Wait, are we talking about the potential for an attacker to:

1. Load a Trojan/Virus on their PC that allows remote access
2. ...Who the $^#% cares at that point?!

Once security has been breached at point #1, it doesn't matter.  The PC is 
already impacted.  Re-format, restart, reload, and change all of your security 
information, passwords, keys, etc.

The private key is already vulnerable.  Hell, -memory- is already vulnerable.  
Everything is in plaintext if you find the right memory location.  There's no 
way to fix that, especially if the attacker has admin/root access.  Everything 
is compromised.  There's no point in trying to lock down the app for that sort 
of critical security failure.

"The best way to protect a server is to unplug the network cable, put it in a 
lock box, throw away the key, and bury it.  Even then, there's still a small 
chance it might be compromised."

Brendan Byrd <byr...@insightcom.com>
System Integration Analyst (NOC Web Developer)

-----Original Message-----
From: otr-dev-boun...@lists.cypherpunks.ca 
[mailto:otr-dev-boun...@lists.cypherpunks.ca] On Behalf Of Dimitris Glynos
Sent: Saturday, February 25, 2012 11:20 AM
To: de...@pidgin.im
Cc: otr-dev@lists.cypherpunks.ca
Subject: Re: [OTR-dev] private messages on dbus

On 12/21/2011 02:49 AM, Dimitris Glynos wrote:
> On 12/21/2011 01:11 AM, k...@hxbc.us wrote:
>> On Tue, 20 Dec 2011 12:02:38 +0200, Dimitris Glynos wrote:
>>> Hello all,
>>> I was wondering if pidgin could allow for certain chat types to be 
>>> flagged as private and not transmit these over dbus.
>>> I don't know how much dbus is hardwired to pidgin (is it used also 
>>> for capturing the messages displayed on the pidgin GUI?) but the 
>>> fact that a local attacker can access OTR plaintext from a dbus 
>>> session monitor is quite unnerving.
>> a local attacker can already ptrace the pidgin process and do pretty 
>> much anything.
> Yes, the word 'local' is used incorrectly in the original post.
> Consider a remote attacker that exploits some app running in the same 
> desktop session as pidgin. It is trivial to fork-exec a dbus session 
> monitor from there and retrieve the sensitive info.
> Now, regarding ptrace, although it was generally possible in the past 
> to attach to processes of the same user, this has been restricted 
> somewhat in modern distros. Specifically, distros like Ubuntu allow 
> (non-root) ptrace only to processes that are children of the 
> ptrace-caller.
> For more info on this, have a look here:
> https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#ptrace_Protection
> Hope this clarifies things a bit,

Coming back to this after a while. You may now find an advisory and a 
proof-of-concept script for the DBUS info leak here:


This issue has received CVE-2012-1257.

It would be good to see this issue addressed in the next release of pidgin and 
pidgin-otr. Most users would be surprised to find that their private chatting 
is somehow accessible to other apps.

Best regards,

http://census-labs.com -- IT security research, development and services 
OTR-dev mailing list