bug in boxs

<6959c51586703f6efd09cfaaeb3c3632$1@def2.i2p>


https://news.novabbs.org/computers/article-flat.php?id=60&group=rocksolid.shared.security#60

Path: i2pn2.org!rocksolid2!def2!.POSTED.localhost!not-for-mail
From: anonymous@def2.anon (anonymous)
Newsgroups: rocksolid.shared.security
Subject: bug in boxs
Date: Sat, 28 Sep 2019 21:45:29 -0000 (UTC)
Organization: def2org
Message-ID: <6959c51586703f6efd09cfaaeb3c3632$1@def2.i2p>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Sat, 28 Sep 2019 21:45:29 -0000 (UTC)
Injection-Info: def2.org; posting-host="localhost:127.0.0.1";
logging-data="6641"; mail-complaints-to="usenet@def2.org"
 by: anonymous - Sat, 28 Sep 2019 21:45 UTC

overview:

due to a bug in boxs (boxs.i2p), private boxes could be accessed without
the keys once they had been unlocked with the right key, for ca. 10 min.
this enabled attackers to have full access to the boxes if they managed to
send a request at roughly the same time as the rightful owner. sending
requests every five minutes would have achieved this as well.

the service was taken offline after the bug had been detected, and the bug
has been fixed. no attacks of this kind have been recognized (still could
have happened, of course).

technical background:

the function check_keys validated the key given by the user in the
querystring by decrypting a test file, using this key as the password to
the private key. if the right key was given, the test file could be
decrypted and the box was opened. if not, there was an error message.
the problem was that gpg kept the access to the private key open for a
certain amount of time after the first successful access to it. as a
consequence, every access after the first was possible without supplying a
key at all.
this behaviour of gpg was unexpected for me, but a known issue that
created some threads on serverfault et al.
it would appear that this feature of gpg can be turned off, but the method
seems to be complex and not very reliable.
so, a different approach was used to remedy the situation, which was to do
an additional check against a hashed salt of the key.

unfortunately, the access to private boxes created before the code update
is not possible anymore. they can still be deleted.

sorry for any trouble this may cause, but i felt it is better to cut the
service in this case than to offer an unsafe service.

my own new private box is this:
http://boxs.i2p/?Z7IqE

cheers

trw

Posted on def2
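
Added example, not part of the post above and not the boxs code: a Python model of the check_keys flaw described under "technical background" and of a fix that verifies the request's key against a stored salted hash before touching the decryptor. CachingDecryptor, make_verifier, derive and the two check_keys_* names are hypothetical, the gpg caching is simulated rather than invoked, and PBKDF2 is an assumed choice (the post only says "a hashed salt of the key").

```python
import hashlib
import hmac
import os

CACHE_TTL = 600  # seconds; constructed to match the "ca. 10 min" in the post


class CachingDecryptor:
    """Stand-in for gpg and its key cache (models only the behaviour described in the post)."""

    def __init__(self, passphrase):
        self._passphrase = passphrase.encode()
        self._unlocked_until = 0.0

    def decrypt_test_file(self, passphrase, now):
        if now < self._unlocked_until:
            return True  # private key still unlocked: the supplied passphrase is ignored
        if hmac.compare_digest(passphrase.encode(), self._passphrase):
            self._unlocked_until = now + CACHE_TTL
            return True
        return False


def derive(key, salt):
    # Assumed KDF and iteration count; any salted, slow hash fits the described fix.
    return hashlib.pbkdf2_hmac("sha256", key.encode(), salt, 200_000)


def make_verifier(key):
    """At box creation: store a random salt and the salted hash of the key."""
    salt = os.urandom(16)
    return salt, derive(key, salt)


def check_keys_vulnerable(box, key, now):
    # Original pattern: a successful decryption is the only proof of a valid key.
    return box.decrypt_test_file(key, now)


def check_keys_fixed(box, verifier, key, now):
    # Verify this request's key on its own, independent of any decryptor state.
    salt, expected = verifier
    if not hmac.compare_digest(derive(key, salt), expected):
        return False
    return box.decrypt_test_file(key, now)
```

Boxes created before such a change have no stored verifier, which is consistent with the post's note that older private boxes can no longer be opened.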

Re: bug in boxs

<5ee042bda71ced82b361d024a730a579$1@news.novabbs.com>


https://news.novabbs.org/computers/article-flat.php?id=61&group=rocksolid.shared.security#61

Path: i2pn2.org!rocksolid2!.POSTED.localhost!not-for-mail
From: AnonUser@rslight.i2p (AnonUser)
Newsgroups: rocksolid.shared.security
Subject: Re: bug in boxs
Date: Sat, 28 Sep 2019 22:34:11 -0000 (UTC)
Organization: Rocksolid Light
Message-ID: <5ee042bda71ced82b361d024a730a579$1@news.novabbs.com>
References: <6959c51586703f6efd09cfaaeb3c3632$1@def2.i2p>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Sat, 28 Sep 2019 22:34:11 -0000 (UTC)
Injection-Info: novabbs.com; posting-account="retrobbs1"; posting-host="localhost:127.0.0.1";
logging-data="25464"; mail-complaints-to="usenet@novabbs.com"
User-Agent: rslight (http://news.novabbs.com)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on novabbs.com
X-Rslight-Site: $2y$10$w859iftiEGFIXYN7HrzwquyMbzAOrEAKFAVDRbaaay5juiu0GbwP2
 by: AnonUser - Sat, 28 Sep 2019 22:34 UTC

anonymous wrote:

> the service was taken offline after the bug had been detected, and the bug
> has been fixed. no attacks of this kind have been recognized (still could
> have happened, of course).

Great that you addressed this as quickly as you could. Thanks for keeping
security as a top priority!

> sorry for any trouble this may cause, but i felt it is better to cut the
> service in this case than to offer an unsafe service.

It's a good service and you've proven you take security seriously.

--
Posted on Rocksolid Light
