[Konsole-devel] [Bug 68742] New: Information leak of keystrokes.
Hugo van Galen
hugo at homebaze.net
Fri Nov 21 16:25:42 UTC 2003
http://bugs.kde.org/show_bug.cgi?id=68742
Summary: Information leak of keystrokes.
Product: konsole
Version: 1.2.3
Platform: Compiled Sources
OS/Version: Linux
Status: UNCONFIRMED
Severity: normal
Priority: NOR
Component: general
AssignedTo: konsole-devel at kde.org
ReportedBy: hugo at homebaze.net
Version: 1.2.3 (using KDE KDE 3.1.4)
Installed from: Compiled From Sources
Compiler: 2.95.3
OS: Linux
The Konsole application leaks information; every single keystroke that is typed into the terminal emulation screen is visible in /proc/kcore.
Of course, you have to be root to be able to view the kernel memory, but there are some security and privacy concerns nonetheless.
Every password or passphrase that is used when you SSH or telnet to a machine from the Konsole screen is ``logged'' into kernel memory.
An example; all done from within Konsole:
1. SSH or telnet to a machine you have a root password to.
2. ``su -'' to root.
3. Type exit twice to return to the local prompt.
Then, as root,
4. Do ``less /proc/kcore'' and look for ``ssh hostname'' (the thing you typed in to connect to the machine). See the ``su -'' command near it? And the password you used next to it?
Not a desirable feature, as this would enable ``root'' to spy on the passphrases, passwords, etc. that are used in *any* Konsole screen.
The consequences of this bug are obvious.