LightDM keeps plain text login password in memory
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Light Display Manager | Triaged | Medium | Unassigned |
lightdm (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
The lightdm process keeps the user password in memory, if the lightdm-greeter is used. This seems to be the case on Ubuntu up to the recent 17.04 version. The issue was validated with lightdm 1.22.0-0ubuntu2 (17.04) and 1.10.6-0ubuntu1 (14.04).
Example:
root@victim:~# ps fauxw | grep lightdm
root 889 0.0 0.2 379344 8436 ? SLsl 12:43 0:00 /usr/sbin/lightdm
root 968 1.3 1.8 379900 72804 tty7 Ssl+ 12:43 0:01 \_ /usr/lib/xorg/Xorg -core :0 -seat seat0 -auth /var/run/
root 1103 0.0 0.1 243564 6724 ? Sl 12:43 0:00 \_ lightdm --session-child 12 19
root 2074 0.0 0.0 21328 976 pts/0 S+ 12:45 0:00 \_ grep --color=auto lightdm
root@victim:~# gcore 1103
[...]
Saved corefile core.1103
root@victim:~# strings core.1103 | grep -A5 -B5 secretpassword
ttyCH0
ttyCH1
#...ttyCH63
# Moxa Intellio serial
_pammodutil_
secretpassword
gkr_system_authtok
-UN*X-FAIL-svbl
svbl
1000:1000:svbl,,,
/home/svbl
root@victim:~#
As far as I can tell it seems that the password is not cleared from memory after passing it to PAM. This is not a direct vulnerability or breaking a security boundary (root access required to dump the memory) but it seems not to be necessary for lightdm to keep the pw in memory.
A similar issue was reported to gnome-keyring-
Do you see any reason why LightDM needs to keep the password in memory?
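The remediation pattern this report points at, as an added example (not LightDM's code and not part of the original report): the password buffer is wiped on every path once the authentication call returns. `authenticate_and_wipe`, `auth_fn`, `demo_backend` and `residual_bytes` are hypothetical names, and the backend is a constructed stand-in for the call that hands the password to PAM.

```c
#include <stddef.h>
#include <string.h>

/* Volatile stores so the compiler cannot drop the wipe as a dead store
 * (a plain memset right before free/return may be optimized away). */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
}

/* Hypothetical stand-in for the call that passes the password to PAM. */
typedef int (*auth_fn)(const char *user, const char *password);

/* Constructed backend for the demo: accepts one sample credential pair. */
static int demo_backend(const char *user, const char *password)
{
    return strcmp(user, "svbl") == 0 && strcmp(password, "secretpassword") == 0;
}

/* Authenticate, then wipe the whole buffer (capacity, not strlen) whether
 * authentication succeeded or failed. Returns 1 on success, 0 otherwise. */
int authenticate_and_wipe(const char *user, char *pw_buf, size_t pw_cap,
                          auth_fn backend)
{
    int ok = 0;
    if (user && pw_buf && pw_cap > 0 && backend) {
        pw_buf[pw_cap - 1] = '\0';      /* force termination before use */
        ok = backend(user, pw_buf) ? 1 : 0;
    }
    if (pw_buf)
        secure_wipe(pw_buf, pw_cap);
    return ok;
}

/* Number of non-zero bytes still present in a buffer after the wipe. */
size_t residual_bytes(const void *p, size_t n)
{
    const unsigned char *b = (const unsigned char *)p;
    size_t left = 0;
    for (size_t i = 0; i < n; i++)
        left += (b[i] != 0);
    return left;
}

int main(void)
{
    char pw[64] = "secretpassword";     /* constructed sample input */
    int ok = authenticate_and_wipe("svbl", pw, sizeof pw, demo_backend);
    return (ok == 1 && residual_bytes(pw, sizeof pw) == 0) ? 0 : 1;
}
```

This clears only the buffer the caller owns; any copy made further down the call chain has to be wiped by the code that made it.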
information type: Private Security → Public Security
Changed in lightdm:
importance: Undecided → Medium
status: New → Triaged
Changed in lightdm (Ubuntu):
status: New → Confirmed
Any update on this?