pam-gnome-keyring.so reveals user’s password credential as a plaintext form

Bug #1772919 reported by Seong-Joong Kim on 2018-05-23
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
gnome-keyring (Ubuntu)
Undecided
Unassigned
Trusty
Undecided
Unassigned
Xenial
Undecided
Unassigned

Bug Description

When I perform memory dump of session-child process, user’s login credential, including user accounts and their password, is revealed as a plaintext form.

In ‘pam_sm_authenticate’ function, user’s password is stored in the heap memory of ‘pam_handle->data” to perform unlock the keyring in later.

After unlocking the keyring, the pam module does not free/overwrite the memory area though the password is no longer used.

We thus could find user’s login credentials.

This raises concerns over the credential being misused for illegal behavior, such as acquiring user’s session key.

It would be better to clean the heap memory.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: gnome-keyring 3.18.3-0ubuntu2
ProcVersionSignature: Ubuntu 4.13.0-36.40~16.04.1-generic 4.13.13
Uname: Linux 4.13.0-36-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.15
Architecture: amd64
CurrentDesktop: Unity
Date: Wed May 23 22:53:12 2018
InstallationDate: Installed on 2018-04-20 (32 days ago)
InstallationMedia: Ubuntu 16.04.4 LTS "Xenial Xerus" - Release amd64 (20180228)
SourcePackage: gnome-keyring
UpgradeStatus: No upgrade log present (probably fresh install)
upstart.gnome-keyring-ssh.log: grep: /home/sungjungk/.config/autostart/gnome-keyring-ssh.desktop: No such file or directory

CVE References

Seong-Joong Kim (sungjungk) wrote :
Marc Deslauriers (mdeslaur) wrote :

Hi!

Thanks for reporting this issue. Could you please file it with the upstream project here:

https://gitlab.gnome.org/GNOME/gnome-keyring/issues

Once you've done that, please add a link to the bug here.

Thanks!

Changed in gnome-keyring (Ubuntu):
status: New → Incomplete
Seong-Joong Kim (sungjungk) wrote :

I reported this issue to the upstream project: https://gitlab.gnome.org/GNOME/gnome-keyring/issues/3

This bug has been already fixed the latest version (gnome-keyring 3.28).

Currently, however, this bug has been reproduced from artful to trusty except on bionic only.

Maintainer suggests that it would be better to backport the fix.

However, this backport has a series of library dependency issue on previous Ubuntu version. (please check the following url: https://launchpad.net/~sungjungk/+archive/ubuntu/gnome-keyring)

Furthermore, it looks more like security issue and should release security release/patch.

An attacker can obtain session key/path using this bug, then gnome-keyring that contains a series of credentials easily compromised, just call a couple of secret service api via dbus.

Many thanks!!

information type: Private Security → Public Security
Simon Quigley (tsimonq2) wrote :

Setting to new because they submitted it upstream.

Changed in gnome-keyring (Ubuntu):
status: Incomplete → New
Seong-Joong Kim (sungjungk) wrote :

Please check the attached patch applied on gnome-keyring 3.28.
(see https://bug781486.bugzilla-attachments.gnome.org/attachment.cgi?id=350049)

Changed in gnome-keyring (Ubuntu):
status: New → Fix Released
Changed in gnome-keyring (Ubuntu Trusty):
status: New → Confirmed
Changed in gnome-keyring (Ubuntu Xenial):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnome-keyring - 3.10.1-1ubuntu4.4

---------------
gnome-keyring (3.10.1-1ubuntu4.4) trusty-security; urgency=medium

  * SECURITY UPDATE: credentials exposed in memory (LP: #1772919)
    - debian/patches/CVE-2018-20781.patch: destroy the password in
      pam_sm_open_session in pam/gkr-pam-module.c.
    - CVE-2018-20781

 -- Marc Deslauriers <email address hidden> Thu, 14 Feb 2019 08:32:24 -0500

Changed in gnome-keyring (Ubuntu Trusty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnome-keyring - 3.18.3-0ubuntu2.1

---------------
gnome-keyring (3.18.3-0ubuntu2.1) xenial-security; urgency=medium

  * SECURITY UPDATE: credentials exposed in memory (LP: #1772919)
    - debian/patches/CVE-2018-20781.patch: destroy the password in
      pam_sm_open_session in pam/gkr-pam-module.c.
    - CVE-2018-20781

 -- Marc Deslauriers <email address hidden> Thu, 14 Feb 2019 08:26:56 -0500

Changed in gnome-keyring (Ubuntu Xenial):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers