Password appears on the VT1 screen
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | gdm3 (Ubuntu) |
High
|
Unassigned | ||
| | plymouth (Ubuntu) |
High
|
Unassigned | ||
| | systemd (Ubuntu) |
High
|
Unassigned | ||
Bug Description
[Impact]
* The keyboard on the graphical login screen started on VT1 may stop working and or keypresses including passwords are leaked to the terminal console running 'behind' the graphical login screen or environment.
[Test Case]
* Reboot after installing the fixed systemd package.
* Install sysdig
* Start sysdig on a remote connection or on a terminal console:
$ sudo sysdig evt.type=ioctl | grep request=4B4
* While sysdig is running log in and out 3 times in GDM and press a few keys in the graphical session to see if keyboard still works
* Log in and out on an other terminal console, too, running a few commands while being logged in to ensure that keyboard is working.
* Observe that on terminal consoles the monitored keyboard setter ioctl is called with argument=3, but where the graphical screen is active only argument=4 is used, unlike with the buggy version observed in https:/
[Regression Potential]
* The fix checks the current keyboard mode of the VT and allows only safe mode switches. The potential regression could be not allowing a valid mode switch keeping a keyboard in a non-operational mode. Testing covers that by typing the keyboard.
(continued from bug 1767918)
This was found when an administrative error made /home directory inaccessible. Any users that tried to login after that, were not able to (which is expected) but their password appears on the VT1 screen. Under normal circumstances, VT1 is not visible. But once the system was sent into this compromised mode, one can press ctrl+alt+F1 and then ctrl+alt+F2 and get a momentary glance at VT1. One can keep toggling between these key combinations in order to make out the password(s) on VT1.
As a further test, I wanted to see if a non-super user could cause this condition, and it is in fact possible. As a regular user, I made their own home directory not writable and then removed ~/.config and logged out. Then logged in as that user again, and although that user can't login the system does go into that mode where passwords appear on VT1 and are viewable with the key combinations mentioned herein. Further, any other users that login will see no problem, but when they logon their passwords also appear on VT1 and are viewable.
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: gdm3 3.28.3-
Uname: Linux 4.19.2-
ApportVersion: 2.20.9-0ubuntu7.5
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Mon Nov 19 08:32:59 2018
InstallationDate: Installed on 2018-08-25 (85 days ago)
InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
ProcEnviron:
TERM=xterm-
PATH=(custom, no user)
XDG_RUNTIME_
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: gdm3
UpgradeStatus: No upgrade log present (probably fresh install)
CVE References
| Thomas Carlisle (tcarlisle2012) wrote : | #1 |
| Daniel van Vugt (vanvugt) wrote : | #3 |
^^^
That is probably just to verify this really isn't a duplicate of bug 1767918, and that you have the fix for bug 1767918 already.
| summary: |
- GDM is Exploitable as a Password Collector + Password appears on the VT1 screen |
| Changed in gdm3 (Ubuntu): | |
| status: | New → Incomplete |
| Changed in plymouth (Ubuntu): | |
| status: | New → Incomplete |
| Thomas Carlisle (tcarlisle2012) wrote : Re: [Bug 1803993] Re: GDM is Exploitable as a Password Collector | #4 |
Hi Seth,
It is: 0.9.3-1ubunt
On Mon, Nov 19, 2018 at 10:30 PM Seth Arnold <email address hidden>
wrote:
> Hello Thomas, can you please report back what version of plymouth you
> have installed?
>
> dpkg -l plymouth | grep ^ii
>
> Thanks
>
> ** Information type changed from Private Security to Public Security
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https:/
>
> Title:
> GDM is Exploitable as a Password Collector
>
> Status in gdm3 package in Ubuntu:
> New
>
> Bug description:
> This was found when an administrative error made /home directory
> inaccessible. Any users that tried to login after that, were not able
> to (which is expected) but their password appears on the VT1 screen.
> Under normal circumstances, VT1 is not visible. But once the system
> was sent into this compromised mode, one can press ctrl+alt+F1 and
> then ctrl+alt+F2 and get a momentary glance at VT1. One can keep
> toggling between these key combinations in order to make out the
> password(s) on VT1.
>
> As a further test, I wanted to see if a non-super user could cause
> this condition, and it is in fact possible. As a regular user, I made
> their own home directory not writable and then removed ~/.config and
> logged out. Then logged in as that user again, and although that user
> can't login the system does go into that mode where passwords appear
> on VT1 and are viewable with the key combinations mentioned herein.
> Further, any other users that login will see no problem, but when they
> logon their passwords also appear on VT1 and are viewable.
>
> ProblemType: Bug
> DistroRelease: Ubuntu 18.04
> Package: gdm3 3.28.3-
> Uname: Linux 4.19.2-
> ApportVersion: 2.20.9-0ubuntu7.5
> Architecture: amd64
> CurrentDesktop: ubuntu:GNOME
> Date: Mon Nov 19 08:32:59 2018
> InstallationDate: Installed on 2018-08-25 (85 days ago)
> InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64
> (20180426)
> ProcEnviron:
> TERM=xterm-256color
> PATH=(custom, no user)
> XDG_RUNTIME_
> LANG=en_US.UTF-8
> SHELL=/bin/bash
> SourcePackage: gdm3
> UpgradeStatus: No upgrade log present (probably fresh install)
>
> To manage notifications about this bug go to:
> https:/
>
| Seth Arnold (seth-arnold) wrote : | #5 |
Hello Thomas, sadly you only got half of the version number. Can you please paste in the full version number?
Thanks
HI Seth,
Sorry. It is plymouth 0.9.3ubuntu7.
On Tue, Nov 20, 2018 at 5:35 PM Seth Arnold <email address hidden>
wrote:
> Hello Thomas, sadly you only got half of the version number. Can you
> please paste in the full version number?
>
> Thanks
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https:/
>
> Title:
> Password appears on the VT1 screen
>
> Status in gdm3 package in Ubuntu:
> Incomplete
> Status in plymouth package in Ubuntu:
> Incomplete
>
> Bug description:
> This was found when an administrative error made /home directory
> inaccessible. Any users that tried to login after that, were not able
> to (which is expected) but their password appears on the VT1 screen.
> Under normal circumstances, VT1 is not visible. But once the system
> was sent into this compromised mode, one can press ctrl+alt+F1 and
> then ctrl+alt+F2 and get a momentary glance at VT1. One can keep
> toggling between these key combinations in order to make out the
> password(s) on VT1.
>
> As a further test, I wanted to see if a non-super user could cause
> this condition, and it is in fact possible. As a regular user, I made
> their own home directory not writable and then removed ~/.config and
> logged out. Then logged in as that user again, and although that user
> can't login the system does go into that mode where passwords appear
> on VT1 and are viewable with the key combinations mentioned herein.
> Further, any other users that login will see no problem, but when they
> logon their passwords also appear on VT1 and are viewable.
>
> ProblemType: Bug
> DistroRelease: Ubuntu 18.04
> Package: gdm3 3.28.3-
> Uname: Linux 4.19.2-
> ApportVersion: 2.20.9-0ubuntu7.5
> Architecture: amd64
> CurrentDesktop: ubuntu:GNOME
> Date: Mon Nov 19 08:32:59 2018
> InstallationDate: Installed on 2018-08-25 (85 days ago)
> InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64
> (20180426)
> ProcEnviron:
> TERM=xterm-256color
> PATH=(custom, no user)
> XDG_RUNTIME_
> LANG=en_US.UTF-8
> SHELL=/bin/bash
> SourcePackage: gdm3
> UpgradeStatus: No upgrade log present (probably fresh install)
>
> To manage notifications about this bug go to:
> https:/
>
| Changed in gdm3 (Ubuntu): | |
| status: | Incomplete → New |
| Changed in plymouth (Ubuntu): | |
| status: | Incomplete → New |
| Seth Arnold (seth-arnold) wrote : | #7 |
Thanks Thomas
| Launchpad Janitor (janitor) wrote : | #8 |
Status changed to 'Confirmed' because the bug affects multiple users.
| Changed in gdm3 (Ubuntu): | |
| status: | New → Confirmed |
| Changed in plymouth (Ubuntu): | |
| status: | New → Confirmed |
| Balint Reczey (rbalint) wrote : | #10 |
It seems I can reproduce the issue in qemu and look at vt1 by stopping gdm3, since the switch to vt2 does not show vt1 even for a moment.
| tags: | added: id-5c51b3a3cb40343530f1abbd |
| description: | updated |
| Norbert (nrbrtx) wrote : | #11 |
Confirmed by https:/
| Robert Anderson (rwa-l) wrote : | #12 |
I'm pretty sure I just encountered this bug, although all I did was issue a shutdown, and very briefly I was able to see several plaintext passwords that had been used to log in across several user accounts. I am on Ubuntu 18.04.2 LTS.
This was a shock for reasons which should be obvious.
| Changed in gdm3 (Ubuntu): | |
| importance: | Undecided → High |
| Changed in plymouth (Ubuntu): | |
| importance: | Undecided → High |
| Brian Murray (brian-murray) wrote : | #13 |
@Robert Anderson - could you please report a new bug using ubuntu-bug plymouth? This will gather information from the system in question that will help us investigate the matter. Thanks in advance!
| Balint Reczey (rbalint) wrote : | #14 |
It looks like systemd is changing the mode (see argument=3) on VT1 on logouts.
#define K_RAW 0x00
#define K_XLATE 0x01
#define K_MEDIUMRAW 0x02
#define K_UNICODE 0x04
#define K_OFF 0x04
#define KDGKBMODE 0x4B44 /* gets current keyboard mode */
#define KDSKBMODE 0x4B45 /* sets current keyboard mode */
test@test-
[sudo] password for test:
5657343 15:21:51.819076315 1 Xorg (1069) > ioctl fd=11(<f>/dev/tty1) request=4B45 argument=4
5657453 15:21:51.820019063 0 systemd-logind (575) > ioctl fd=22(<f>/dev/tty1) request=4B45 argument=3
5753055 15:21:52.771635876 0 systemd-logind (575) > ioctl fd=21(<f>/dev/tty1) request=4B45 argument=4
20723813 15:49:41.368621972 1 systemd (23717) > ioctl fd=3(<f>/dev/tty2) request=4B45 argument=3
22605710 15:53:04.107253025 1 systemd-logind (575) > ioctl fd=23(<f>/dev/tty3) request=4B45 argument=4
22612602 15:53:04.142057934 1 Xorg (24089) > ioctl fd=11(<f>/dev/tty3) request=4B45 argument=4
24077108 15:53:28.705600119 0 Xorg (24089) > ioctl fd=11(<f>/dev/tty3) request=4B45 argument=4
24077278 15:53:28.706353493 1 systemd-logind (575) > ioctl fd=24(<f>/dev/tty3) request=4B45 argument=3
24626343 15:53:58.336589416 0 systemd-logind (575) > ioctl fd=22(<f>/dev/tty1) request=4B45 argument=3
24804326 15:53:59.385872243 0 systemd-logind (575) > ioctl fd=21(<f>/dev/tty1) request=4B45 argument=4
25515114 15:54:12.915072995 1 systemd-logind (575) > ioctl fd=23(<f>/dev/tty3) request=4B45 argument=4
25520504 15:54:12.929480424 1 Xorg (25112) > ioctl fd=11(<f>/dev/tty3) request=4B45 argument=4
26921037 15:54:46.872029874 1 Xorg (25112) > ioctl fd=11(<f>/dev/tty3) request=4B45 argument=4
26921239 15:54:46.872654795 1 systemd-logind (575) > ioctl fd=24(<f>/dev/tty3) request=4B45 argument=3
27104852 15:54:53.870639078 1 systemd-logind (575) > ioctl fd=23(<f>/dev/tty3) request=4B45 argument=4
27112208 15:54:53.894217722 1 Xorg (25697) > ioctl fd=11(<f>/dev/tty3) request=4B45 argument=4
28677455 15:55:44.581119464 0 Xorg (25697) > ioctl fd=11(<f>/dev/tty3) request=4B45 argument=4
28678288 15:55:44.592966138 1 systemd-logind (575) > ioctl fd=24(<f>/dev/tty3) request=4B45 argument=3
| Changed in systemd (Ubuntu): | |
| importance: | Undecided → High |
| assignee: | nobody → Balint Reczey (rbalint) |
| Balint Reczey (rbalint) wrote : | #15 |
Forwarded proposed fix to systemd upstream: https:/
| Changed in systemd (Ubuntu): | |
| status: | New → Confirmed |
| status: | Confirmed → In Progress |
| Changed in gdm3 (Ubuntu): | |
| status: | Confirmed → Invalid |
| Changed in plymouth (Ubuntu): | |
| status: | Confirmed → Invalid |
| description: | updated |
| Seth Arnold (seth-arnold) wrote : | #16 |
Use CVE-2018-20839.
Thanks
| Dan Streetman (ddstreet) wrote : | #17 |
This may have caused a regression upstream, see
https:/
| Dan Streetman (ddstreet) wrote : | #18 |
@rbalint, this is still in eoan-proposed, can you get it pushed out to eoan-updates (or revert it)?
| Dan Streetman (ddstreet) wrote : | #19 |
> can you get it pushed out to eoan-updates (or revert it)?
sorry i meant eoan-release
also, see discussion in #ubuntu-devel, I'll revert this patch in my upload to eoan, so that the regression can be figured out.
| Launchpad Janitor (janitor) wrote : | #20 |
This bug was fixed in the package systemd - 240-6ubuntu9
---------------
systemd (240-6ubuntu9) eoan; urgency=medium
* Fix typpo in storage test.
File: debian/
https:/
* Fix bashism
File: debian/
https:/
systemd (240-6ubuntu8) eoan; urgency=medium
* Only restart resolved on changes in dhclient enter hook.
This prevents spurious restarts of resolved on rebounds when
the addresses did not change. (LP: #1805183)
Author: Julian Andres Klode
File: debian/
https:/
* Wait for cryptsetup unit to start, before stopping.
Patch from cascardo. Plus small refactor for readability. (LP: #1814373)
File: debian/
https:/
* Wait for systemctl is-system-running state.
File: debian/
https:/
systemd (240-6ubuntu7) eoan; urgency=medium
* Revert "Add check to switch VTs only between K_XLATE or K_UNICODE"
This reverts commit 60407728a1a4531
Files:
- debian/
- debian/
https:/
* Cherrypick missing systemd-stable patches to unbreak wireguard peer endpoints.
Signed-off-by: Dimitri John Ledkov <email address hidden> (LP: #1825378)
Author: Dan Streetman
Files:
- debian/
- debian/
- debian/
- debian/
https:/
* Remove expected failure from passing test.
Signed-off-by: Dimitri John Ledkov <email address hidden> (LP: #1829450)
Author: Dan Streetman
File: debian/
https:/
* Fix false negative checking for running jobs after boot.
Signed-off-by: Dimitri John Ledkov <email address hidden> (LP: #1825997)
Author: Dan Streetman
File: debian/
https:/
* Cherrypick ask-password: prevent buffer ...
| Changed in systemd (Ubuntu): | |
| status: | In Progress → Fix Released |
| Dimitri John Ledkov (xnox) wrote : | #21 |
This is still not fixed.
| Changed in systemd (Ubuntu): | |
| status: | Fix Released → Confirmed |
| Michael Biebl (mbiebl) wrote : | #22 |
Looking at the discussion at https:/
Could users who can reliably reproduce the issue post if they have plymouth installed and if so, which version?
| Michael Biebl (mbiebl) wrote : | #23 |
@rbalint if you can reliably reproduce the issue, it would probably be a good idea if you follow up on that upstream bug tracker
| Dan Streetman (ddstreet) wrote : | #24 |
> Looking at the discussion at https:/
I noticed that, however that points to:
https:/
which was added to plymouth in the bug preceeding this one, bug 1767918
https:/
so, that specific patch doesn't seem to fix it, or at least not entirely...
| Dan Streetman (ddstreet) wrote : | #26 |
added info from previous comment to the upstream freedesktop bug.
| tags: | added: ddstreet |
| Changed in systemd (Ubuntu): | |
| assignee: | Balint Reczey (rbalint) → nobody |
| tags: | removed: ddstreet |
Hello Thomas, can you please report back what version of plymouth you have installed?
dpkg -l plymouth | grep ^ii
Thanks