You're taking the p... Linux encryption app Cryptkeeper has universal password: 'p'

Give 'p's a chance... no?

Linux encryption app Cryptkeeper has a bug that causes it to use a single-letter universal decryption password: "p".

The flawed version is in Debian 9 (Stretch), currently in testing, but not in Debian 8 (Jessie). The bug appears to be a result of a bad interaction with the encfs encrypted filesystem's command line interface: Cryptkeeper invokes encfs and attempts to enter paranoia mode with a simulated 'p' keypress – instead, it sets passwords for folders to just that letter.

Cryptkeeper's developer appears to have abandoned the project. Luckily, it's not used by that many people – although that makes the bug no less tragically hilarious. It essentially executes this code to pass parameters to encfs:

write (fd[1], "p\n", 2);
write (fd[1], password, strlen (password));
write (fd[1], "\n", 1);

However, encfs is executed with the -S switch, which means it's supposed to read the password from stdin without a prompt. Previously, encfs was bugged and didn't quite do this. A bugfix corrected its operation to match its documentation – which made it incompatible with Cryptkeeper's assumptions.

So that's why Cryptkeeper sets all its directory passwords to "p": encfs was updated and that broke Cryptkeeper's interface.

Debian developer Simon McVittie has recommended the app be punted out of the Linux distro entirely.

"It looks as though cryptkeeper makes assumptions about encfs' command-line interface that are no longer valid," McVittie says in a bug report thread.

"I also notice that cryptkeeper does not check what write() and close() return during its interactions with encfs, which seems very likely to lead to undesired results.

"I have recommended that the release team remove this package from stretch: it currently gives a false sense of security that is worse than not encrypting at all." ®

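The failure described above, reproduced as an added example (this is not Cryptkeeper's or encfs's code): a password is piped to a consumer with and without the leading "p\n" keypress, and every write() and close() result is checked, as McVittie's remark suggests. The names write_all, first_line and accepted_password are hypothetical, and first_line is only a stand-in that assumes the consumer takes the first line of its input as the password.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Write the whole buffer, retrying on EINTR and short writes; -1 on error. */
static int write_all(int fd, const char *buf, size_t len) {
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) return -1;
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Stand-in consumer (assumption): takes the first line of its input as the
 * password, modelled on the article's description of encfs -S after the fix. */
static int first_line(int fd, char *out, size_t cap) {
    size_t i = 0;
    char c;
    ssize_t n;
    while ((n = read(fd, &c, 1)) == 1 && c != '\n' && i + 1 < cap)
        out[i++] = c;
    out[i] = '\0';
    return n < 0 ? -1 : 0;
}

/* Send a short password through a pipe, optionally after the legacy "p\n"
 * keypress, and report what the consumer accepted. Returns -1 on any failure. */
int accepted_password(const char *pw, int legacy_prefix, char *out, size_t cap) {
    int fd[2], rc = 0;
    if (pipe(fd) != 0) return -1;
    if (legacy_prefix && write_all(fd[1], "p\n", 2) != 0) rc = -1;
    if (rc == 0 && write_all(fd[1], pw, strlen(pw)) != 0) rc = -1;
    if (rc == 0 && write_all(fd[1], "\n", 1) != 0) rc = -1;
    if (close(fd[1]) != 0) rc = -1;   /* close() can report errors too */
    if (rc == 0 && first_line(fd[0], out, cap) != 0) rc = -1;
    close(fd[0]);
    return rc;
}

int main(void) {
    char got[64];
    for (int prefix = 1; prefix >= 0; prefix--)
        if (accepted_password("constructed-secret", prefix, got, sizeof got) == 0)
            printf("legacy prefix=%d -> accepted \"%s\"\n", prefix, got);
    return 0;
}
```

The password string is a constructed sample; with the prefix the consumer ends up with "p", and without it the intended password.
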