Read this story on The Register

You're taking the p... Linux encryption app Cryptkeeper has universal password: 'p'

Give 'p's a chance... no?

By Darren Pauli

Posted in Security, 31st January 2017 03:35 GMT

Linux encryption app Cryptkeeper has a bug that causes it to use a single-letter universal decryption password: "p".

The flawed version is in Debian 9 (Stretch), currently in testing, but not in Debian 8 (Jessie). The bug appears to be a result of a bad interaction with the encfs encrypted filesystem's command line interface: Cryptkeeper invokes encfs and attempts to enter paranoia mode with a simulated 'p' keypress – instead, it sets passwords for folders to just that letter.

Cryptkeeper's developer appears to have abandoned the project. Luckily, it's not used by that many people – although it makes the bug no less tragically hilarious. It essentially executes this code to pass parameters to encfs:

write (fd[1], "p\n", 2);
write (fd[1], password, strlen (password));
write (fd[1], "\n", 1);

However, encfs is executed with the -S switch which means it's supposed to read the password from stdin without a prompt. Previously, encfs was bugged and didn't quite do this. A bugfix corrected its operation to match its documentation – which made it incompatible with Cryptkeeper's assumptions.

So that's why Cryptkeeper sets all its directory passwords to "p": encfs was updated and that broke Cryptkeeper's interface.

Debian developer Simon McVittie has recommended the app be punted out of the Linux distro entirely.

"It looks as though cryptkeeper makes assumptions about encfs' command-line interface that are no longer valid," McVittie says in a bug report thread.

Cryptkeeper ... Type "p" for pwned.

"I also notice that cryptkeeper does not check what write() and close() return during its interactions with encfs, which seems very likely to lead to undesired results.

"I have recommended that the release team remove this package from stretch: it currently gives a false sense of security that is worse than not encrypting at all." ®

Sign up to our NewsletterGet IT in your inbox daily

44 Comments

More from The Register

SAP pushes 25 patches and two patch patches

HANA User Self Service isn't meant to give crims self-service, but it can. And you can plug it

Oracle corrals and patches Struts 2 vulnerabilities

Big Red issues out-of-band patch for Apache and a few other urgent issues

KVM plans big boosts to storage and nested virtualization

Project maintainer Paolo Bonzini details open source hypervisor's future directions

Siemens patches one security vuln, leaves folks to block second

LOGO owners on alert

Ansible patches 'own the farm' vulnerability

Just the Facts, sysadmins

Homebrew crypto SNAFU on electrical grid sees GE rush patches

Updated Boffins turned up hard-coded password in ancient controllers

Secure microkernel in a KVM switch offers spy-grade app virtualization

CSIRO and Data61 have a way to get a few air-gapped apps on one screen

Google's PHP API client has XSS vulnerability

Patch promised

WhatsApp blind-sided by booby-trapped photo vulnerability

Same issue in Telegram, says researcher

Google Cloud kicked QEMU to the kerb to harden KVM

Alphabet subsidiary decided hardware emulator that's plagued Xen had to go