Security

You're taking the p... Linux encryption app Cryptkeeper has universal password: 'p'

Give 'p's a chance... no?

By Darren Pauli

44 SHARE

Linux encryption app Cryptkeeper has a bug that causes it to use a single-letter universal decryption password: "p".

The flawed version is in Debian 9 (Stretch), currently in testing, but not in Debian 8 (Jessie). The bug appears to be a result of a bad interaction with the encfs encrypted filesystem's command line interface: Cryptkeeper invokes encfs and attempts to enter paranoia mode with a simulated 'p' keypress – instead, it sets passwords for folders to just that letter.

Cryptkeeper's developer appears to have abandoned the project. Luckily, it's not used by that many people – although it makes the bug no less tragically hilarious. It essentially executes this code to pass parameters to encfs:

write (fd[1], "p\n", 2);
write (fd[1], password, strlen (password));
write (fd[1], "\n", 1);

However, encfs is executed with the -S switch which means it's supposed to read the password from stdin without a prompt. Previously, encfs was bugged and didn't quite do this. A bugfix corrected its operation to match its documentation – which made it incompatible with Cryptkeeper's assumptions.

So that's why Cryptkeeper sets all its directory passwords to "p": encfs was updated and that broke Cryptkeeper's interface.

Debian developer Simon McVittie has recommended the app be punted out of the Linux distro entirely.

"It looks as though cryptkeeper makes assumptions about encfs' command-line interface that are no longer valid," McVittie says in a bug report thread.

Cryptkeeper ... Type "p" for pwned.

"I also notice that cryptkeeper does not check what write() and close() return during its interactions with encfs, which seems very likely to lead to undesired results.

"I have recommended that the release team remove this package from stretch: it currently gives a false sense of security that is worse than not encrypting at all." ®

Sign up to our NewsletterGet IT in your inbox daily

44 Comments

Keep Reading

As miscreants prey on thousands of vulnerable boxes, Citrix finally emits patches to fill in hijacking holes in Gateway and ADC

SD-WAN WANOP will have to wait a few days, though

How to break out of a hypervisor: Abuse Qemu-KVM on-Linux pre-5.3 – or VMware with an AMD driver

Pair of bug reports show how VM escapes put servers at risk

New year, new critical Cisco patches to install – this time for a dirty dozen of bugs that can be exploited to sidestep auth, inject commands, etc

Data Center Network Manager bugapalooza with three must-fix flaws

Hot patches for ColdFusion: Adobe drops trio of fixes for three serious flaws

While you're at it, fix Java too

Remember the Clipper chip? NSA's botched backdoor-for-Feds from 1993 still influences today's encryption debates

Enigma We'll laugh at today's mandated holes in the same way we laugh at those from 25 years ago

Not only is Zoom's strong end-to-end encryption not actually end-to-end, its encryption isn't even that strong

Updated Video calls also routed through China, probe discovers

Interpol: Strong encryption helps online predators. Build backdoors

Multinational cop agency reportedly set to issue statement

Euro ISP club: Sure, weaken encryption. It'll only undermine security for everyone, morons

UK, Oz and US pleas to Facebook given short shrift

The Joy of Six... critical security patches: Cisco small biz switches open to hijacking via web UI

Plus UCS and other gear need updates

'Unfixable' boot ROM security flaw in millions of Intel chips could spell 'utter chaos' for DRM, file encryption, etc

Although exploitation is like shooting a lone fish in a tiny barrel 1,000 miles away

Tech Resources

10 Critical Issues to Cover in Your Vendor Security Questionnaires

In today’s perilous cyber world, it’s crucial for companies to assess and monitor the security of their vendors, suppliers and business partners. Failing to do so can be risky, because hackers frequently steal sensitive enterprise data by targeting the third parties to which enterprises are connected.

2020 CrowdStrike Global Threat Report

The 2020 Global Threat Report is one of the industry's most highly anticipated reports on today's most significant cyber threats and adversaries.

A Definitive Guide to Understanding and Meeting the CIS Critical Security Controls

The CIS Critical Security Controls are the industry standard for good security. Are you up to par?

Leading Your Team to DevOps Maturity

Rob Zuber, CircleCI CTO, brings an inspiring and practical guide to moving your team further up the DevOps maturity ladder, regardless of where you are now.