Date: Mon, 07 Jan 2013 21:58:49 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: vladz <vladz@...zero.fr>
Subject: Re: /dev/ptmx timing

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/07/2013 03:23 PM, vladz wrote:
>
> Hi list,
>
> I noticed that it was possible to measure inter-keystroke timing
> thanks to the /dev/ptmx character device. Any local user that is
> using a pseudo-terminal can be targeted.
>
> As it may also be used to disclose sensitive information such as
> password length, I was wondering if it should be treated as a
> security issue?
>
> Description + PoC: http://vladz.devzero.fr/013_ptmx-timing.php.
>
> Not sure right now but I think the only way to solve this is to
> modify the pts handling at kernel level. Any opinions on that?
>
> Thanks, vladz.

Confirmed, as a normal user I can watch /dev/ptmx for keystroke
activity. Please use CVE-2013-0160 for this issue.

Also from previous research I have seen:

http://users.ece.cmu.edu/~dawnsong/papers/ssh-timing.pdf
http://www.stanford.edu/~mlustig/SSH.ppt
http://www.stanford.edu/~mlustig/ssh_report.pdf

/dev/ptmx would be ideal as you'd have no jitter to deal with and you
could combine it with "w" and/or "ps" so you could for example
correlate a user starting SSH up and then capture the timing of their
username (followed by a pause) and then the password (followed by a
pause) and so on.
- --
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQ66eJAAoJEBYNRVNeJnmTevoQAJxHtqI1TbKxzhnmPyJiBEuM
0/MhJ9ZHdo/VQYyHDQT6hR+so0Gk3SDNRV9of8hNBR33CrxAgCW2SH8Cygwx4cs9
XyOW7HHDc5AIvo8CckvOl9zfEzZrdC5cbbqYGOZmLFeSGiAQcN0hwzuuHOYf90ly
QHzntWaFP+V8fJ5sD9Zygyscfq7pdui/us6Yr1PuOjjoXMiAOafjzLU3Uk50Cbms
RXu3A96QdnJQ2t52YYYa0lCLnA/9hKDR4LBWjrjKK+BXtNFsTYfaG9dMoEcseSx5
mk52wdHqShp8mLwTgW9YamMgSEpR4w2/jTtLsJo868ZK0p/CRsEfDnSTsBS9AZNP
ps4fCaqSz6AXydd35P275XRHmR0xV26URf2/8dehuRidgWuE2RVHxGMQy+LEhJg7
1R52IQdtXrvX4irmN/G23W1/AWqc02VD0EVQpUnqDHBXwWQRikXUqjvTUU6Bh0oc
lI28sx6JzBIVBHJsoB8ojmQ+vjUz8quUE+AMfqoVCnZp9PxSzEwMT3iTwYuUw/Ul
epJJFyvacvkOqj1W4kgqDl2Vjk5PINpnznKzR2+8AggKpJfGM2drOdVk+elWzl5I
KcWAiC64AmeuBbNYnuZYr94WQp6/zZ9cqLHX5tRoDbpOT+5vj9EBFTYNPSR/m5Rc
VabBXIAJPf5K9EaOuQRt
=jNow
-----END PGP SIGNATURE-----
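The mail confirms that an unprivileged local process can observe /dev/ptmx activity, but it does not say how a defender would notice such a process on a host. The script below is an added example, not code from the thread or from vladz's PoC: it lists processes that hold an inotify watch on a given inode, and resolves /dev/ptmx to its inode so the watch list can be checked for that device (CVE-2013-0160 is catalogued as an inotify-observable channel, which is the assumption behind looking at inotify watches specifically). It assumes a Linux kernel of 3.8 or later, where /proc/PID/fdinfo/FD exposes inotify watches as "inotify wd:.. ino:<hex> sdev:<hex> mask:.." lines; the function names and the PROC_ROOT parameter are this example's own, and the parameter exists so the scan can be pointed at a constructed tree for testing.

```shell
#!/bin/sh
# Added example (not from the original mail): hunt for processes holding an
# inotify watch on an inode such as /dev/ptmx.
#
# Assumption: kernel >= 3.8 prints inotify watches in /proc/<pid>/fdinfo/<fd>
# as lines of the form
#   inotify wd:1 ino:a sdev:6 mask:8003e ignored_mask:0 ...
# with the inode number in hex. Only the ino field is matched here; the sdev
# field uses the kernel's internal dev_t encoding, which does not line up
# with what stat(1) prints in the general case, so it is reported but not
# filtered on.

# watchers_of_inode INO_HEX [PROC_ROOT]
# Prints "pid fd" for every inotify descriptor that watches inode INO_HEX.
# PROC_ROOT defaults to /proc; a different root lets the scan run over a
# constructed fdinfo tree.
watchers_of_inode() {
    ino_hex=$1
    proc_root=${2:-/proc}
    for fdinfo in "$proc_root"/[0-9]*/fdinfo/*; do
        # Unreadable or non-existent entries (other users' processes when not
        # root, or an unmatched glob) are skipped.
        [ -r "$fdinfo" ] || continue
        if grep -q "^inotify .*ino:${ino_hex} " "$fdinfo" 2>/dev/null; then
            pid=${fdinfo#"$proc_root"/}
            pid=${pid%%/*}
            fd=${fdinfo##*/}
            printf '%s %s\n' "$pid" "$fd"
        fi
    done
}

# ptmx_watchers [PROC_ROOT]
# Resolves /dev/ptmx to its inode number (stat prints decimal, fdinfo uses
# hex) and lists the processes watching it.
ptmx_watchers() {
    ino_dec=$(stat -c '%i' /dev/ptmx) || return 1
    watchers_of_inode "$(printf '%x' "$ino_dec")" "$1"
}

# Stand-alone use: `sh this_script.sh --scan` prints "pid fd" pairs; run as
# root to see every process rather than only your own. Each hit is a process
# worth inspecting with `ps -p PID -o user,cmd`.
if [ "${1:-}" = "--scan" ]; then
    ptmx_watchers
fi
```

Running as an ordinary user only shows that user's own processes, since other users' fdinfo entries are not readable; for a host-wide check run it as root. An empty result on a kernel older than 3.8 means nothing, because those kernels do not expose inotify watches in fdinfo at all.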