D12937: Drop privileges when reading the salt file
Albert Astals Cid
noreply at phabricator.kde.org
Wed May 16 22:56:49 UTC 2018
aacid created this revision.
Restricted Application added a project: Plasma.
Restricted Application added a subscriber: plasma-devel.
aacid requested review of this revision.
REVISION SUMMARY
As found by Matthias Gerstner the user here controls nearly everything:
- he controls his own password
- he controls where the salt is read from
- he can read the final salted hash (e.g. by calling strace() on kwalletd at the right time)
By using this fact he can do the following things:
- test for existence of files in locations otherwise not accessible
- exploit an information leak. 56 bytes of root owned files will be provided to him in the form of a salted hash. He won't be able to easily retrieve the original "salt" again. But if the "salt" comes from a well structured input file then the possible input combinations can suddenly be quite limited and a brute force attack can be feasible to gain knowledge of certain root-owned data.
- the fact that the user can cause a root-owned process to read 56 bytes from an arbitrary file in the system could have other side effects depending on the situation in the system. E.g. FUSE, pseudo file systems or device files might react specially to this.
This is a very theoretical attack, but since it's reasonable easy to fix it, let's do it :)
TEST PLAN
kwallet-pam still works
REPOSITORY
R107 KWallet PAM Integration
BRANCH
master
REVISION DETAIL
https://phabricator.kde.org/D12937
AFFECTED FILES
pam_kwallet.c
To: aacid
Cc: plasma-devel, ragreen, Pitel, ZrenBot, lesliezhai, ali-mohamed, jensreuterberg, abetts, sebas, apol, mart
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/plasma-devel/attachments/20180516/4c11a43a/attachment.html>
More information about the Plasma-devel
mailing list