You're taking the p... Linux encryption app Cryptkeeper has universal password: 'p'

Give 'p's a chance... no?

By Darren Pauli

Posted in Security, 31st January 2017 03:35 GMT

Linux encryption app Cryptkeeper has a bug that causes it to use a single-letter universal decryption password: "p".

The flawed version is in Debian 9 (Stretch), currently in testing, but not in Debian 8 (Jessie). The bug appears to be a result of a bad interaction with the encfs encrypted filesystem's command line interface: Cryptkeeper invokes encfs and attempts to enter paranoia mode with a simulated 'p' keypress – instead, it sets passwords for folders to just that letter.

Cryptkeeper's developer appears to have abandoned the project. Luckily, it's not used by that many people – although it makes the bug no less tragically hilarious. It essentially executes this code to pass parameters to encfs:

write (fd[1], "p\n", 2);
write (fd[1], password, strlen (password));
write (fd[1], "\n", 1);

However, encfs is executed with the -S switch which means it's supposed to read the password from stdin without a prompt. Previously, encfs was bugged and didn't quite do this. A bugfix corrected its operation to match its documentation – which made it incompatible with Cryptkeeper's assumptions.

So that's why Cryptkeeper sets all its directory passwords to "p": encfs was updated and that broke Cryptkeeper's interface.

Debian developer Simon McVittie has recommended the app be punted out of the Linux distro entirely.

"It looks as though cryptkeeper makes assumptions about encfs' command-line interface that are no longer valid," McVittie says in a bug report thread.

Cryptkeeper ... Type "p" for pwned.

"I also notice that cryptkeeper does not check what write() and close() return during its interactions with encfs, which seems very likely to lead to undesired results.

"I have recommended that the release team remove this package from stretch: it currently gives a false sense of security that is worse than not encrypting at all." ®

Sign up to our NewsletterGet IT in your inbox daily

44 Comments

More from The Register

SAP pushes 25 patches and two patch patches

HANA User Self Service isn't meant to give crims self-service, but it can. And you can plug it

OpenFlow protocol has a switch authentication vulnerability

It's old, it's everywhere and it's not likely to be fixed in a hurry

KVM? Us? Amazon erases new hypervisor from AWS EC2 FAQ

We've fro-Xen page to preserve evidence of NVMe servers and Xen's stay of execution

Microsoft patches patch for Meltdown bug patch: Windows 7, Server 2008 rushed an emergency fix

If at first you don't succeed, you're Redmond

Wah, encryption makes policing hard, cries UK's National Crime Agency

Ever since Snowden it's been the default – report

Cisco to release patches for Meltdown, Spectre CPU vulns, just in case

Switchzilla is investigating a whole bunch of products

Now Meltdown patches are making industrial control systems lurch

Automation and SCADA-flingers admit fix has affected products

Ansible patches 'own the farm' vulnerability

Just the Facts, sysadmins

Oracle corrals and patches Struts 2 vulnerabilities

Big Red issues out-of-band patch for Apache and a few other urgent issues

KVM plans big boosts to storage and nested virtualization

Project maintainer Paolo Bonzini details open source hypervisor's future directions