memory- is already vulnerable. Everything is in plaintext if you find the right memory location. There's no way to fix that, especially if the attacker has admin/root access. Everything is compromised. There's no point in trying to lock down the app for that sort of critical security failure.
"The best way to protect a server is to unplug the network cable, put it in a lock box, throw away the key, and bury it. Even then, there's still a small chance it might be compromised."
--
Brendan Byrd <byrd.b at insightcom.com>
System Integration Analyst (NOC Web Developer)
-----Original Message-----
From: otr-dev-bounces at lists.cypherpunks.ca [mailto:otr-dev-bounces at lists.cypherpunks.ca] On Behalf Of Dimitris Glynos
Sent: Saturday, February 25, 2012 11:20 AM
To: devel at pidgin.im
Cc: otr-dev at lists.cypherpunks.ca
Subject: Re: [OTR-dev] private messages on dbus
On 12/21/2011 02:49 AM, Dimitris Glynos wrote:
> On 12/21/2011 01:11 AM, khc at hxbc.us wrote:
>> On Tue, 20 Dec 2011 12:02:38 +0200, Dimitris Glynos wrote:
>>> Hello all,
>>>
>>> I was wondering if pidgin could allow for certain chat types to be
>>> flagged as private and not transmit these over dbus.
>>> I don't know how much dbus is hardwired to pidgin (is it used also
>>> for capturing the messages displayed on the pidgin GUI?) but the
>>> fact that a local attacker can access OTR plaintext from a dbus
>>> session monitor is quite unnerving.
>>
>> a local attacker can already ptrace the pidgin process and do pretty
>> much anything.
>
> Yes, the word 'local' is used incorrectly in the original post.
> Consider a remote attacker that exploits some app running in the same
> desktop session as pidgin. It is trivial to fork-exec a dbus session
> monitor from there and retrieve the sensitive info.
>
> Now, regarding ptrace: although it was generally possible in the past
> to attach to processes of the same user, this has been restricted
> somewhat in modern distros. Specifically, distros like Ubuntu allow
> (non-root) ptrace only to processes that are children of the
> ptrace-caller.
>
> For more info on this, have a look here:
> https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#ptrace_Protection
>
> Hope this clarifies things a bit,
Coming back to this after a while. You may now find an advisory and a proof-of-concept script for the DBUS info leak here:
http://census-labs.com/news/2012/02/25/pidgin-otr-info-leak/
This issue has received CVE-2012-1257.
It would be good to see this issue addressed in the next release of pidgin and pidgin-otr. Most users would be surprised to find that their private chatting is somehow accessible to other apps.
Best regards,
Dimitris
--
http://census-labs.com -- IT security research, development and services
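The quoted reply points out that Ubuntu's kernel hardening limits non-root ptrace to descendants of the caller, which closes the "a local attacker can already ptrace pidgin" shortcut but does nothing about the dbus exposure. The script below is an added example, not code from the thread, the advisory, or the pidgin/pidgin-otr projects; it audits the Yama `ptrace_scope` sysctl that implements that restriction and reports what a same-uid process in the desktop session can still attach to. It assumes a Linux host where Yama exposes `/proc/sys/kernel/yama/ptrace_scope`; a missing file is treated as "Yama not active", which behaves like scope 0.

```python
"""Audit the Yama ptrace_scope setting discussed in the thread.

Added example; not from the thread or the pidgin/pidgin-otr projects.
Assumes Linux with the Yama LSM exposing /proc/sys/kernel/yama/ptrace_scope.
"""
from pathlib import Path

PTRACE_SCOPE_PATH = "/proc/sys/kernel/yama/ptrace_scope"

# Meaning of each ptrace_scope value, per the kernel's Yama documentation.
_SCOPE_MEANING = {
    0: "classic: any process may ptrace another process of the same uid",
    1: "restricted: only descendants (or processes that opted in via "
       "PR_SET_PTRACER) may be traced without CAP_SYS_PTRACE",
    2: "admin-only: attaching requires CAP_SYS_PTRACE",
    3: "no attach: PTRACE_ATTACH is disabled for everyone",
}


def parse_ptrace_scope(text):
    """Parse the raw file contents; returns an int 0..3 or raises ValueError."""
    value = text.strip()
    if not value.isdigit() or int(value) not in _SCOPE_MEANING:
        raise ValueError(f"unexpected ptrace_scope contents: {text!r}")
    return int(value)


def assess_ptrace_scope(scope):
    """Describe what a same-uid process can do at this scope.

    The case the thread worries about is a compromised app in the same
    desktop session attaching to an unrelated process such as pidgin;
    only scope 0 permits that directly.
    """
    return {
        "scope": scope,
        "meaning": _SCOPE_MEANING[scope],
        "same_uid_attach_to_unrelated_process": scope == 0,
        "descendant_attach_allowed": scope <= 1,
    }


def audit(path=PTRACE_SCOPE_PATH):
    """Read and assess the live setting.

    A missing file means the Yama LSM is not active, which leaves the
    classic same-uid ptrace permission model in force (scope 0).
    """
    try:
        scope = parse_ptrace_scope(Path(path).read_text())
        yama_present = True
    except FileNotFoundError:
        scope, yama_present = 0, False
    result = assess_ptrace_scope(scope)
    result["yama_present"] = yama_present
    return result


if __name__ == "__main__":
    for key, val in audit().items():
        print(f"{key}: {val}")
```

Note that even at scope 1 or higher the finding in the advisory is unaffected: the dbus session bus is a separate channel, so a hardened `ptrace_scope` is worth confirming but is not a mitigation for the OTR plaintext leak itself.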
OTR-dev mailing list
OTR-dev at lists.cypherpunks.ca
http://lists.cypherpunks.ca/mailman/listinfo/otr-dev