oss-sec mailing list archives
Re: /dev/ptmx timing
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 07 Jan 2013 21:58:49 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/07/2013 03:23 PM, vladz wrote:
> Hi list,
>
> I noticed that it was possible to measure inter-keystroke timing thanks to the /dev/ptmx character device. Any local user that is using a pseudo-terminal can be targeted.
>
> As it may also be used to disclose sensitive information such as password length, I was wondering if it should be treated as a security issue?
>
> Description + PoC: http://vladz.devzero.fr/013_ptmx-timing.php
>
> Not sure right now, but I think the only way to solve this is to modify the pts handling at kernel level. Any opinions on that?
>
> Thanks,
> vladz.
Confirmed, as a normal user I can watch /dev/ptmx for keystroke activity.

Please use CVE-2013-0160 for this issue.

Also from previous research I have seen:

http://users.ece.cmu.edu/~dawnsong/papers/ssh-timing.pdf
http://www.stanford.edu/~mlustig/SSH.ppt
http://www.stanford.edu/~mlustig/ssh_report.pdf

/dev/ptmx would be ideal as you'd have no jitter to deal with and you could combine it with "w" and/or "ps" so you could for example correlate a user starting SSH up and then capture the timing of their username (followed by a pause) and then the password (followed by a pause) and so on.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQ66eJAAoJEBYNRVNeJnmTevoQAJxHtqI1TbKxzhnmPyJiBEuM
0/MhJ9ZHdo/VQYyHDQT6hR+so0Gk3SDNRV9of8hNBR33CrxAgCW2SH8Cygwx4cs9
XyOW7HHDc5AIvo8CckvOl9zfEzZrdC5cbbqYGOZmLFeSGiAQcN0hwzuuHOYf90ly
QHzntWaFP+V8fJ5sD9Zygyscfq7pdui/us6Yr1PuOjjoXMiAOafjzLU3Uk50Cbms
RXu3A96QdnJQ2t52YYYa0lCLnA/9hKDR4LBWjrjKK+BXtNFsTYfaG9dMoEcseSx5
mk52wdHqShp8mLwTgW9YamMgSEpR4w2/jTtLsJo868ZK0p/CRsEfDnSTsBS9AZNP
ps4fCaqSz6AXydd35P275XRHmR0xV26URf2/8dehuRidgWuE2RVHxGMQy+LEhJg7
1R52IQdtXrvX4irmN/G23W1/AWqc02VD0EVQpUnqDHBXwWQRikXUqjvTUU6Bh0oc
lI28sx6JzBIVBHJsoB8ojmQ+vjUz8quUE+AMfqoVCnZp9PxSzEwMT3iTwYuUw/Ul
epJJFyvacvkOqj1W4kgqDl2Vjk5PINpnznKzR2+8AggKpJfGM2drOdVk+elWzl5I
KcWAiC64AmeuBbNYnuZYr94WQp6/zZ9cqLHX5tRoDbpOT+5vj9EBFTYNPSR/m5Rc
VabBXIAJPf5K9EaOuQRt
=jNow
-----END PGP SIGNATURE-----
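A defender-side exposure check for the behaviour the thread describes, added here as an example (it is not code from the thread and not vladz's PoC). It creates a pseudo-terminal of its own, pushes a byte through it twice a short interval apart, and reports whether the /dev/ptmx timestamps moved between the two writes; a kernel that updates them on every read and write is the one that lets any local user infer keystroke activity from stat() alone. The path /dev/ptmx, the 0.25 s gap and the function names are assumptions of this example. Pty activity from other users on the same host during the check can also move the timestamps, so confirm a positive result on a quiet machine.

```python
"""Exposure check for the /dev/ptmx timestamp side channel (CVE-2013-0160).

Added example, not code from the oss-sec thread or from vladz's PoC. It only
drives a pseudo-terminal that this process itself creates and asks one thing:
does the kernel move the timestamps of /dev/ptmx on every pty read/write, at
sub-second granularity? If so, stat() on that node leaks other users' typing.
"""
import os
import time
from typing import Optional, Tuple

PTMX = "/dev/ptmx"  # assumption: the multiplexer node that os.openpty() opens


def ptmx_stamps(path: str = PTMX) -> Tuple[int, int]:
    """(atime_ns, mtime_ns) of the multiplexer node, the two fields a watcher polls."""
    st = os.stat(path)
    return (st.st_atime_ns, st.st_mtime_ns)


def timestamps_changed(before: Tuple[int, int], after: Tuple[int, int]) -> bool:
    """True if either the access or the modification time moved between two samples."""
    return before != after


def _pump(master: int, slave: int) -> None:
    """Push one newline through the pty: write on the master side (what a terminal
    emulator or sshd does for a keystroke) and consume it on the slave side (what the
    user's shell does), so both kernel paths that touch the inode are exercised."""
    os.write(master, b"\n")   # in the default canonical mode a bare newline is
    os.read(slave, 64)        # delivered immediately, so this read does not block


def ptmx_leaks_io_timing(gap_seconds: float = 0.25) -> Optional[bool]:
    """Return True if a second pty write `gap_seconds` after the first moved the
    /dev/ptmx timestamps again (every I/O is visible: exposed), False if it left them
    untouched (updates are rate-limited or absent), None if no pty can be created here."""
    try:
        master, slave = os.openpty()
    except OSError:
        return None
    try:
        _pump(master, slave)        # first I/O may legitimately update the stamps once
        first = ptmx_stamps()
        time.sleep(gap_seconds)
        _pump(master, slave)        # second I/O shortly after: the telling one
        second = ptmx_stamps()
    finally:
        os.close(slave)
        os.close(master)
    return timestamps_changed(first, second)


if __name__ == "__main__":
    verdict = ptmx_leaks_io_timing()
    if verdict is None:
        print("no pseudo-terminal available; cannot assess")
    elif verdict:
        print("EXPOSED: /dev/ptmx timestamps track individual pty I/O")
    else:
        print("not exposed: /dev/ptmx timestamps did not follow the second write")
```

Run it as any unprivileged user; it needs no access to other users' terminals. Because the check reads the second sample immediately after the second write, a kernel that throttles timestamp updates to a multi-second window reports "not exposed" even though the first write may have refreshed the stamps.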
Current thread:
- /dev/ptmx timing vladz (Jan 07)
- Re: /dev/ptmx timing adam swanda (Jan 07)
- Re: /dev/ptmx timing Dmitry V. Levin (Jan 07)
- Re: /dev/ptmx timing Vasily Kulikov (Jan 07)
- Re: /dev/ptmx timing Dmitry V. Levin (Jan 07)
- Re: /dev/ptmx timing Kurt Seifried (Jan 07)
- Re: /dev/ptmx timing adam swanda (Jan 07)