Data Breach Flaw Found In Gnome-terminal, Xfce Terminal and Terminator

suso writes "A design flaw in the VTE library was published this week. The VTE library provides the terminal widget and manages the scrollback buffer in many popular terminal emulators including gnome-terminal, xfce4-terminal, terminator and guake. Due to this flaw, your scrollback buffer ends up on your /tmp filesystem over time and can be viewed by anyone who gets ahold of your hard drive. Including data passed back through an SSH connection. A demonstration video was also made to make the problem more obvious. Anyone using these terminals or others based on libVTE should be aware of this issue as it even writes data passed back through an SSH connection to your local disk. Instructions are also included for how to properly deal with the leaked data on your hard drive. You are either encouraged to switch terminals and/or start using tmpfs for your /tmp partition until the library is fixed."

Skynet

[Talderas]

We have a means to strike back at Skynet using this breach in the Terminator systems!

Aterm

[phrostie]

Aterm seems to be ok.
i don't see it listed as using libVTE

http://packages.debian.org/wheezy/aterm

tmpfs

[Sloppy]

You are either encouraged to switch terminals and/or start using tmpfs for your /tmp partition until the library is fixed.

Once you go tmpfs, why would you ever go back, VTE flaws or not? tmpfs kicks ass.

Then encrypt your swap (random key every boot; you don't even need to know a key to be coerced from you) and you have a safe /tmp.

Re:tmpfs

[Ceriel+Nosforit]

In some countries, it is illegal for you not to divulge the key to properly warranted authorities - even if you don't know what it is.

So what? In my country blasphemy is illegal. I'm not from the Middle East either, I'm a Finn. - Sometimes you just have to, grow a backbone, fuck Jesus in the ass and break the law.

Re:tmpfs

[Rashkae]

*Sigh*, this again. No matter how much memory you have, some of it will end up with accumulated cruft that rarely needs to be read/changed. That ram would be better used freed up (swapped out) and used for cache instead. And 2 GB is nothing compared to a modern Desktop (gnome, Unity, KDE, take your pic.) If you do any kind of multitaking of large applications, you need a minimum of 8GB before you can be safely swap free.

Re:tmpfs

[MrNemesis]

Swap files may grow, but the speed of hard drives doesn't scale along with everything else. Take a good platter-based drive and you're lucky to see reads/writes of 20MB/s assuming little to no HDD contention, especially since swap is typically highly random non-sequential 4k access. RAID that up or us an SSD and you might get 50MB/s. Lets say you have a 512MB swap, as I do, it'll take 10s to read the whole thing. Take a 512GB swap (like one poor server I found at work - someone was following the appallingly stone-aged adage about swap=mem*2) and all of a sudden it's going to take you 3 hours to read back all that virtual memory.

Compare that with some old memory, say some DDR-333, which has a transfer rate of over 2GB/s. Compare with the DDR3 in my workstation, capable of 12GB/s.

Back when we were limited to miniscule amount of memory, lots of swap made sense because memory was horrifically expensive and it didn't take *that* long to read/write to, because the total amount of memory was still fairly small in comparison. But these days you're looking at wait times of 30 minutes or more if you want your entire swap space to be double your memory and to be used by the OS.

Stick with a small swap file and not much crap ever gets written to disc, saving you the horror of having to reset a server for the umpteenth time when it's been grinding on its system disc for five minutes trying to page in the OOM killer.

Not a bug

This is not a bug. This is exactly how /tmp is meant to be used. It is no different from sensitive data from your internet cache being stored on the hard drive.

If your garbage data is sensitive, you should encrypt /tmp, or mount a tmpfs there.

Re:How is this *really* a problem?

[jesseck]

While the system is running, yes, you either need to be root or run an exploit which escalates your privileges so you can see the temp file. When the disk is removed from the system you don't need to be root to read the files. Nor would you need to be root if you booted from a LiveCD.

hello, this occurs with swap too

[WatchMaster]

This is true of vi and many other programs. The exact same issue occurs with the swap partition.

Anyone can solve this problem, just mount /tmp and swap using dm-crypt with a new random password every reboot. The partitions are perfectly good while the computer is booted, but are inintelligible afterwards.

Re:How is this *really* a problem?

[Cley+Faye]

Surely you missed this part of the summary (you didn't even need to read the article):

and can be viewed by anyone who gets ahold of your hard drive

When dealing with real security needs, you might want to know if data only seen through SSH end up on your hard-drive.

Re:How is this *really* a problem?

[fuzzyfuzzyfungus]

If you are using a persistent /tmp, 'root' is anybody who mounts the HDD...

Now, if you want scrollback data to be persistent across reboots, you have to suck it up and dump it to disk somewhere(user home might be a slightly better idea, since support for encrypting your home directory is slightly easier than for encrypting the entire disk); but if that isn't a requirement you probably don't want it touching the disk at all(unless you are in a very memory constrained and swapless environment where getting OOM killed every time something unexpectedly verbose happens would be really annoying).

Re:How is this *really* a problem?

[skids]

It's a particular problem if you A) don't run on entirely encrypted partitions, and B) have your kit stolen or get rooted. Your biggest problem is that you had your kit stolen or got rooted, however, this problem effects the damage control process.

Usually when you have a compromise you assume that only data that is "on the host" is compromised, and any data from other hosts is only compromised if it happened to be viewed after you got rooted (because the attacker could have been keylogging.) With cleartext from encrypted sessions hitting disk, this means that data could be sitting around in unused block in /tmp for years, so once you get rooted you have to assume everything ever done on other machines using a terminal on that machine has been exposed. So if you edited your corporate HQ's VPN PSK 2 years ago, that may still be on your disk.

tmp is less likely to be on an encrypted media than other filesystems, because it is usually expected to be a performance bottleneck.

The good news is that in many cases the data never got flushed back to disk and stayed in the filesystem buffers, but for high security concerns this is little consolation.

Re:Doesn't sound like a flaw to me

[skids]

People in the know know about cli history files. They don't necessarily expect data viewed in a terminal window to hit disk. It may or may not be a "flaw" depending on your opinion as to what appropriate security measures amount to, but it's worth an awareness campaign.

Who doesn't have /tmp as a tmpfs at this point?

[Mysticalfruit]

considering how much /tmp gets used, having it in memory is one of the quickest ways to boost the performance of your system...

Umm

[Viol8]

If someone has physically stolen your computer then the thief being able to read old terminal sessions is the least of your worries.

Re:Umm

[gzipped_tar]

The problem is your terminal history may include data from other hosts, decrypted. Therefore it's not just "your" worries.

Re:Umm

[behdad]

You have to read the bugzilla report carefully to see what this story is about. I'm the developer being [bf]lamed. I offered to find time on a weekend and fix the issue. But the reporter ignored my offer and went ahead to post this on as many places as it could. In the report, he masks that, and instead says I don't consider it a bug. The report is intentionally written misinformed IMO. Which makes me think the true story is that he wanted to get some publicity...

Re:Umm

[Shark]

Bug aside, from reading the rest of these threads, it seems to me like GNOME devs are getting quite a bad reputation these days. Sure, there's no way to make everyone happy and I wouldn't expect anyone to undertake this sort of impossible challenge. This being said, all the scorn must come from somewhere. My humble opinion is that once you reach a critical mass of users, enforcing a new grand-vision that the majority of those users (the ones who acutally chose to use GNOME, not those who don't know what a DE is) do not agree with is very likely to cause quite a bit of backlash... Case in point, GNOME developers as a whole being bashed for what essentially is one bug in one lib by one person.

Sure, there's a large portion of users who aren't technical whom one might think they are catering to when they remove features considered 'too complex'. The fact is though that these are the people who don't even care what DE they're using, they're not loyal customers, they're just not interested in what you've done so long as it works for them. The only base GNOME has truly alienated is the base that had made a very conscious and educated choice to use that DE on its technical merits, the ones who felt that the DE allowed them to work the way they want to work. Sure you can change all that but only at the cost of those users. They don't take kindly to what pretty much amounts to: Look, the way you used your computer is stupid, we'll force our alternative on you.

So, as the flames rage on and you feel the burn, remember that the GNOME team doused itself in gasoline prior to this.

Re:Umm

[Whitemice]

I'm a long time GNOME user, not a GNOME developer.

Bug aside, from reading the rest of these threads, it seems to me like GNOME devs are getting quite a bad reputation these days

Nope, they rock. When KDE did there big roll-out of KDE4 the lists *EXPLODED* with the wailing and gnashing of teeth. KDE4 arrived stable and that loud minority either adapted or went on the something else. Much the same thing happened with GNOME3 - although less than I expected. I moved to GNOME3 from GNOME2 and within a week it was clear that it was a superior system. But some adaptation was required.

And this particular bug is nonsense. Basically: if someone steals your harddrive they can read your data! Really? Wow, that's a surprise. This has always been true, is true of /home, /var. and everything else unless you encrypt everything.

This being said, all the scorn must come from somewhere.

Yes, it comes from a vocal minority who don't realize all these changes where discussed and made out-in-the-open. Now they enjoy pitching a fit and claiming the design changes are somehow being forced upon them.

My humble opinion is that once you reach a critical mass of users, enforcing a new grand-vision that the majority of those users (the ones who acutally chose to use GNOME,

Well, I'm one that uses GNOME ~9 hours a day. For work.

GNOME developers as a whole being bashed for what essentially is one bug in one lib by one person.

Eh. Spend time producing ANY kind of content and you'll eventually get someone who thinks they can get themselves some BLOG karma by bashing you.

The only base GNOME has truly alienated is the base that had made a very conscious and educated choice to use that DE on its technical merits, the ones who felt that the DE allowed them to work the way they want to work.

I want to work efficiently. GNOME3 lets me do that... more than GNOME2 did. This is an important distinction from, based on mail list traffic, people who apparently *NEED* to see the real-time weather report for three cities in the panel clock in order to be productive. I think the group primarily 'alienated' by GNOME3 are the "tweakers". They have a computer almost for the sole purpose of tweaking the appearance of the user-interface. One reads much of those posts and says "eh? really? don't you have something to *do*.".

we'll force our alternative on you.

The use of the term "force" in this context is bogus.

remember that the GNOME team doused itself in gasoline prior to this

Nah, they doused themselves with awesome.

Re:Is konsole affected?

[suso]

I haven't had time to look into it completely, but when you have konsole set to unlimited scrollback mode, it will create files in /tmp/kde-username/konsole*.tmp that have your scrollback buffer. It is encoded somehow, but its there. I'm not sure if its encrypted or not. I found out about it because when I talked with the libvte developer (Behdad), he said that he looked at the code in Konsole to see how they did it before writing the implementation in libvte.

How is this is this different to shell history?

[Viol8]

Various shells store command history as a .[shell name]_history file in the users home directory which can be left between sessions. Thats happened for years and root can view that too.

Sure, this may be a bug but frankly its a non issue.

Re:How is this is this different to shell history?

[truedfx]

Aside from that, shell history doesn't contain anything not entered into the shell. Particularly, it doesn't contain anything entered into another remote shell.

Overblown

[AliasMarlowe]

...to have my command history stolen!

That would be in your .bash_history file (or whatever you name it locally).

Really, this is way overblown by calling it a "data breach": it's not as if your data is compromised to a remote attacker. It requires that somebody else has your disk. As we all know, if your hardware is stolen/confiscated/impounded/seized/whatever, only encryption can keep your data safe. Apparently, even that can be circumvented by legal compulsion.

Re:Overblown

[masternerdguy]

The real problem is disk space usage. Eventually that file may grow to millions of terrabytes. This is the memory leak from hell.

Re:Overblown

[behdad]

That's misinformed. Vte creates files in /tmp, and immediately delete them. So, the space will be reclaimed as soon as the terminal tab in question is closed. I know this is how it works, because that's how I wrote it.

Re:Overblown

So on a running system (using LUKS or not), any user that has read-permissions on the block device (members of i.e. group disk) containing /tmp will be able to see all other user's input? how sweet! And why delete them? A process that uses a file to write data, will keep using this space until closed anyway, so you might as well just show they're actually there taking up space? Or is there something in these files that isn't supposed to be easily seen? oh wait.

This is not only a risk for offline filesystems (when the disks are yanked out), but also for running systems with multiple users (i.e. using freenx, x2go, etc). While fully admitting my complete and utter inability to program sh*t, I do feel this is to be considered a grave security issue, not even .

Re:Overblown

[AliasMarlowe]

Yes, temp data is written to /tmp/

Indeed. And everything created in /tmp also has drwx------ permissions (by default on all of my systems). So even with several users simultaneously logged-in, the files of one user in /tmp are not accessible to other logged-in users except those with root privileges, and they can access almost anything anyway, if they want to.

Which is not to say it couldn't be done better, so that it would not be available to others - not even root, and not even if the disk were stolen. Suggestions for this include having /tmp encrypted with unique-per-login key, or using a RAM-only /tmpfs instead. Many additional precautions would be needed to bring security of other user data to comparable levels.

As a "data breach", this is rather overblown.

I'd be a little miffed

[DarkOx]

If I were the author of this library I'd be a little annoyed. The article is written as if the library does something wrong. It does not. It stores data on /tmp, which is there to be used as scratch space. To read the file you have to be the owner or root, which has been true of every process that has written there since before my years. This is perfect correct.

Okay some uses might not expected their terminal emulator to keep temporary files. Yes if your disk is appropriated someone not root in your environment might be able to read it. Which is true of basically any process that writes anything to disk anywhere; even ones that don't. Suppose my system is under enough VM pressure that my good old fashion xterm gets paged out? Why scroll back buffer data, which might even have come from SSH would be right there on my disk! OH! NOS!

If you are dealing with a system that is physically insecure, like a laptop, or machine in a public spot, or information that is so sensitive you'd be more concerned about it being out there than the fact that your hard disk or entire system has gone missing; there is a solution for that. Its called disk encryption! If you use Linux it won't even cost you anything!

Scrollback is for noobs

[trev.norris]

Seriously. Disable scrollback and use screen. You're life will improve.

Re:Is konsole affected?

[zeldor]

It looks like only if the scrollback size is unlimited or at least really huge.
I have 1000 line scroll back and konsole creates no such files in /tmp.

Re:How is this *really* a problem?

[allo]

what about terminal-history in your swap-partition?

Re:Yet another reason to switch to KDE permanently

[behdad]

Anonymous Coward,

You may want to read the end of this comment before jumping to conclusions:

    https://bugzilla.gnome.org/show_bug.cgi?id=664611#c10

Ie. I offered to fix it, before the report was published. And the report is deliberately misinformed to make it look like I said I don't have any intention to fix it. And the report author tweetted [1] "Apparently not a lot of people read Slashdot anymore or RTFA. I've only had 971 hits to the article so far. :-(", which makes me believe that his true intention was to get Slashdot / Reddit / Hacker News bragging rights. Comes handy if you are a sysadmin I guess...

behdad

[1] https://twitter.com/#!/climagic/status/177796284755873793

VT100

[Zoxed]

Yet another reason to use a VT100 hooked up to the serial port !

I fixed it for you

[KeesCook]

I opened this bug back in 2011: https://bugs.launchpad.net/ubuntu/+source/vte/+bug/778872 I've also fixed it now. See the patch: https://bugs.launchpad.net/ubuntu/+source/vte/+bug/778872/+attachment/2836456/+files/stream-mem.patch

Re:How is this *really* a problem?

[Sipper]

Very much in agreement, but in some instances there are additional features that further mitigate this at least in the long-term.

With cleartext from encrypted sessions hitting disk, this means that data could be sitting around in unused block in /tmp for years, so once you get rooted you have to assume everything ever done on other machines using a terminal on that machine has been exposed.

One piece of good news is that some systems erase /tmp on startup. Debian does this, for one. But also last I knew, other systems don't. Someone had reported about a year ago that Fedora didn't do this, for instance. It came up because the poor guy was using a Debian-based box and had copied his entire home directory into /tmp, rebooted, and expected to copy it back. Oops. That got into discussion of which systems erased /tmp and which didn't.

Additionally I've found that some newer Linux kernels in the 3.x series (at least 3.2) seem to mount /tmp as a tiny tmpfs filesystem, rather than using the root filesystem. [I've checked, and this is not something done in /etc/fstab. There's a tiny chance this might be something done via the initrd image, though.] tmpfs is still backed by swap, however.

Re:How is this *really* a problem?

[Sipper]

One piece of good news is that some systems erase /tmp on startup. Debian does this, for one.

Yes and no... Debian (and most other systems, I might add) only deletes the files/dirs that are still present on the filesystem (i.e. what "find" can find on /tmp). It doesn't try to securely wipe those data blocks or the data blocks that wasn't part of any of those files.

Damn good point. I stand corrected.

The last part is important, cause in the case of libvte, the file is open()'ed, then unlink()'ed right away, thereby no longer showing up on the filesystem even though the file is still in-use. The close() won't happen until the terminal is closed. In other words: As the file is no longer present on the filesystem, it won't be deleted (again) from /tmp and the data blocks won't be wipe. Therefore the old data will still be present on the disk even after a reboot.

I think you're right. :-/

You could probably change the boot script to use a more secure wipe of the files it's deleting, but that still won't help you in this case as the file in question was already delete long before the reboot. A complete wipe of /tmp's device won't be a good idea either, unless you're absolutely sure /tmp is on its own device, i.e. if /tmp is just an ordinary dir on /, you don't want to wipe all of / on boot up.

I suppose one option would be a "secure wipe on free space" via the sfill command from the secure-delete package on the filesystem that /tmp is mounted on.

IIRC at some point certain filesystems had a flag to set for a "secure delete" option, which would fill files erased with zeros when a file link count reached zero, but I don't recall whether any of these were actually implemented.