Light Display Manager

LightDM keeps plain text login password in memory

Bug #1717490 reported by Sven Blumenstein
266
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Light Display Manager
Triaged
Medium
Unassigned
lightdm (Ubuntu)
Confirmed
Undecided
Unassigned

Bug Description

The lightdm process keeps the user password in memory, if the lightdm-greeter is used. This seems to be the case on Ubuntu up to the recent 17.04 version. The issue was validated with lightdm 1.22.0-0ubuntu2 (17.04) and 1.10.6-0ubuntu1 (14.04)

Example:

root@victim:~# ps fauxw | grep lightdm
root 889 0.0 0.2 379344 8436 ? SLsl 12:43 0:00 /usr/sbin/lightdm
root 968 1.3 1.8 379900 72804 tty7 Ssl+ 12:43 0:01 \_ /usr/lib/xorg/Xorg -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
root 1103 0.0 0.1 243564 6724 ? Sl 12:43 0:00 \_ lightdm --session-child 12 19
root 2074 0.0 0.0 21328 976 pts/0 S+ 12:45 0:00 \_ grep --color=auto lightdm
root@victim:~# gcore 1103
[...]
Saved corefile core.1103
root@victim:~# strings core.1103 | grep -A5 -B5 secretpassword
ttyCH0
ttyCH1
#...ttyCH63
# Moxa Intellio serial
_pammodutil_getspnam_svbl_2
secretpassword
gkr_system_authtok
-UN*X-FAIL-svbl
svbl
1000:1000:svbl,,,
/home/svbl
root@victim:~#

As far as I can tell it seems that the password is not cleared form memory after passing it to PAM. This is not a direct vulnerability or breaking a security boundary (root access required to dump the memory) but it seems not to be necessary for lightdm to keep the pw in memory.

A similar issue was reported to gnome-keyring-daemon, where the need of keeping the password is a bit more understandable (https://bugzilla.gnome.org/show_bug.cgi?id=764014).

Do you see any reason why LightDM needs to keep the password in memory?

Revision history for this message
Sven Blumenstein (svbl) wrote :

Any update on this?

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Thanks for subscribing us Sven, this bug was invisible until then.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

BTW, is there a reason to keep this bug private? It doesn't directly allow privilege escalation, it feels like the privacy is unneeded here.

Thanks

Revision history for this message
Sven Blumenstein (svbl) wrote :

That is up to you, I just felt to rather be cautious just in case this has side effects I am not aware of. :)

Revision history for this message
Philipp Kern (pkern) wrote :

I suppose most of the time authentication childs actually exit? There's a lot of indirection in the source because it's a child that communicates with the greeter through another daemon. But AFAICS it expects PAM to free() the strings:

        // callers of this function inside pam will expect to be able to call
        // free() on the strings we give back. So alloc with malloc.
        r->resp = read_string_full (malloc);

And hence there's no scrubbing: It expects PAM to do that. But if we look at the documentation:

       The other arguments of a call to conv() concern the information
       exchanged by module and application. That is to say, num_msg holds the
       length of the array of pointers, msg. After a successful return, the
       pointer resp points to an array of pam_response structures, holding the
       application supplied text. The resp_retcode member of this struct is
       unused and should be set to zero. It is the caller's responsibility to
       release both, this array and the responses themselves, using free(3).
       Note, *resp is a struct pam_response array and not an array of
       pointers.

       The number of responses is always equal to the num_msg conversation
       function argument. This does require that the response array is
       free(3)'d after every call to the conversation function. The index of
       the responses corresponds directly to the prompt index in the
       pam_message array.

Naively I'd say that the callback approach as implemented in lightdm is actually leaking the memory because it calloc()s the responses array in the callback and then passes the pointer to PAM to be done with it. Hence there's also nothing that'd go and scrub the memory afterwards.

Seth Arnold (seth-arnold)
information type: Private Security → Public Security
Robert Ancell (robert-ancell)
Changed in lightdm:
importance: Undecided → Medium
status: New → Triaged
Marc Deslauriers (mdeslaur)
Changed in lightdm (Ubuntu):
status: New → Confirmed
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.