
You're taking the p... Linux encryption app Cryptkeeper has universal password: 'p'

Give 'p's a chance... no?

By Darren Pauli


Linux encryption app Cryptkeeper has a bug that causes it to use a single-letter universal decryption password: "p".

The flawed version is in Debian 9 (Stretch), currently in testing, but not in Debian 8 (Jessie). The bug appears to be the result of a bad interaction with the command-line interface of encfs, the encrypted filesystem Cryptkeeper wraps: Cryptkeeper invokes encfs and tries to select paranoia mode with a simulated "p" keypress on encfs's stdin. Instead, encfs takes that single letter as the password, so every folder Cryptkeeper creates ends up protected by the password "p".

Cryptkeeper's developer appears to have abandoned the project. Luckily, it is not used by that many people, although that makes the bug no less tragically hilarious. To pass parameters to encfs, it essentially executes this code, writing into the pipe connected to the child's stdin:

write (fd[1], "p\n", 2);                    /* intended as the "p" keypress that selects paranoia mode */
write (fd[1], password, strlen (password)); /* intended as the real password */
write (fd[1], "\n", 1);                     /* return values of all three write() calls are ignored */

However, encfs is executed with the -S switch, which means it is supposed to read the password from stdin without prompting, taking the first line it receives as the password. Previously, encfs did not fully honour that switch, so the extra "p" line was consumed as the mode selection Cryptkeeper intended. A bugfix brought encfs's behaviour into line with its documentation, and that made it incompatible with Cryptkeeper's assumption about the order of the conversation.

So that is why Cryptkeeper sets all its directory passwords to "p": with the corrected encfs, the first line on stdin is the password, and the first line Cryptkeeper sends is "p". The real password that follows is never used.
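The following is an added example (not Cryptkeeper's or encfs's own code) that models the pipe interaction just described. A small reader stands in for `encfs -S`, taking the first line on stdin as the password, and two writers feed it: one replaying Cryptkeeper's original three write() calls, the other sending only the password and checking what write() returns. Function names, the stand-in reader, and the sample password are this example's own assumptions; the point it shows is that the original sequence yields the password "p" regardless of what the user typed.

```c
/* Added example: models the Cryptkeeper -> "encfs -S" stdin handshake.
 * Not code from Cryptkeeper or encfs; the reader below only imitates the
 * documented "-S" behaviour (first line on stdin is the password). */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Write the whole buffer, retrying on short writes and EINTR.
 * Returns 0 on success, -1 on error (errno set by write()). */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Cryptkeeper's original sequence: a simulated "p" keypress for paranoia
 * mode, then the password. Return values are deliberately ignored, as in
 * the original, to reproduce its behaviour. */
static void feed_buggy(int fd, const char *password)
{
    (void)write(fd, "p\n", 2);
    (void)write(fd, password, strlen(password));
    (void)write(fd, "\n", 1);
}

/* Corrected sequence for "encfs -S": only the password goes down stdin
 * (configuration choices belong in command-line options, not keystrokes),
 * and every write is checked. Returns 0 on success, -1 on error. */
static int feed_fixed(int fd, const char *password)
{
    if (write_all(fd, password, strlen(password)) < 0)
        return -1;
    if (write_all(fd, "\n", 1) < 0)
        return -1;
    return 0;
}

/* Stand-in for "encfs -S": read one line from fd, without the newline,
 * and treat it as the password. Returns its length, or -1 on read error. */
static int encfs_read_password(int fd, char *out, size_t outlen)
{
    size_t i = 0;
    char c;
    while (i + 1 < outlen) {
        ssize_t n = read(fd, &c, 1);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        if (n == 0 || c == '\n')
            break;
        out[i++] = c;
    }
    out[i] = '\0';
    return (int)i;
}

/* Run one round trip through a pipe and report what the stand-in encfs
 * would use as the password. use_buggy selects the writer. Returns the
 * password length, or -1 on failure. */
int resulting_password(int use_buggy, const char *password,
                       char *out, size_t outlen)
{
    int fd[2];
    if (pipe(fd) < 0)
        return -1;
    if (use_buggy) {
        feed_buggy(fd[1], password);
    } else if (feed_fixed(fd[1], password) < 0) {
        close(fd[0]);
        close(fd[1]);
        return -1;
    }
    close(fd[1]);               /* EOF for the reader */
    int len = encfs_read_password(fd[0], out, outlen);
    close(fd[0]);
    return len;
}

int main(void)
{
    /* Constructed sample password; any value gives the same result. */
    const char *typed = "correct horse battery staple";
    char got[256];
    resulting_password(1, typed, got, sizeof got);
    printf("Cryptkeeper-style writer -> encfs password: \"%s\"\n", got);
    resulting_password(0, typed, got, sizeof got);
    printf("fixed writer            -> encfs password: \"%s\"\n", got);
    return 0;
}
```

Because encfs's `-S` switch takes the password from stdin, the same mechanism gives an affected user a quick check on volumes Cryptkeeper already created: feed the single letter to encfs on stdin, `printf 'p\n' | encfs -S <encrypted dir> <mount point>`, and if the volume mounts, its password is "p" and should be changed (encfs ships `encfsctl passwd` for that) before anything sensitive is trusted to it.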

Debian developer Simon McVittie has recommended the app be punted out of the Linux distro entirely.

"It looks as though cryptkeeper makes assumptions about encfs' command-line interface that are no longer valid," McVittie says in a bug report thread.

Cryptkeeper ... Type "p" for pwned.

"I also notice that cryptkeeper does not check what write() and close() return during its interactions with encfs, which seems very likely to lead to undesired results.

"I have recommended that the release team remove this package from stretch: it currently gives a false sense of security that is worse than not encrypting at all." ®

