Closed Bug 286703 Opened 20 years ago Closed 19 years ago

Password found in core file

Categories

(Thunderbird :: Security, defect)

Other
Linux
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 298539

People

(Reporter: a_rvind_j, Assigned: dveditz)

Details

(Keywords: privacy)

User-Agent:       Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.5) Gecko/20041202 Firefox/1.0
Build Identifier: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.5) Gecko/20041202 Firefox/1.0

The core file generated by Thunderbird contains the password in clear text.

Reproducible: Always

Steps to Reproduce:
1. Really doesn't matter what causes the core dump

Actual Results:  
Search the core file for the password and it can be found

Expected Results:  
I understand that the app needs to remember the password to present to the mail
server for periodic fetches. That still does not justify holding the password in
cleartext for the entire duration of the session.
Here's how I think it could be done better.
1) When Thunderbird installs for the first time, let it generate a random token
and save it with the preferences on the disk.
2) The actual executable can load the encrypted key at start of each instance.
When it wishes to present the credentials to the server, let it read the key
from the disk, present the clear text password and immediately do a bzero/memset
of the variables holding the password and the key retrieved from the disk. Note
that merely assigning a new value in the case of a string class may not do the
trick. It is very essential to clear the memory location holding the password,
not just free it.

This way, the duration for which the cleartext password is held in the memory is
greatly reduced and most core dumps won't have the problem.

The concerns are
* the core file is readable by other users of the machine
* users may send their core file to others for debugging without realizing that
they are sharing their password
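
The wipe-after-use step proposed in the report, combined with two OS-level controls that keep a secret out of core files, as an added example that is not part of the original bug report or Thunderbird's code. `secret_alloc`, `login_once`, `present_to_server`, `residue` and the 4096-byte capacity are hypothetical names and values chosen for illustration; `MADV_DONTDUMP` is Linux-specific and is skipped where it is not defined.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>

#define SECRET_CAP 4096  /* assumed capacity of the secret mapping */

/* Zero memory through a volatile pointer so the stores are not
 * optimised away as dead writes before the buffer is released. */
void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Ask the kernel not to write core files for this process. */
int disable_core_dumps(void) {
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Dedicated mapping for the secret; on Linux it is also excluded
 * from core dumps even if they are enabled for the process. */
char *secret_alloc(void) {
    void *p = mmap(NULL, SECRET_CAP, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
#ifdef MADV_DONTDUMP
    (void)madvise(p, SECRET_CAP, MADV_DONTDUMP);  /* best effort */
#endif
    return (char *)p;
}

/* Hypothetical stand-in for presenting credentials to the mail server. */
static int present_to_server(const char *pw) { return pw[0] ? 0 : -1; }

/* Use the password once, then wipe it regardless of the outcome. */
int login_once(char *secret) {
    int rc = present_to_server(secret);
    secure_wipe(secret, SECRET_CAP);
    return rc;
}

/* Count bytes that are still non-zero, to check the wipe. */
size_t residue(const char *secret) {
    size_t n = 0;
    for (size_t i = 0; i < SECRET_CAP; i++) n += secret[i] != 0;
    return n;
}
```

The wipe only covers the buffer it is given; copies made by string classes, I/O buffers or the network stack need the same treatment to be kept out of a dump.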
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: privacy
Whiteboard: [sg:fix]
Why is the core file visible to other users of the machine?  That sounds like a
serious security hole in Linux or your configuration that could be exploited to
do all kinds of things, not just read Thunderbird passwords.

This bug would be very hard to fix, because the password probably appears in
variables and buffers, and wouldn't have much benefit.  Fixing this bug would
also hurt performance.

See also bug 298539.
I wrote a C++ program designed to crash (cout << (char*)2;) and let it crash on
gradlab.ucsd.edu.  The core file created had the following permissions:

-rw-------   1 jruderma grad       104992 Jul 28 12:11 core

If your core files can be accessed by someone who wouldn't be able to access the
program's memory directly, your operating system (FreeBSD) or configuration has
a serious security hole.

*** This bug has been marked as a duplicate of 298539 ***
Group: security
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:fix]