ecryptfs stores ram contents in plaintext in the container as padding
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
eCryptfs |
Fix Released
|
Critical
|
Tyler Hicks | ||
ecryptfs-utils (Ubuntu) |
Fix Released
|
Critical
|
Unassigned | ||
Jaunty |
Fix Released
|
Critical
|
Unassigned | ||
linux (Ubuntu) |
Fix Released
|
Critical
|
Tim Gardner | ||
Jaunty |
Fix Released
|
Critical
|
Tim Gardner |
Bug Description
Environment:
Linux flst61nb 2.6.28-gentoo-r2 #4 SMP Tue Mar 17 12:38:43 CET 2009 x86_64 Intel(R) Core(TM)2 Duo CPU T8300 @ 2.40GHz GenuineIntel GNU/Linux
When looking at the contents of the encrypted files I see random content of my System RAM.
Including the content of ~/.ssh/known_hosts, firefox Cache (html page headers) etc.
It seems ecryptfs fails in padding the files, it even seems that the padding is done after encryption.
To reproduce:
# mkdir ecryptfs_base
# sudo mount -t ecryptfs ecryptfs_base ecryptfs_base
# cd ecryptfs_base/
# for ((i=0;i<
# cd ..
# sudo umount ecryptfs_base/
# strings ecryptfs_base/*
Most of the files contain the String _CONSOLE, some contain just filenames, some the contents of random files.
An attacker with access to the underlying filesystem thus can find random data of the system using ecryptfs lying around in plain inside the files.
I also found the contents of /etc/mtab in some of the files...
/tmp/ecryptfs_base /tmp/ecryptfs_base ecryptfs rw,ecryptfs_
so one can find out which key was used to mount the fs
In addition I think there could also be private data of privileged processes run by root in some of the files, so an attacker could use ecryptfs to read (kernel?) memory and might find a password or similar.
CVE References
Changed in ecryptfs: | |
assignee: | nobody → tyhicks |
importance: | Undecided → Critical |
Changed in ecryptfs: | |
status: | New → Confirmed |
Changed in ecryptfs-utils (Ubuntu): | |
importance: | Undecided → Critical |
status: | New → Confirmed |
Changed in ecryptfs: | |
status: | Confirmed → In Progress |
Changed in ecryptfs: | |
status: | In Progress → Fix Committed |
I just took another look at the patch a realized I wasn't freeing the multiple pages allocated with ecryptfs_ get_zeroed_ pages() . I also realized that neither of the ecryptfs_ write_metadata_ to_*() functions were using the crypt_stat, so I removed those function params.
I'm attaching an updated patch that also has a slightly more descriptive commit message.