You're taking the p... Linux encryption app Cryptkeeper has universal password: 'p'

Give 'p's a chance... no?

By Darren Pauli

Linux encryption app Cryptkeeper has a bug that causes it to use a single-letter universal decryption password: "p".

The flawed version is in Debian 9 (Stretch), currently in testing, but not in Debian 8 (Jessie). The bug appears to be a result of a bad interaction with the encfs encrypted filesystem's command line interface: Cryptkeeper invokes encfs and attempts to enter paranoia mode with a simulated 'p' keypress – instead, it sets passwords for folders to just that letter.

Cryptkeeper's developer appears to have abandoned the project. Luckily, it's not used by that many people – although it makes the bug no less tragically hilarious. It essentially executes this code to pass parameters to encfs:

write (fd[1], "p\n", 2);
write (fd[1], password, strlen (password));
write (fd[1], "\n", 1);

However, encfs is executed with the -S switch which means it's supposed to read the password from stdin without a prompt. Previously, encfs was bugged and didn't quite do this. A bugfix corrected its operation to match its documentation – which made it incompatible with Cryptkeeper's assumptions.

So that's why Cryptkeeper sets all its directory passwords to "p": encfs was updated and that broke Cryptkeeper's interface.
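To make the broken interaction concrete, here is an added C example; it is not Cryptkeeper's or encfs' code. It models the two stdin conventions the article describes as small functions over a byte buffer: the older behaviour Cryptkeeper assumed (a mode-selection line, then the password) and the fixed `-S` behaviour (the first line is the password, no prompt). It feeds both the exact `"p\n<password>\n"` stream Cryptkeeper writes, and finishes with a corrected sender that drops the mode line and checks every `write()` result, the omission McVittie points out. The function names and the buffer model of encfs' prompt handling are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>

/* Added example, not Cryptkeeper's or encfs' code. The two "encfs_*"
 * functions are a model (assumption) of how encfs consumed stdin before
 * and after the bugfix the article describes. */

#define MAXPW 128

/* Copy the first newline-terminated line of `in` into `out`. Returns the
 * number of bytes consumed (including the newline), or 0 if no complete
 * line is present. */
static size_t take_line(const char *in, char *out, size_t outsz) {
    const char *nl = strchr(in, '\n');
    if (!nl) return 0;
    size_t len = (size_t)(nl - in);
    if (len >= outsz) len = outsz - 1;
    memcpy(out, in, len);
    out[len] = '\0';
    return (size_t)(nl - in) + 1;
}

/* Model of the old encfs behaviour Cryptkeeper relied on: one line picks
 * the configuration mode ("p" = paranoia), the next line is the password. */
int encfs_old_style(const char *stdin_bytes, char *password, size_t pwsz) {
    char mode[8];
    size_t used = take_line(stdin_bytes, mode, sizeof mode);
    if (used == 0) return -1;
    if (take_line(stdin_bytes + used, password, pwsz) == 0) return -1;
    return 0;
}

/* Model of encfs -S after the fix: the password is read from stdin with no
 * prompt and no mode line, as documented. */
int encfs_stdin_password(const char *stdin_bytes, char *password, size_t pwsz) {
    return take_line(stdin_bytes, password, pwsz) == 0 ? -1 : 0;
}

/* The byte stream Cryptkeeper emits: "p\n", the password, "\n".
 * Returns the number of bytes produced, or 0 if the buffer is too small. */
size_t cryptkeeper_stream(const char *user_password, char *buf, size_t bufsz) {
    int n = snprintf(buf, bufsz, "p\n%s\n", user_password);
    return (n < 0 || (size_t)n >= bufsz) ? 0 : (size_t)n;
}

/* Corrected sender for the -S interface: send only the password line, and
 * treat a failed or short write() as an error instead of ignoring it.
 * Returns 0 on success, -1 on failure. */
int send_password_checked(int fd, const char *user_password) {
    const char *parts[] = { user_password, "\n" };
    for (size_t i = 0; i < 2; i++) {
        const char *p = parts[i];
        size_t left = strlen(p);
        while (left > 0) {
            ssize_t w = write(fd, p, left);
            if (w < 0) {
                if (errno == EINTR) continue;   /* interrupted: retry */
                return -1;                      /* real failure: report it */
            }
            p += w;
            left -= (size_t)w;
        }
    }
    return 0;
}

int main(void) {
    char buf[256], pw[MAXPW];
    cryptkeeper_stream("correct horse", buf, sizeof buf);
    encfs_old_style(buf, pw, sizeof pw);
    printf("old encfs model sees password: \"%s\"\n", pw);
    encfs_stdin_password(buf, pw, sizeof pw);
    printf("encfs -S model sees password:  \"%s\"\n", pw);
    return 0;
}
```

Run as-is, the same stream yields the user's password under the old model and the single letter `p` under the `-S` model, which is exactly the mismatch the article describes. The checked sender also returns `-1` when the descriptor is invalid or the child has closed its end, so a caller can refuse to report the folder as encrypted rather than silently continuing.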

Debian developer Simon McVittie has recommended the app be punted out of the Linux distro entirely.

"It looks as though cryptkeeper makes assumptions about encfs' command-line interface that are no longer valid," McVittie says in a bug report thread.

Cryptkeeper ... Type "p" for pwned.

"I also notice that cryptkeeper does not check what write() and close() return during its interactions with encfs, which seems very likely to lead to undesired results.

"I have recommended that the release team remove this package from stretch: it currently gives a false sense of security that is worse than not encrypting at all." ®
