** Information type changed from Private Security to Public Security

https://bugs.launchpad.net/bugs/1717490
Title:
  LightDM keeps plain text login password in memory

Status in Light Display Manager:
  New
Status in lightdm package in Ubuntu:
  New

Bug description:
  The lightdm process keeps the user password in memory, if the lightdm-greeter is used. This seems to be the case on Ubuntu up to the recent 17.04 version. The issue was validated with lightdm 1.22.0-0ubuntu2 (17.04) and 1.10.6-0ubuntu1 (14.04).

  Example:

    root@victim:~# ps fauxw | grep lightdm
    root 889 0.0 0.2 379344 8436 ? SLsl 12:43 0:00 /usr/sbin/lightdm
    root 968 1.3 1.8 379900 72804 tty7 Ssl+ 12:43 0:01 \_ /usr/lib/xorg/Xorg -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
    root 1103 0.0 0.1 243564 6724 ? Sl 12:43 0:00 \_ lightdm --session-child 12 19
    root 2074 0.0 0.0 21328 976 pts/0 S+ 12:45 0:00 \_ grep --color=auto lightdm
    root@victim:~# gcore 1103
    [...]
    Saved corefile core.1103
    root@victim:~# strings core.1103 | grep -A5 -B5 secretpassword
    ttyCH0
    ttyCH1
    #...ttyCH63
    # Moxa Intellio serial
    _pammodutil_getspnam_svbl_2
    secretpassword
    gkr_system_authtok
    -UN*X-FAIL-svbl
    svbl
    1000:1000:svbl,,,
    /home/svbl
    root@victim:~#

  As far as I can tell it seems that the password is not cleared from memory after passing it to PAM.

  This is not a direct vulnerability or breaking a security boundary (root access required to dump the memory) but it seems not to be necessary for lightdm to keep the pw in memory. A similar issue was reported to gnome-keyring-daemon, where the need of keeping the password is a bit more understandable (https://bugzilla.gnome.org/show_bug.cgi?id=764014).

  Do you see any reason why LightDM needs to keep the password in memory?
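The behaviour the report describes, next to the clearing it asks about, as an added example that is not part of the original report and is not LightDM's code. The session struct, auth_stub() and both login functions are hypothetical names constructed for this sketch, and region_contains() plays the role of the strings/grep check on the core file.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of a login session; not LightDM's data structure. */
struct session {
    char response[64];   /* copy of the typed password handed to the auth stack */
    int  authenticated;
};

/* Zero memory through a volatile pointer so the compiler cannot drop the
 * stores as dead writes (glibc >= 2.25 offers explicit_bzero() for this). */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Hypothetical stand-in for the PAM call that consumes the password. */
static int auth_stub(const char *pw)
{
    return strcmp(pw, "secretpassword") == 0;
}

/* Retaining variant: the copy stays in the session after authentication. */
int login_retaining(struct session *s, const char *typed)
{
    strncpy(s->response, typed, sizeof s->response - 1);
    s->response[sizeof s->response - 1] = '\0';
    s->authenticated = auth_stub(s->response);
    return s->authenticated;
}

/* Wiping variant: same flow, but the copy is cleared once it has been used. */
int login_wiping(struct session *s, const char *typed)
{
    int ok = login_retaining(s, typed);
    secure_wipe(s->response, sizeof s->response);
    return ok;
}

/* Byte search over a memory region, the in-process analogue of
 * `strings core | grep`. Returns 1 if needle occurs in the region. */
int region_contains(const void *region, size_t n, const char *needle)
{
    const unsigned char *r = (const unsigned char *)region;
    size_t m = strlen(needle);
    for (size_t i = 0; m && i + m <= n; i++)
        if (memcmp(r + i, needle, m) == 0) return 1;
    return 0;
}
```

Wiping one buffer only removes that copy: the caller's input buffer and any copy held elsewhere in the process would each need the same treatment.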