information leak in vga console scrollback buffer

information leak in vga console scrollback buffer

[Egmont Koblinger]

Hi,

Using the standard vga console, it is easily possible to read some random
pieces of texts that were scrolled out a long time ago (often you can see
your boot messages or similar stuff even after switcing to another
console or even to X. All you need is a local user access to the console.

2.4 and 2.6 series are both affected, maybe older ones too.

What to do to face the bug in 10 seconds:
- switch to a vga text console
- start "less somebigtextfile" where somebigtextfile means longer than a
  screenful. /etc/services might be a good choice.
- press Down arrow one or more times
- switch to another console or X, optionally do whatever you want to do
- switch back to "less"
- (Shift+PageUp now doesn't do anything as it is supposed to)
- press the Up arrow
- press Shift+PageUp. Voila! A long buffer of texts that you forgot a long
  time ago... And, interesting, when scrolling backwards the columns are
  shifted with a certain amount, but when scrolling back to the bottom of
  the page with Shift+PageDown the columns are ok.

It seems to me that the bug is triggered when an application tries to
scroll the content of the terminal downwards (i.e. the unusual direction),
and looking at the source, I guess something is wrong around the handling
of the variable "vga_rolled_over" and its fellows in
drivers/video/console/vgacon.c. But I don't yet fully understand the code,
I only have a rough feeling how it works, so unfortunately I'm far from
creating a fix.

I haven't tested it with framebuffer but I guess that one is unaffected.

I guess this is a serious privacy hole since I've seen dozens of people
hitting Alt+F1 Alt+F2 or something similar before they leave the machine
just to make sure that the scrollback buffers are emptied. But due to this
bug it might be possible for others to read some of their scrolled out
data, mail etc...



bye,

Egmont

Re: information leak in vga console scrollback buffer

[Chris Wedgwood]

On Sat, Jun 12, 2004 at 10:01:43PM +0200, Egmont Koblinger wrote:

> Using the standard vga console, it is easily possible to read some
> random pieces of texts that were scrolled out a long time ago (often
> you can see your boot messages or similar stuff even after switcing
> to another console or even to X. All you need is a local user access
> to the console.

Feature not bug.



  --cw

Re: information leak in vga console scrollback buffer

[Koblinger Egmont]

On Sat, 12 Jun 2004, Chris Wedgwood wrote:

> > Using the standard vga console, it is easily possible to read some
> > random pieces of texts that were scrolled out a long time ago (often
>
> Feature not bug.

Rationale? (At least an rtfm-like pointer to that?)

Or are you just kidding? :-)


-- 
Egmont

Re: information leak in vga console scrollback buffer

[Chris Wedgwood]

On Sat, Jun 12, 2004 at 10:54:43PM +0200, Koblinger Egmont wrote:

> Rationale? (At least an rtfm-like pointer to that?)

Maybe I didn't full understand you.  Generally I find it desirable to
be able to read things that scrolled off the screen a long time ago.
It's very useful for unattended machines if I need to 'look' back.

I take it you're talking about something beyond that?


   --cw

Re: information leak in vga console scrollback buffer

[Koblinger Egmont]

On Sat, 12 Jun 2004, Chris Wedgwood wrote:

> > Rationale? (At least an rtfm-like pointer to that?)
>
> Maybe I didn't full understand you.  Generally I find it desirable to
> be able to read things that scrolled off the screen a long time ago.
> It's very useful for unattended machines if I need to 'look' back.

Generally console's scrollback buffer disappears as soon as you switch to
another console.

It'd be a really nice idea if all the consoles had a configurable amount
of scrollback buffer which is always remembered. IMHO with todays machines
having a scrollback buffer of 1000 lines for 6 or a little bit more
consoles (at most 63 IIRC) is affordable as well as the processor time
needed to copy the data from/to vga/normal memory on each console switch
and at every Nth Shift+PageUp (no matter what N is). But this is a whole
different story.

What I'm talking about is: normally after people switch away from a
console they assume that the scrollback buffer is no longer available
since this is the behavior they experience normally. E.g. Z does a 'cat
my-long-private-file' and then logs out. Then even if getty clears the
screen, one can press Shift+PageUp to go back and read parts of this file.
Z is about to leave the computer but don't want others to be able to
scroll back with Shift+PageUp. So switches console (Alt+Fx) and the
scrollback buffer is gone. He is happy. But shouldn't be.

With the trick I described it is possible to bring back some random parts
of previous texts, often some garbage with stupid flashing characters, but
maybe parts of Z's my-long-private-file. The behavior seems to be random
to me, uncontrollable by the user (I see no way to force private data to
be cleared from the vga buffer) and clearly not intentional.

Please try what I wrote, I'm sure that you misunderstood me (I'm trying to
write as clear as I can but I'm not native English speaker and not even
good in English, so it might be that my bugreport is a little bit hard to
understand). I'm sure not talking about a feature, nor am I a Linux newbie
who has just seen Shift+PageUp a few days ago for the first time (even
though I'm very far from being a kernel hacker ;-))



-- 
Egmont

Re: information leak in vga console scrollback buffer

[Kalin KOZHUHAROV]

Koblinger Egmont wrote:
> On Sat, 12 Jun 2004, Chris Wedgwood wrote:
> 
> 
>>>Rationale? (At least an rtfm-like pointer to that?)
>>
>>Maybe I didn't full understand you.  Generally I find it desirable to
>>be able to read things that scrolled off the screen a long time ago.
>>It's very useful for unattended machines if I need to 'look' back.
> 
> 
> Generally console's scrollback buffer disappears as soon as you switch to
> another console.
> 
> It'd be a really nice idea if all the consoles had a configurable amount
> of scrollback buffer which is always remembered. IMHO with todays machines
> having a scrollback buffer of 1000 lines for 6 or a little bit more
> consoles (at most 63 IIRC) is affordable as well as the processor time
> needed to copy the data from/to vga/normal memory on each console switch
> and at every Nth Shift+PageUp (no matter what N is). But this is a whole
> different story.
> 
> What I'm talking about is: normally after people switch away from a
> console they assume that the scrollback buffer is no longer available
> since this is the behavior they experience normally. E.g. Z does a 'cat
> my-long-private-file' and then logs out. Then even if getty clears the
> screen, one can press Shift+PageUp to go back and read parts of this file.
> Z is about to leave the computer but don't want others to be able to
> scroll back with Shift+PageUp. So switches console (Alt+Fx) and the
> scrollback buffer is gone. He is happy. But shouldn't be.
> 
> With the trick I described it is possible to bring back some random parts
> of previous texts, often some garbage with stupid flashing characters, but
> maybe parts of Z's my-long-private-file. The behavior seems to be random
> to me, uncontrollable by the user (I see no way to force private data to
> be cleared from the vga buffer) and clearly not intentional.
> 
> Please try what I wrote, I'm sure that you misunderstood me (I'm trying to
> write as clear as I can but I'm not native English speaker and not even
> good in English, so it might be that my bugreport is a little bit hard to
> understand). I'm sure not talking about a feature, nor am I a Linux newbie
> who has just seen Shift+PageUp a few days ago for the first time (even
> though I'm very far from being a kernel hacker ;-))
> 
OK, I think I got what you are trying to point out.
To reproduce:
1. login to a (vga) console.
2. less /etc/services; press space t oscroll a few screens
3. logout
4. login again on the same console (possibly as a different user)
5. less /etc/resolv.conf
6. press UpArrow, then Shift+PgUp

What is expected:
screen should not scroll past your file.

What happens:
You can view the previous text (from /etc/services)!!!

So the point is that this buffer is persistend across logout/login, which is a security bug.
And I guess LKML is not the place for it, logout should clear the buffer IMHO.

BTW, using agetty here.

Kalin.

-- 
||///_ o  *****************************
||//'_/>     WWW: http://ThinRope.net/
|||\/<" 
|||\\ ' 
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Re: information leak in vga console scrollback buffer

[David Lang]

no, that isn't what he's talking about.

the console scrollback has never had any concept of login/logout so what 
you did is per spec and is a feature

if you switch to a different console between steps 3 and 4 and then switch 
back you will see what Koblinger is talking about.

David Lang


On Sun, 13 Jun 2004, Kalin KOZHUHAROV wrote:

> Date: Sun, 13 Jun 2004 11:48:52 +0900
> From: Kalin KOZHUHAROV <kalin@ThinRope.net>
> To: Koblinger Egmont <egmont@uhulinux.hu>
> Cc: LKML <linux-kernel@vger.kernel.org>
> Subject: Re: information leak in vga console scrollback buffer
> 
> Koblinger Egmont wrote:
>> On Sat, 12 Jun 2004, Chris Wedgwood wrote:
>> 
>> 
>>>> Rationale? (At least an rtfm-like pointer to that?)
>>> 
>>> Maybe I didn't full understand you.  Generally I find it desirable to
>>> be able to read things that scrolled off the screen a long time ago.
>>> It's very useful for unattended machines if I need to 'look' back.
>> 
>> 
>> Generally console's scrollback buffer disappears as soon as you switch to
>> another console.
>> 
>> It'd be a really nice idea if all the consoles had a configurable amount
>> of scrollback buffer which is always remembered. IMHO with todays machines
>> having a scrollback buffer of 1000 lines for 6 or a little bit more
>> consoles (at most 63 IIRC) is affordable as well as the processor time
>> needed to copy the data from/to vga/normal memory on each console switch
>> and at every Nth Shift+PageUp (no matter what N is). But this is a whole
>> different story.
>> 
>> What I'm talking about is: normally after people switch away from a
>> console they assume that the scrollback buffer is no longer available
>> since this is the behavior they experience normally. E.g. Z does a 'cat
>> my-long-private-file' and then logs out. Then even if getty clears the
>> screen, one can press Shift+PageUp to go back and read parts of this file.
>> Z is about to leave the computer but don't want others to be able to
>> scroll back with Shift+PageUp. So switches console (Alt+Fx) and the
>> scrollback buffer is gone. He is happy. But shouldn't be.
>> 
>> With the trick I described it is possible to bring back some random parts
>> of previous texts, often some garbage with stupid flashing characters, but
>> maybe parts of Z's my-long-private-file. The behavior seems to be random
>> to me, uncontrollable by the user (I see no way to force private data to
>> be cleared from the vga buffer) and clearly not intentional.
>> 
>> Please try what I wrote, I'm sure that you misunderstood me (I'm trying to
>> write as clear as I can but I'm not native English speaker and not even
>> good in English, so it might be that my bugreport is a little bit hard to
>> understand). I'm sure not talking about a feature, nor am I a Linux newbie
>> who has just seen Shift+PageUp a few days ago for the first time (even
>> though I'm very far from being a kernel hacker ;-))
>> 
> OK, I think I got what you are trying to point out.
> To reproduce:
> 1. login to a (vga) console.
> 2. less /etc/services; press space t oscroll a few screens
> 3. logout
> 4. login again on the same console (possibly as a different user)
> 5. less /etc/resolv.conf
> 6. press UpArrow, then Shift+PgUp
>
> What is expected:
> screen should not scroll past your file.
>
> What happens:
> You can view the previous text (from /etc/services)!!!
>
> So the point is that this buffer is persistend across logout/login, which is 
> a security bug.
> And I guess LKML is not the place for it, logout should clear the buffer 
> IMHO.
>
> BTW, using agetty here.
>
> Kalin.
>
> -- 
> ||///_ o  *****************************
> ||//'_/>     WWW: http://ThinRope.net/
> |||\/<" |||\\ ' ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
>

-- 
"Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are,
by definition, not smart enough to debug it." - Brian W. Kernighan

Re: information leak in vga console scrollback buffer

[Kalin KOZHUHAROV]

Kalin KOZHUHAROV wrote:
> Koblinger Egmont wrote:
> 
>> On Sat, 12 Jun 2004, Chris Wedgwood wrote:
>>
>>
>>>> Rationale? (At least an rtfm-like pointer to that?)
>>>
>>>
>>> Maybe I didn't full understand you.  Generally I find it desirable to
>>> be able to read things that scrolled off the screen a long time ago.
>>> It's very useful for unattended machines if I need to 'look' back.
>>
>>
>>
>> Generally console's scrollback buffer disappears as soon as you switch to
>> another console.
>>
>> It'd be a really nice idea if all the consoles had a configurable amount
>> of scrollback buffer which is always remembered. IMHO with todays 
>> machines
>> having a scrollback buffer of 1000 lines for 6 or a little bit more
>> consoles (at most 63 IIRC) is affordable as well as the processor time
>> needed to copy the data from/to vga/normal memory on each console switch
>> and at every Nth Shift+PageUp (no matter what N is). But this is a whole
>> different story.
>>
>> What I'm talking about is: normally after people switch away from a
>> console they assume that the scrollback buffer is no longer available
>> since this is the behavior they experience normally. E.g. Z does a 'cat
>> my-long-private-file' and then logs out. Then even if getty clears the
>> screen, one can press Shift+PageUp to go back and read parts of this 
>> file.
>> Z is about to leave the computer but don't want others to be able to
>> scroll back with Shift+PageUp. So switches console (Alt+Fx) and the
>> scrollback buffer is gone. He is happy. But shouldn't be.
>>
>> With the trick I described it is possible to bring back some random parts
>> of previous texts, often some garbage with stupid flashing characters, 
>> but
>> maybe parts of Z's my-long-private-file. The behavior seems to be random
>> to me, uncontrollable by the user (I see no way to force private data to
>> be cleared from the vga buffer) and clearly not intentional.
>>
>> Please try what I wrote, I'm sure that you misunderstood me (I'm 
>> trying to
>> write as clear as I can but I'm not native English speaker and not even
>> good in English, so it might be that my bugreport is a little bit hard to
>> understand). I'm sure not talking about a feature, nor am I a Linux 
>> newbie
>> who has just seen Shift+PageUp a few days ago for the first time (even
>> though I'm very far from being a kernel hacker ;-))
>>
> OK, I think I got what you are trying to point out.
> To reproduce:
> 1. login to a (vga) console.
> 2. less /etc/services; press space t oscroll a few screens
> 3. logout
> 4. login again on the same console (possibly as a different user)
> 5. less /etc/resolv.conf
> 6. press UpArrow, then Shift+PgUp
> 
> What is expected:
> screen should not scroll past your file.
> 
> What happens:
> You can view the previous text (from /etc/services)!!!
> 
> So the point is that this buffer is persistend across logout/login, 
> which is a security bug.
> And I guess LKML is not the place for it, logout should clear the buffer 
> IMHO.
> 
> BTW, using agetty here.
> 
> Kalin.
> 
Ok, I changed agetty to mingetty (I was long waiting to do that).
However this didn't change things.
Now, playing with switching VT, however, the buffer was cleared!

So, I guess this is agetty problem then...

Also for point 2 you can do with:
2. cat /etc/services

When I logout a given box from the console, I repetedly do Alt+Left to check if there are some VT left logged in and thus I clear all the buffers as a side effect (now with mingetty).

Kalin.

-- 
||///_ o  *****************************
||//'_/>     WWW: http://ThinRope.net/
|||\/<" 
|||\\ ' 
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Re: information leak in vga console scrollback buffer

[Koblinger Egmont]

On Sun, 13 Jun 2004, Kalin KOZHUHAROV wrote:

> OK, I think I got what you are trying to point out.
> To reproduce:
> 1. login to a (vga) console.
> 2. less /etc/services; press space t oscroll a few screens
> 3. logout
> 4. login again on the same console (possibly as a different user)
> 5. less /etc/resolv.conf
> 6. press UpArrow, then Shift+PgUp
>
> What is expected:
> screen should not scroll past your file.
>
> What happens:
> You can view the previous text (from /etc/services)!!!

Here you didn't clear the scrollback buffer. Maybe you (or getty) executed
a clear or a terminal reset but that only affects the visible part and not
the scrollback buffer. There's absolutely no problem so far since everyone
knows that the scrollback buffer only disappears when you switch to a
different console.

My problem is that with a really-not-trivial-command-and-key-combination
you can possibly see /etc/services (in your example) even _after_ you've
switched to a different console and you are certain that the scrollback
buffer is no longer available.

And then what if it's not /etc/services but some private data of yours?
Maybe other users can later access it. There's no way you can protect
yourself against it. And you live in a false belief that your private data
is scrolled out forever.

Please forget your own test case. Repeat _exactly_ those steps _I_
described in my original post. Then you'll understand what I'm talking
about.

You sure won't understand my problem if you believe that I'm wrong and
want to convience me with your own interpretation of my words and your own
(completely different) test case. Please stick to exactly what I reported.



-- 
Egmont

Re: information leak in vga console scrollback buffer

[Kalin KOZHUHAROV]

Koblinger Egmont wrote:
> On Sun, 13 Jun 2004, Kalin KOZHUHAROV wrote:
> 
> 
>> OK, I think I got what you are trying to point out. To reproduce: 
>> 1. login to a (vga) console.
>> 2. less /etc/services; press space to scroll a few screens
>> 3. logout
>> 4. login again on the same console (possibly as a different user)
>> 5. less /etc/resolv.conf
>> 6. press Up, then Shift+PgUp
>> 
>> What is expected: screen should not scroll past your file.
>> 
>> What happens: You can view the previous text (from
>> /etc/services)!!!
> 
> 
> Here you didn't clear the scrollback buffer. Maybe you (or getty)
> executed a clear or a terminal reset but that only affects the
> visible part and not the scrollback buffer. There's absolutely no
> problem so far since everyone knows that the scrollback buffer only
> disappears when you switch to a different console.

Well, I didn't know obviously, now I know.

> My problem is that with a
> really-not-trivial-command-and-key-combination you can possibly see
> /etc/services (in your example) even _after_ you've switched to a
> different console and you are certain that the scrollback buffer is
> no longer available.
> 
> And then what if it's not /etc/services but some private data of
> yours? Maybe other users can later access it. There's no way you can
> protect yourself against it. And you live in a false belief that your
> private data is scrolled out forever.
> 
> Please forget your own test case. Repeat _exactly_ those steps _I_ 
> described in my original post. Then you'll understand what I'm
> talking about.
I tried at first...

Now I did it again:
1. Login on VT2
2. less /etc/services
3. switch to X (VT8 here) and do something
4. switch back to VT2
5. press Shift+PgUp
6. press Up, then press several times Shift+PgUp

What is expected:
screen should not scroll past the beginnign of /etc/services.

What happens:
I saw a bunch of garbage plus pieces of text (/etc/shadow form previous tests and so on), this is a security flaw, NOT feature.

> You sure won't understand my problem if you believe that I'm wrong
> and want to convience me with your own interpretation of my words and
> your own (completely different) test case. Please stick to exactly
> what I reported.
No, I thought you were right, I was just trying to produce a simple testcase :-(

What I was trying ot prove with my testcase is that
a) if you are using mingetty
AND
b) you switch VT after logout (pressing Alt+Right a few times)
the above mentioned scroll-back flow is not observed.

Ok, after tons of new tries, I reproduced it...

I was thinking that every VT has its own scrollback buffer and you are supposed to see what has been on a given VT.
Now I see that you can see things that have been printed on _other_ VTs :-)

I confirm the bug.

There is no connection with {a,min}getty it seems.


Kalin.

-- 
||///_ o  *****************************
||//'_/>     WWW: http://ThinRope.net/
|||\/<" 
|||\\ ' 
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Re: information leak in vga console scrollback buffer

[Koblinger Egmont]

On Sun, 13 Jun 2004, Kalin KOZHUHAROV wrote:

> What happens:
> I saw a bunch of garbage plus pieces of text (/etc/shadow form previous
> tests and so on), this is a security flaw, NOT feature.

Well, this is what I was talking about :-)))

There's only one question left: who's willing and able to fix it?


-- 
Egmont

Re: information leak in vga console scrollback buffer

[Pavel Machek]

Hi!

> > Using the standard vga console, it is easily possible to read some
> > random pieces of texts that were scrolled out a long time ago (often
> > you can see your boot messages or similar stuff even after switcing
> > to another console or even to X. All you need is a local user access
> > to the console.
> 
> Feature not bug.

Read it again. Scrollback should be cleared by console switch,
but it can be recovered using obscure escape sequence.

Time for bugtraq?

-- 
64 bytes from 195.113.31.123: icmp_seq=28 ttl=51 time=448769.1 ms         

Re: information leak in vga console scrollback buffer

[Chris Wedgwood]

On Tue, Jun 22, 2004 at 05:32:32PM +0200, Pavel Machek wrote:

> Time for bugtraq?

Only if you want sensationalized crap, might as well ell suckdork as
well then and let the drooling sycophants rant on with general lack of
clue.

Or we could fix the problem, a patch was proposed someone who knows
this code should eyyeball that.


  --cw

Re: information leak in vga console scrollback buffer

[Pavel Machek]

Hi!

> > Time for bugtraq?
> 
> Only if you want sensationalized crap, might as well ell suckdork as
> well then and let the drooling sycophants rant on with general lack of
> clue.
> 
> Or we could fix the problem, a patch was proposed someone who knows
> this code should eyyeball that.

I was not aware that such patch exists. Anyway bugtraq posting is easy
way to get it tested, and fixed in 2.2 too.
								Pavel


-- 
People were complaining that M$ turns users into beta-testers...
...jr ghea gurz vagb qrirybcref, naq gurl frrz gb yvxr vg gung jnl!