Pinentry makes it awfully easy to snoop all passwords entered by the user

Branko Majic branko at majic.rs
Wed Aug 28 20:03:58 CEST 2013


On Wed, 28 Aug 2013 17:39:56 +0200
Niklas Schnelle <niklas.schnelle at gmail.com> wrote:

> Dear GnuPG Devs,
> 
> First, I do understand this is not really a security vulnerability, as it is
> rooted in the very design of pinentry; still, it looks like a major problem
> to me.
> 
> So, as I understand it, pinentry is used to request a password from the user
> and it then sends that password to the requesting process via a pipe. The
> problem here is that this makes it a lot easier to snoop passwords than if
> gnupg read them in a more direct way. To demonstrate this I've created a
> script [1] that waits for a pinentry process to start and then uses strace
> to get a trace of the syscall used to write the password to the pipe. This
> makes snooping on users' gpg passwords extremely easy. One simply runs the
> script and it outputs the clear-text passwords of all pinentry-based
> password entries, plus some strace output I was too lazy to remove. Of
> course an attacker needs access to the user's account or root access, but
> in many settings this is quite easy to achieve (e.g. a trojan, or an admin
> snooping on its users). Now, if gnupg read the password itself, it would at
> least be harder to grep for it in its trace, and it might get even harder
> with more secure input like what Wayland wants to provide in the future.
> What do you girls/guys think?
> 
> Greetings Niklas Schnelle
> 
> [1] http://pastebin.com/79t1ATzx

I'm not a developer, but, to be honest, if you get user or root access
to a machine, your account (or the whole machine, in the case of root) is
completely compromised anyway, so you can obtain the PIN code in a
multitude of ways - replacing the gpg binary with a custom one, for
example.

The only real defense against this is to use a (proper) smart-card reader
with a built-in PIN pad. When I say "proper", I mean one where the PIN
code won't leave the reader at all (there have been cases of PIN pads
where the PIN still goes happily to the computer, but they masked it
via the driver).

Now, the main question is - does using piping make it in any way
possible for another, non-root, user to obtain the PIN code? If not,
piping is still probably good enough.

Best regards

-- 
Branko Majic
Jabber: branko at majic.rs
Please use only Free formats when sending attachments to me.

Бранко Мајић
Jabber: branko at majic.rs
Please send attachments to me exclusively in free formats.