Date: Mon, 07 Jan 2013 21:58:49 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: vladz <vladz@...zero.fr>
Subject: Re: /dev/ptmx timing

On 01/07/2013 03:23 PM, vladz wrote:
> 
> Hi list,
> 
> I noticed that it was possible to measure inter-keystroke timing
> thanks to the /dev/ptmx character device.  Any local user that is
> using a pseudo-terminal can be targeted.
> 
> As it may also be used to disclose sensitive information such as
> password length, I was wondering if it should be treated as a
> security issue?
> 
> Description + PoC: http://vladz.devzero.fr/013_ptmx-timing.php.
> 
> Not sure right now, but I think the only way to solve this is to
> modify the pts handling at kernel level.  Any opinions on that?
> 
> Thanks, vladz.

Confirmed, as a normal user I can watch /dev/ptmx for keystroke activity.

Please use CVE-2013-0160 for this issue.

Also from previous research I have seen:

http://users.ece.cmu.edu/~dawnsong/papers/ssh-timing.pdf
http://www.stanford.edu/~mlustig/SSH.ppt
http://www.stanford.edu/~mlustig/ssh_report.pdf

/dev/ptmx would be ideal as you'd have no jitter to deal with and you
could combine it with "w" and/or "ps" so you could for example
correlate a user starting SSH up and then capture the timing of their
username (followed by a pause) and then the password (followed by a
pause) and so on.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
