|
=======================================================================Vulnerability Affecting FireGPG Passphrase and Cleartext Recovery
10/20/2008
Abstract
FireGPG is a Firefox extension that provides a front-end to GPG,
allowing webmail users to conveniently exchange GPG messages from
Firefox.
Unfortunately, the way that FireGPG handles the user's passphrase and
decrypted cleartext is not secure and may result in the compromise of
secure communication or a users's private key.
=======================================================================Description
FireGPG does its encrypt/decrypt/sign/verify operations by shelling out
to a locally installed GPG executable. The problem is that instead of
using stdin/stdout to pass information, it writes everything to disk
and passes the files as arguments.
When a user receives an encrypted email and asks FireGPG to decrypt it,
FireGPG prompts the user for her passphrase and then creates three
temporary files. One for the ciphertext, one for the resulting
cleartext (!), and one for the user's passphrase (!). The user's
passphrase is then written to disk, and the temporary file in which it
resides is passed to the gpg executable as a command-line argument. The
cleartext from the decrypt operation is then written to disk as well,
from where it is subsequently read and displayed to the user. The same
process occurs for emails that are being encrypted and signed. Notably,
in the latter cases the pre-encrypted cleartext is written to disk, as
is the passphrase for the signing key.
Obviously, there are a number of attack vectors here. If an adversary
were to seize the user's disk, they would easily be able to recover the
passphrase used in previous FireGPG operations. In that case, all past
correspondence secured by that key would be compromised. Even if the
user had just changed their passphrase and hadn't used FireGPG since
then, the adversary would be still be able to recover copies of
decrypted and pre-encrypted cleartext emails that touched the disk.
Additionally, as another vector of attack, the temporary files that
FireGPG creates for storing this information are constructed with
predictable filenames. It is possible for someone with an account on
the same machine to exploit the race condition that results at the time
these files are created, such that the output from a decrypt operation
is written to a symlink which points to a file that they own -- thus
eliminating the need for data recovery. There is a working exploit for
this.
=======================================================================Severity
Users who are serious about securing their data and communication
against a threat model that includes others gaining access to their
machines (either through hardware seizure or multiple user accounts)
should change their passphrases and scrub their disks.
========================================================================Affected Versions
All versions of FireGPG previous to 0.6 are vulnerable. Version 0.6 was
released on 10/17/2008 in response to this issue.
- moxie
--
Thoughtcrime: http://www.thoughtcrime.org
Audio Anarchy: http://www.audioanarchy.org
Anarchist Yacht Clubb: http://www.blueanarchy.org