Bug#903877: Credentials located in gnome-keyring can be extracted easily.

Seong-Joong Kim sungjungk at gmail.com
Fri Jul 13 10:20:08 BST 2018


Package: gnome-keyring
Version: 3.20.0-3
Severity: normal

Dear Maintainer,

I figured out that login credentials, located in gnome-keyring, can be easily
extracted.

Linux based on Gnome basically uses ‘gnome-keyring’ as its backend to store
login credentials in a secure manner. Specifically, the google-chrome browser,
network-manager and gnome-online-accounts use this as a backend solution to
store login credentials.

To use this, authentication is performed together with gnome-keyring as part of
‘pam-gnome-keyring.so’. At this point, it remains unlocked until the system is
shut down or logged out. In this state, a simple program that uses ‘Secret
Service API’ calls and their ‘D-Bus’ interface can easily retrieve login
credentials from the gnome-keyring without any privilege escalation, listening
into the X events going to another window, or installing an application on the
target computer.
(please check PoC source https://github.com/sungjungk/keyring_crack and video
https://youtu.be/Do4E9ZQaPck)

The issue is different from the content shown on the Ubuntu Security FAQ and
GnomeKeyring Wiki [1][2]. It was even said that “PAM session is closed via the
screensaver, all keyrings are locked, and the ‘login’ keyring is unlocked upon
successful authentication to the screensaver”. After trying to crack the
keyring, it was far from what they really thought. It is no different than a
plain text file for login credentials somewhere on disk.

To deal with this: the root cause of the problem is that the ‘Secret Service
API’ can be easily accessed by anyone over the DBus API. If access control is
enabled, only well-known? or authorized processes, such as google-chrome,
network-manager, and gnome-online-accounts, will be able to access the login
credentials.

DBus originally provides a capability that is essential to access control of
the DBus API, by defining a security policy in the form of a *.conf file.
Currently, various services based on the DBus interface employ the above
security policy feature to perform access control. For example, login/system
related functions are controlled from ‘login1’ and its security policy is
described in “org.freedesktop.login1.conf”. (see
https://github.com/systemd/systemd/blob/master/src/core/org.freedesktop.systemd1.conf)

Likewise, why don’t we try adopting access control of the secret service API
in the gnome-keyring environment?

Due to the fact that a process with root privilege can access the “.conf” file,
an approved program may only update the target file during the installation
process.

Here is a really simple ‘org.freedesktop.secrets.conf’ example.


<?xml version="1.0"?> <!--*-nxml-*-->
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
        "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">

<busconfig>
    <policy context="default">

        <!-- deny GetSecret to every sender by default -->
        <deny receive_sender="*"
                    receive_interface="org.freedesktop.Secret.Item"
                    receive_member="GetSecret"/>

        <!-- allow access to seahorse application (formerly keyring manager) -->
        <allow receive_sender="org.gnome.seahorse.Application"
                    receive_interface="org.freedesktop.Secret.Item"
                    receive_member="GetSecret"/>

        <!-- allow access to network-manager -->
        <allow receive_sender="org.freedesktop.NetworkManager"
                    receive_interface="org.freedesktop.Secret.Item"
                    receive_member="GetSecret"/>

        <!-- allow access to gnome-online-accounts -->
        <allow receive_sender="org.gnome.OnlineAccounts"
                    receive_interface="org.freedesktop.Secret.Item"
                    receive_member="GetSecret"/>

        ....

    </policy>
</busconfig>

Many Thanks!!

[1] https://wiki.ubuntu.com/SecurityTeam/FAQ#Contact

[2] https://wiki.gnome.org/Projects/GnomeKeyring/SecurityPhilosophy



-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gnome-keyring depends on:
ii  dbus-user-session [default-dbus-session-bus]  1.10.18-1
ii  dbus-x11 [dbus-session-bus]                   1.10.18-1
ii  dconf-gsettings-backend [gsettings-backend]   0.26.0-2+b1
ii  gcr                                           3.20.0-5.1
ii  libc6                                         2.24-11+deb9u1
ii  libcap-ng0                                    0.7.7-3+b1
ii  libcap2-bin                                   1:2.25-1
ii  libgck-1-0                                    3.20.0-5.1
ii  libgcr-base-3-1                               3.20.0-5.1
ii  libgcrypt20                                   1.7.6-2+deb9u3
ii  libglib2.0-0                                  2.50.3-2
ii  p11-kit                                       0.23.3-2
ii  pinentry-gnome3                               1.0.0-2

Versions of packages gnome-keyring recommends:
ii  libpam-gnome-keyring  3.20.0-3

gnome-keyring suggests no packages.

-- no debconf information
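
The rule ordering that the proposed policy depends on, as an added example that is not part of the original report nor code from gnome-keyring or D-Bus: a simplified Python model of dbus-daemon's documented behaviour that a later matching rule overrides an earlier one, run over a constructed policy. The helper names (`rule_matches`, `decide`, `audit`) and the sender `:1.99` are assumptions, and only the receive_* attributes are modelled.

```python
import xml.etree.ElementTree as ET

ITEM = "org.freedesktop.Secret.Item"

# Constructed policy modelled on the report's proposal (not a shipped file):
# deny GetSecret to every sender first, then allow selected bus names.
POLICY_XML = """
<busconfig>
  <policy context="default">
    <deny receive_sender="*" receive_interface="org.freedesktop.Secret.Item"
          receive_member="GetSecret"/>
    <allow receive_sender="org.gnome.seahorse.Application"
           receive_interface="org.freedesktop.Secret.Item"
           receive_member="GetSecret"/>
    <allow receive_sender="org.freedesktop.NetworkManager"
           receive_interface="org.freedesktop.Secret.Item"
           receive_member="GetSecret"/>
  </policy>
</busconfig>
"""

def rule_matches(rule, message):
    """A rule matches when every receive_* attribute it sets agrees with the message."""
    if not any(attr in rule.attrib for attr in message):
        return False  # e.g. an own= or send_* rule: not modelled here
    for attr, value in message.items():
        pattern = rule.get(attr)
        if pattern not in (None, "*") and pattern != value:
            return False
    return True

def decide(policy_xml, sender, interface, member, context="default"):
    """Return 'allow', 'deny', or None when no rule in the context matches."""
    message = {"receive_sender": sender, "receive_interface": interface,
               "receive_member": member}
    verdict = None
    for policy in ET.fromstring(policy_xml).iter("policy"):
        if policy.get("context") != context:
            continue
        for rule in policy:
            if rule.tag in ("allow", "deny") and rule_matches(rule, message):
                verdict = rule.tag  # a later matching rule overrides an earlier one
    return verdict

def audit(policy_xml, senders, interface=ITEM, member="GetSecret"):
    """Map each sender name to the verdict it would get for interface.member."""
    return {s: decide(policy_xml, s, interface, member) for s in senders}

if __name__ == "__main__":
    names = ["org.gnome.seahorse.Application", "org.freedesktop.NetworkManager", ":1.99"]
    for name, verdict in audit(POLICY_XML, names).items():
        print(f"{name:40} {verdict}")
```

Placing the catch-all `<deny receive_sender="*" .../>` after the `<allow>` entries makes `decide` return `deny` for every sender, which is why the deny rule has to come first in such a file.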

