
Re: mutt/580: mutt stores PGP passphrase insecurely



On Mon, Oct 24, 2005 at 04:15:02PM +0200, TAKAHASHI Tamotsu wrote:
>  pgppasswd.txt:
>  =========================================
>  PGP message successfully decrypted.
>  ]9;1130148457
>  mutt
>  mutt
>  /home/tamo/.mutt/pgp
>  <password>
>  /home/tamo/.terminfo
[SNIP]
>  pgppasswd.2.txt:
>  =========================================
>  1234567890
>  1234567890
>  1234567890
>  1234567890
>  1234567890
>  <password>
>  /home/tamo/.terminfo
[SNIP]
 
>  So, if the machine you are running mutt on is stolen, the disc may
>  contain your plain passphrase.  Is this realistic? I don't know.
>  But it was so easy that I could demonstrate.  If the thief knows a
>  part of your passphrase, he can grep it like I did.

Worse yet...  If an attacker can gain root via any sort of local
compromise, or a remote one, they can read it from swap.  My guess is
that the passphrase will always appear in roughly the same place in
relation to the strings you have there...  All the attacker really
needs to do is look for those, and/or look for strings that look like
passphrases (i.e. seem out of place in the context of mutt, and look
like something someone might use as a passphrase).  We know the
username... the home directory is given in the swap file right along
with the passphrase.  Now the attacker who has gained root can
identify the user, get a physical copy of (in all likelihood) both
public and private key, and has the passphrase.  With only root
access without this exploit, the keys are available, but the
passphrase remains unknown.

So to add insult to injury, now your system is compromised, and all
your sensitive documents are too (which may well contain encrypted
credentials for accessing other sensitive information, like your
on-line banking account, etc.).

This is bad.  This is precisely the sort of attack I was concerned
about.  Of course, that's theoretical.  My guess is it's very unlikely
someone will successfully exploit this against real users.  That said,
it would suck if it happened to you...  

The question is, as Thomas correctly points out, what can reasonably
be done about it?  The usual method of preventing this sort of thing
involves locking a segment of memory so that it cannot swap.  On most
systems I'm familiar with, that requires root privileges (otherwise a
DoS could ensue where a user allocates all the available RAM and locks
it in memory).  So Mutt would need to be SUID root for that to work.
Not good.  Then, any small security hole in mutt potentially becomes a
root compromise.  Not good at all.

Probably the best solution is to use something like gpg-agent, if it
does indeed protect against this (which it should).  Still, if someone
can think of a reasonable solution, I'd like to see it.

The only semi-reasonable solution I can think of is to have mutt SUID,
allocate a block of memory for storing the passphrase as soon as
humanly possible, and drop privileges immediately.  The amount of
exposed code should be very minimal...

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail.  Sorry for the inconvenience.  Thank the spammers.
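
The approach discussed in the message above (keep the passphrase in memory that is locked so it cannot be swapped, and if locking needs privilege, take the lock first and drop privileges at once), as an added example that is not mutt's code and not part of the original message. It assumes POSIX mmap() and mlock(); the names secret_t, secret_alloc, drop_privileges, secret_store and secret_free are hypothetical, and whether mlock() succeeds without privilege depends on the system's locked-memory limit.

```c
/* Added example, not mutt code. All names below are hypothetical. */
#define _DEFAULT_SOURCE
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* One page for the secret; locked is 1 only if mlock() succeeded. */
typedef struct { char *buf; size_t len; int locked; } secret_t;

/* Map a private anonymous page and try to pin it in RAM. Returns -1 only
 * if the mapping fails; a refused mlock() is recorded in s->locked. */
int secret_alloc(secret_t *s)
{
    s->len = (size_t)sysconf(_SC_PAGESIZE);
    s->buf = mmap(NULL, s->len, PROT_READ | PROT_WRITE,
                  MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (s->buf == MAP_FAILED) { s->buf = NULL; s->locked = 0; return -1; }
    s->locked = (mlock(s->buf, s->len) == 0);
    return 0;
}

/* Give up SUID-root for good: with euid 0, setuid() also resets the
 * saved UID. Call right after secret_alloc(), before anything else. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    if (setgid(getgid()) != 0 || setuid(ruid) != 0) return -1;
    if (ruid != 0 && setuid(0) == 0) return -1; /* root must be gone */
    return 0;
}

/* Refuse to cache the passphrase in a page that could be swapped out. */
int secret_store(secret_t *s, const char *pass)
{
    size_t n = strlen(pass);
    if (!s->buf || !s->locked || n >= s->len) return -1;
    memcpy(s->buf, pass, n + 1);
    return 0;
}

/* Wipe via a volatile pointer so the stores are kept; munmap drops the lock. */
void secret_free(secret_t *s)
{
    if (!s->buf) return;
    volatile char *p = s->buf;
    for (size_t i = 0; i < s->len; i++) p[i] = 0;
    munmap(s->buf, s->len);
    s->buf = NULL; s->locked = 0;
}
```

When mlock() is refused, secret_store() returns -1, so the caller has to prompt for the passphrase each time instead of caching it in swappable memory.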
