This bug was fixed in the package ecryptfs-utils - 73-0ubuntu1
---------------
ecryptfs-utils (73-0ubuntu1) jaunty; urgency=low
[ Dustin Kirkland ]
Userspace fixes for LP: #345544, CVE-2009-0787
* src/utils/ecryptfs-rewrite-file: new script, to rewrite a file,
forcing it to be re-encrypted when written to disk
* doc/manpage/ecryptfs-rewrite-file.1: documentation added
Unrelated fixes in this release
* src/utils/ecryptfs-mount-private, src/utils/ecryptfs-setup-private,
src/utils/ecryptfs-setup-swap: use head/line for prompting and reading
input
[ Michal Hlavinka ]
* ecryptfs-setup-private: don't fail with syntax error when kernel
module not loaded
* *.desktop: make desktop files standards compliant
* umount.ecryptfs: don't sigsegv when arguments are missing
-- Dustin Kirkland <[email protected]> Fri, 20 Mar 2009 17:26:13
-0500
** Changed in: ecryptfs-utils (Ubuntu Jaunty)
Status: In Progress => Fix Released
--
ecryptfs stores ram contents in plaintext in the container as padding
https://bugs.launchpad.net/bugs/345544
You received this bug notification because you are a member of eCryptfs,
which is a direct subscriber.
Status in eCryptfs - Enterprise Cryptographic Filesystem: In Progress
Status in “ecryptfs-utils” source package in Ubuntu: Fix Released
Status in “linux” source package in Ubuntu: Fix Released
Status in ecryptfs-utils in Ubuntu Jaunty: Fix Released
Status in linux in Ubuntu Jaunty: Fix Released
Bug description:
Environment:
Linux flst61nb 2.6.28-gentoo-r2 #4 SMP Tue Mar 17 12:38:43 CET 2009 x86_64
Intel(R) Core(TM)2 Duo CPU T8300 @ 2.40GHz GenuineIntel GNU/Linux
When looking at the contents of the encrypted files I see random content of my
System RAM.
Including the content of ~/.ssh/known_hosts, firefox Cache (html page headers)
etc.
It seems ecryptfs fails in padding the files, it even seems that the padding is
done after encryption.
To reproduce:
# mkdir ecryptfs_base
# sudo mount -t ecryptfs ecryptfs_base ecryptfs_base
# cd ecryptfs_base/
# for ((i=0;i<10000;i++)); do dd if=/dev/zero of=$(date +"%s-$i") bs=1 count=1
>/dev/null 2>&1; done
# cd ..
# sudo umount ecryptfs_base/
# strings ecryptfs_base/*
Most of the files contain the String _CONSOLE, some contain just filenames,
some the contents of random files.
An attacker with access to the underlying filesystem thus can find random data
of the system using ecryptfs lying around in plain inside the files.
I also found the contents of /etc/mtab in some of the files...
/tmp/ecryptfs_base /tmp/ecryptfs_base ecryptfs
rw,ecryptfs_sig=90fe7cccfdb1a0ba,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
so one can find out which key was used to mount the fs
In addition I think there could also be private data of privileged processes
run by root in some of the files, so an attacker could use ecryptfs to read
(kernel?) memory and might find a password or similar.
_______________________________________________
Mailing list: https://launchpad.net/~ecryptfs
Post to : [email protected]
Unsubscribe : https://launchpad.net/~ecryptfs
More help : https://help.launchpad.net/ListHelp
