From: Kalin KOZHUHAROV <kalin@ThinRope.net>
To: Koblinger Egmont <egmont@uhulinux.hu>
Cc: LKML <linux-kernel@vger.kernel.org>
Subject: Re: information leak in vga console scrollback buffer
Date: Sun, 13 Jun 2004 19:52:22 +0900
Message-ID: <40CC31E6.8080201@ThinRope.net>
In-Reply-To: <Pine.LNX.4.58L0.0406131023260.18435@sziami.cs.bme.hu>

Koblinger Egmont wrote:
> On Sun, 13 Jun 2004, Kalin KOZHUHAROV wrote:
> 
>> OK, I think I got what you are trying to point out. To reproduce: 
>> 1. login to a (vga) console.
>> 2. less /etc/services; press space to scroll a few screens
>> 3. logout
>> 4. login again on the same console (possibly as a different user)
>> 5. less /etc/resolv.conf
>> 6. press Up, then Shift+PgUp
>> 
>> What is expected: screen should not scroll past your file.
>> 
>> What happens: You can view the previous text (from
>> /etc/services)!!!
> 
> Here you didn't clear the scrollback buffer. Maybe you (or getty)
> executed a clear or a terminal reset but that only affects the
> visible part and not the scrollback buffer. There's absolutely no
> problem so far since everyone knows that the scrollback buffer only
> disappears when you switch to a different console.

Well, I didn't know obviously, now I know.

> My problem is that with a
> really-not-trivial-command-and-key-combination you can possibly see
> /etc/services (in your example) even _after_ you've switched to a
> different console and you are certain that the scrollback buffer is
> no longer available.
> 
> And then what if it's not /etc/services but some private data of
> yours? Maybe other users can later access it. There's no way you can
> protect yourself against it. And you live in a false belief that your
> private data is scrolled out forever.
> 
> Please forget your own test case. Repeat _exactly_ those steps _I_ 
> described in my original post. Then you'll understand what I'm
> talking about.
I tried at first...

Now I did it again:
1. Login on VT2
2. less /etc/services
3. switch to X (VT8 here) and do something
4. switch back to VT2
5. press Shift+PgUp
6. press Up, then press several times Shift+PgUp

What is expected:
screen should not scroll past the beginning of /etc/services.

What happens:
I saw a bunch of garbage plus pieces of text (/etc/shadow from previous tests and so on); this is a security flaw, NOT a feature.

> You sure won't understand my problem if you believe that I'm wrong
> and want to convince me with your own interpretation of my words and
> your own (completely different) test case. Please stick to exactly
> what I reported.
No, I thought you were right, I was just trying to produce a simple test case :-(

What I was trying to prove with my test case is that
a) if you are using mingetty
AND
b) you switch VT after logout (pressing Alt+Right a few times)
the above mentioned scroll-back flaw is not observed.

Ok, after tons of new tries, I reproduced it...

I was thinking that every VT has its own scrollback buffer and you are supposed to see what has been on a given VT.
Now I see that you can see things that have been printed on _other_ VTs :-)

I confirm the bug.

There is no connection with {a,min}getty it seems.


Kalin.

-- 
||///_ o  *****************************
||//'_/>     WWW: http://ThinRope.net/
|||\/<" 
|||\\ ' 
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
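The thread describes text surviving in the console scrollback after logout and VT switches. As an added example (not code from this thread or from the kernel), the logout hook below wipes the scrollback of a Linux virtual console before the next user logs in; it assumes a kernel whose console honours CSI 3 J (ESC [ 3 J), and the function names are the author's own.

```shell
#!/bin/sh
# Added example, not from the thread: a logout hook that wipes the
# scrollback of a Linux virtual console before the next login.
# Assumption: the kernel console honours CSI 3 J (ESC [ 3 J), which
# erases the scrollback as well as the visible screen.

# True only for /dev/ttyN virtual consoles, not for pseudo-terminals
# (/dev/pts/N) or serial lines, where the VT scrollback does not apply.
is_linux_vt() {
    case "$1" in
        /dev/tty[0-9]|/dev/tty[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# The byte sequence sent to the console: erase scrollback (3J), erase
# the visible screen (2J), then move the cursor home (H).
wipe_sequence() {
    printf '\033[3J\033[2J\033[H'
}

# Wipe the console the current shell is attached to, if it is a VT.
# Returns 0 when a wipe was sent, 1 when the terminal was not a VT.
wipe_console_on_logout() {
    tty_path=$(tty 2>/dev/null) || return 1
    is_linux_vt "$tty_path" || return 1
    wipe_sequence > "$tty_path"
    return 0
}

# Typical use: call wipe_console_on_logout from ~/.bash_logout or
# /etc/bash.bash_logout; it is not invoked here so the file can be sourced.
```

Note that only the console you log out of is wiped; the cross-VT leak reported in the thread is a kernel matter and is not addressed by a per-user hook.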
