pam-gnome-keyring.so reveals user’s password credential in plaintext form

Bug #1772919 reported by Seong-Joong Kim
Affects                 | Status       | Importance | Assigned to | Milestone
gnome-keyring (Ubuntu)  | Fix Released | Undecided  | Unassigned  |
Trusty                  | Fix Released | Undecided  | Unassigned  |
Xenial                  | Fix Released | Undecided  | Unassigned  |

Bug Description

When I perform a memory dump of the session-child process, the user’s login credentials, including the user account and its password, are revealed in plaintext form.

In the ‘pam_sm_authenticate’ function, the user’s password is stored in heap memory via ‘pam_handle->data’ so that the keyring can be unlocked later.

After unlocking the keyring, the pam module does not free/overwrite the memory area, though the password is no longer used.

We could thus find the user’s login credentials.

This raises concerns over the credential being misused for illegal behavior, such as acquiring the user’s session key.

It would be better to clean the heap memory.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: gnome-keyring 3.18.3-0ubuntu2
ProcVersionSignature: Ubuntu 4.13.0-36.40~16.04.1-generic 4.13.13
Uname: Linux 4.13.0-36-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.15
Architecture: amd64
CurrentDesktop: Unity
Date: Wed May 23 22:53:12 2018
InstallationDate: Installed on 2018-04-20 (32 days ago)
InstallationMedia: Ubuntu 16.04.4 LTS "Xenial Xerus" - Release amd64 (20180228)
SourcePackage: gnome-keyring
UpgradeStatus: No upgrade log present (probably fresh install)
upstart.gnome-keyring-ssh.log: grep: /home/sungjungk/.config/autostart/gnome-keyring-ssh.desktop: No such file or directory
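The lifetime problem the report describes, shown as an added C example (not code from gnome-keyring, the attached patch, or the reporter): a small stand-in for the PAM module's data slot holds a heap copy of the password, the "leaky" open_session leaves it in place after the unlock, and the "fixed" variant wipes, frees and nulls it as soon as the unlock is done. The struct, the unlock_keyring stub and the function names are assumptions made for the example; the real module stores its data through the PAM API.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

/* Constructed model of a PAM module's per-handle data slot (assumption:
 * the real module keeps its copy of the password via pam_set_data()). */
struct pam_module_data {
    char  *password;   /* heap copy of the login password */
    size_t len;
};

/* Call memset through a volatile function pointer so the compiler cannot
 * drop the "dead" store that zeroes a buffer just before free(). */
static void *(*const volatile wipe_memset)(void *, int, size_t) = memset;

void secure_wipe(void *p, size_t n) {
    if (p && n) wipe_memset(p, 0, n);
}

/* pam_sm_authenticate-style step: keep a copy of the password for the
 * later keyring unlock. Returns 0 on success, -1 on allocation failure. */
int stash_password(struct pam_module_data *d, const char *pw) {
    d->len = strlen(pw);
    d->password = malloc(d->len + 1);
    if (!d->password) return -1;
    memcpy(d->password, pw, d->len + 1);
    return 0;
}

/* Stand-in for "unlock the keyring": consumes the password once. */
static bool unlock_keyring(const char *pw) {
    return pw != NULL && pw[0] != '\0';
}

/* Before the fix: the password is used and then simply left in the heap,
 * so it stays readable for the lifetime of the process. */
bool open_session_leaky(struct pam_module_data *d) {
    return unlock_keyring(d->password);
}

/* After the fix: wipe, free and null the slot once the unlock is done. */
bool open_session_fixed(struct pam_module_data *d) {
    bool ok = unlock_keyring(d->password);
    secure_wipe(d->password, d->len);
    free(d->password);
    d->password = NULL;
    d->len = 0;
    return ok;
}

/* Check: is the plaintext still readable from the (still allocated) slot? */
bool plaintext_still_present(const struct pam_module_data *d, const char *pw) {
    return d->password != NULL && strcmp(d->password, pw) == 0;
}

/* Check: does secure_wipe really zero every byte? Verified before free(),
 * since reading freed memory would be undefined behaviour. */
bool wipe_clears_buffer(const char *pw) {
    size_t n = strlen(pw);
    char *buf = malloc(n + 1);
    if (!buf) return false;
    memcpy(buf, pw, n + 1);
    secure_wipe(buf, n);
    bool clear = true;
    for (size_t i = 0; i < n; i++)
        if (buf[i] != 0) clear = false;
    free(buf);
    return clear;
}

int main(void) {
    const char *pw = "constructed-sample-password";  /* constructed input */
    struct pam_module_data leaky = {0}, fixed = {0};

    stash_password(&leaky, pw);
    open_session_leaky(&leaky);
    printf("leaky slot still holds plaintext: %d\n",
           (int)plaintext_still_present(&leaky, pw));

    stash_password(&fixed, pw);
    open_session_fixed(&fixed);
    printf("fixed slot still holds plaintext: %d\n",
           (int)plaintext_still_present(&fixed, pw));

    /* clean up the leaky copy so the demo itself does not leave it behind */
    secure_wipe(leaky.password, leaky.len);
    free(leaky.password);
    return 0;
}
```

On glibc 2.25 and later, explicit_bzero() does what secure_wipe() does here and is the usual choice; the volatile-pointer form is the portable fallback. The point the example makes is that the fix is about lifetime, not just free(): the copy must be zeroed before its memory is released, and the pointer cleared so nothing reuses it.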

CVE References: CVE-2018-20781

Marc Deslauriers (mdeslaur) wrote :

Hi!

Thanks for reporting this issue. Could you please file it with the upstream project here:

https://gitlab.gnome.org/GNOME/gnome-keyring/issues

Once you've done that, please add a link to the bug here.

Thanks!

Changed in gnome-keyring (Ubuntu):
status: New → Incomplete
Seong-Joong Kim (sungjungk) wrote :

I reported this issue to the upstream project: https://gitlab.gnome.org/GNOME/gnome-keyring/issues/3

This bug has already been fixed in the latest version (gnome-keyring 3.28).

Currently, however, this bug has been reproduced on every release from artful back to trusty; only bionic is unaffected.

The maintainer suggests that it would be better to backport the fix.

However, this backport has a series of library dependency issues on previous Ubuntu versions (please check the following URL: https://launchpad.net/~sungjungk/+archive/ubuntu/gnome-keyring).

Furthermore, it looks more like a security issue and should get a security release/patch.

An attacker can obtain the session key/path using this bug; then gnome-keyring, which contains a series of credentials, is easily compromised, just by calling a couple of Secret Service APIs via D-Bus.

Many thanks!!

information type: Private Security → Public Security
Simon Quigley (tsimonq2) wrote :

Setting to new because they submitted it upstream.

Changed in gnome-keyring (Ubuntu):
status: Incomplete → New
Seong-Joong Kim (sungjungk) wrote :

Please check the attached patch applied on gnome-keyring 3.28.
(see https://bug781486.bugzilla-attachments.gnome.org/attachment.cgi?id=350049)

Changed in gnome-keyring (Ubuntu):
status: New → Fix Released
Changed in gnome-keyring (Ubuntu Trusty):
status: New → Confirmed
Changed in gnome-keyring (Ubuntu Xenial):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnome-keyring - 3.10.1-1ubuntu4.4

---------------
gnome-keyring (3.10.1-1ubuntu4.4) trusty-security; urgency=medium

  * SECURITY UPDATE: credentials exposed in memory (LP: #1772919)
    - debian/patches/CVE-2018-20781.patch: destroy the password in
      pam_sm_open_session in pam/gkr-pam-module.c.
    - CVE-2018-20781

 -- Marc Deslauriers <email address hidden> Thu, 14 Feb 2019 08:32:24 -0500

Changed in gnome-keyring (Ubuntu Trusty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnome-keyring - 3.18.3-0ubuntu2.1

---------------
gnome-keyring (3.18.3-0ubuntu2.1) xenial-security; urgency=medium

  * SECURITY UPDATE: credentials exposed in memory (LP: #1772919)
    - debian/patches/CVE-2018-20781.patch: destroy the password in
      pam_sm_open_session in pam/gkr-pam-module.c.
    - CVE-2018-20781

 -- Marc Deslauriers <email address hidden> Thu, 14 Feb 2019 08:26:56 -0500

Changed in gnome-keyring (Ubuntu Xenial):
status: Confirmed → Fix Released