========================================================================
Vulnerability Affecting FireGPG Passphrase and Cleartext Recovery
10/20/2008
Abstract
FireGPG is a Firefox extension that provides a front-end to GPG,
allowing webmail users to conveniently exchange GPG messages from
Firefox.
Unfortunately, the way that FireGPG handles the user's passphrase and
decrypted cleartext is not secure and may result in the compromise of
secure communication or a users's private key.
========================================================================
Description
FireGPG does its encrypt/decrypt/sign/verify operations by shelling out
to a locally installed GPG executable. The problem is that instead of
using stdin/stdout to pass information, it writes everything to disk
and passes the files as arguments.
When a user receives an encrypted email and asks FireGPG to decrypt it,
FireGPG prompts the user for her passphrase and then creates three
temporary files. One for the ciphertext, one for the resulting
cleartext (!), and one for the user's passphrase (!). The user's
passphrase is then written to disk, and the temporary file in which it
resides is passed to the gpg executable as a command-line argument. The
cleartext from the decrypt operation is then written to disk as well,
from where it is subsequently read and displayed to the user. The same
process occurs for emails that are being encrypted and signed. Notably,
in the latter cases the pre-encrypted cleartext is written to disk, as
is the passphrase for the signing key.
Obviously, there are a number of attack vectors here. If an adversary
were to seize the user's disk, they would easily be able to recover the
passphrase used in previous FireGPG operations. In that case, all past
correspondence secured by that key would be compromised. Even if the
user had just changed their passphrase and hadn't used FireGPG since
then, the adversary would be still be able to recover copies of
decrypted and pre-encrypted cleartext emails that touched the disk.
Additionally, as another vector of attack, the temporary files that
FireGPG creates for storing this information are constructed with
predictable filenames. It is possible for someone with an account on
the same machine to exploit the race condition that results at the time
these files are created, such that the output from a decrypt operation
is written to a symlink which points to a file that they own -- thus
eliminating the need for data recovery. There is a working exploit for
this.
========================================================================
Severity
Users who are serious about securing their data and communication
against a threat model that includes others gaining access to their
machines (either through hardware seizure or multiple user accounts)
should change their passphrases and scrub their disks.
=========================================================================
Affected Versions
All versions of FireGPG previous to 0.6 are vulnerable. Version 0.6 was
released on 10/17/2008 in response to this issue.
- moxie
--
Thoughtcrime: http://www.thoughtcrime.org
Audio Anarchy: http://www.audioanarchy.org
Anarchist Yacht Clubb: http://www.blueanarchy.org
{"id": "SECURITYVULNS:DOC:20757", "vendorId": null, "type": "securityvulns", "bulletinFamily": "software", "title": "FireGPG Passphrase And Cleartext Vulnerability", "description": "========================================================================\r\nVulnerability Affecting FireGPG Passphrase and Cleartext Recovery\r\n10/20/2008\r\n\r\nAbstract\r\n\r\nFireGPG is a Firefox extension that provides a front-end to GPG,\r\nallowing webmail users to conveniently exchange GPG messages from\r\nFirefox.\r\n\r\nUnfortunately, the way that FireGPG handles the user's passphrase and\r\ndecrypted cleartext is not secure and may result in the compromise of\r\nsecure communication or a users's private key.\r\n\r\n========================================================================\r\nDescription\r\n\r\nFireGPG does its encrypt/decrypt/sign/verify operations by shelling out\r\nto a locally installed GPG executable. The problem is that instead of\r\nusing stdin/stdout to pass information, it writes everything to disk\r\nand passes the files as arguments.\r\n\r\nWhen a user receives an encrypted email and asks FireGPG to decrypt it,\r\nFireGPG prompts the user for her passphrase and then creates three\r\ntemporary files. One for the ciphertext, one for the resulting\r\ncleartext (!), and one for the user's passphrase (!). The user's\r\npassphrase is then written to disk, and the temporary file in which it\r\nresides is passed to the gpg executable as a command-line argument. The\r\ncleartext from the decrypt operation is then written to disk as well,\r\nfrom where it is subsequently read and displayed to the user. The same\r\nprocess occurs for emails that are being encrypted and signed. Notably,\r\nin the latter cases the pre-encrypted cleartext is written to disk, as\r\nis the passphrase for the signing key.\r\n\r\nObviously, there are a number of attack vectors here. If an adversary\r\nwere to seize the user's disk, they would easily be able to recover the\r\npassphrase used in previous FireGPG operations. In that case, all past\r\ncorrespondence secured by that key would be compromised. Even if the\r\nuser had just changed their passphrase and hadn't used FireGPG since\r\nthen, the adversary would be still be able to recover copies of\r\ndecrypted and pre-encrypted cleartext emails that touched the disk.\r\n\r\nAdditionally, as another vector of attack, the temporary files that\r\nFireGPG creates for storing this information are constructed with\r\npredictable filenames. It is possible for someone with an account on\r\nthe same machine to exploit the race condition that results at the time\r\nthese files are created, such that the output from a decrypt operation\r\nis written to a symlink which points to a file that they own -- thus\r\neliminating the need for data recovery. There is a working exploit for\r\nthis.\r\n\r\n========================================================================\r\nSeverity\r\n\r\nUsers who are serious about securing their data and communication\r\nagainst a threat model that includes others gaining access to their\r\nmachines (either through hardware seizure or multiple user accounts)\r\nshould change their passphrases and scrub their disks.\r\n\r\n=========================================================================\r\nAffected Versions\r\n\r\nAll versions of FireGPG previous to 0.6 are vulnerable. Version 0.6 was\r\nreleased on 10/17/2008 in response to this issue.\r\n\r\n- moxie\r\n\r\n-- \r\nThoughtcrime: http://www.thoughtcrime.org\r\nAudio Anarchy: http://www.audioanarchy.org\r\nAnarchist Yacht Clubb: http://www.blueanarchy.org", "published": "2008-10-26T00:00:00", "modified": "2008-10-26T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20757", "reporter": "Securityvulns", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2018-08-31T11:10:28", "viewCount": 3333, "enchantments": {"score": {"value": -0.4, "vector": "NONE"}, "dependencies": {"references": []}, "backreferences": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:9384"]}]}, "exploitation": null, "affected_software": {"major_version": []}, "vulnersScore": -0.4}, "_state": {"dependencies": 1678962117, "score": 1684015796, "affected_software_major_version": 0, "epss": 1679322135}, "_internal": {"score_hash": "fe6ff756c3175603fa4d8f1e1ba2cca3"}, "sourceData": "", "affectedSoftware": [], "appercut": {}, "exploitpack": {}, "hackapp": {}, "toolHref": "", "w3af": {}}