©2025 Poal.co

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

================================================================================
UPDATE FOR: Potential Security Bug in PyBitmessage and/or Python2 Interpreter
================================================================================
Monday, February 8, 2021

This addendum to the prior report supplies additional data on how to replicate the bug events mentioned in the report.

Place this script in the PyBitmessage /src directory or subfolder of /src.
================================================================================
#!/usr/bin/env python2

# 'apinotifypath' in keys.dat calls this script.

import xmlrpclib
import json
import time
import base64
import api
import os
import random
import subprocess
from time import gmtime, strftime

exit()
================================================================================

2. Set the API notify path 'apinotifipath = /full/path/to/script/file
3. Start the PyBitmessage client.
4. The effects will be observed, with ImageMagick screen capture invoked and files with names of python modules generated in the directory when clicking with the mouse.
5. Outside of a security policy sandbox, on some systems the newly generated files may be PostScript or Bitmap images of the captured screen.

In the prior report, it was reported that this bug event occurs with the PyBitmessage GUI interface. In additional testing, the bug is also replicated if PyBitmessage is invoked as a daemon without the QT graphical interface. The results are the same, with screen capture invocation and creation of files named after Python modules. This means that a PyBitmessage daemon instance without a GUI is also vulnerable to the screen capture bug.

================================================================================
END OF UPDATE. PRIOR REPORT FOLLOWS.
================================================================================

================================================================================
PRIOR REPORT
================================================================================
Potential Security Bug in PyBitmessage and/or Python2 Interpreter
================================================================================

Environment: Linux Mint LDME, AKA "LinuxMint 4 Debbie", Debian base system.
This was replicated on other LinuxMint Versions, and presumably may occur on other Linux Distros.

Scenario: Command line invocation of graphical PyBitmessage client in a jail that catches security violations, seccomp calls, etc. A python script is activated by API notify path.

================================================================================
POTENTIALLY EXPLOITABLE SECURITY EVENT
================================================================================

mport-im6.q16: attempt to perform an operation not allowed by the security policy `PS' @ error/constitute.c/IsCoderAuthorized/408.

================================================================================
BEHAVIOR AND RESULTS
================================================================================

Problem: The Python2 module imports activate ImageMagick screen capture which attempts to save ImageMagic / PostScript screenshots to files named after the python modules.

When: Immediately as the PyBitmessage QT interface appears on the screen during startup.

What: A crosshairs appears and replaces the mouse cursor. It appears to be a imagemagick-type screenshot pointer. This is bizarre and unexpected behavior that has nothing to do with the purpose of the application or any component thereof.

In the right conditions the screen captures could happen completely invisibly to the user outside a sandbox setup.

Behavior: Interface stops responding to clicks. Entire desktop interface no longer responds to clicks at site of mouse cursor. After about a half dozen clicks the crosshairs disappear. The mouse pointer cursor re-appears and then gui elements are able to respond.

Several new files are surreptitiously created in a subfolder during this interaction: the filenames are: 

api
base64
json
random
subprocess
time
os
xmlrpclib

The screen capture occurs for each import statement, and hangs application execution, and after a mouse click the next import statement hangs the interface, until all the imports are processed--one mouse click for each import.

The files are created as empty files with no content. It appears the security sandbox prevents screen images from being captured and written to the files. Although ImageMagick is installed on the test system, the security sandbox in this scenario blocks all calls to the screen capture functions. More analysis is necessary to determine exactly what is happening. Whether or not this bug event is malicious or accidental is yet to be determined.

It appears that calls to import some python2 libraries are a contributing factor to this event. The filenames are names of python modules.

================================================================================
OUTPUT
================================================================================
Parent pid 26018, child pid 26019
Child process initialized in 48.27 ms
2021-02-08 11:58:51,892 - WARNING - Using default logger configuration
Qt: Session management error: None of the authentication protocols specified are supported
2021-02-08 11:58:53,415 - WARNING - defusedxml not available, only use API on a secure, closed network.
2021-02-08 11:58:53,496 - ERROR - socket error on sendto: [Errno 101] Network is unreachable
2021-02-08 11:58:54,860 - WARNING - /home/bitmessage/.namecoin/namecoin.conf unreadable or missing, Namecoin support deactivated
2021-02-08 11:58:54,864 - WARNING - There was a problem testing for a Namecoin daemon. Hiding the Fetch Namecoin ID button
2021-02-08 11:58:54,865 - WARNING - No indicator plugin found
2021-02-08 11:58:54,866 - WARNING - No notification.message plugin found
2021-02-08 11:58:59,868 - WARNING - No notification.sound plugin found
import-im6.q16: attempt to perform an operation not allowed by the security policy `PS' @ error/constitute.c/IsCoderAuthorized/408.
import-im6.q16: attempt to perform an operation not allowed by the security policy `PS' @ error/constitute.c/IsCoderAuthorized/408.
import-im6.q16: attempt to perform an operation not allowed by the security policy `PS' @ error/constitute.c/IsCoderAuthorized/408.
import-im6.q16: attempt to perform an operation not allowed by the security policy `PS' @ error/constitute.c/IsCoderAuthorized/408.
import-im6.q16: attempt to perform an operation not allowed by the security policy `PS' @ error/constitute.c/IsCoderAuthorized/408.
import-im6.q16: attempt to perform an operation not allowed by the security policy `PS' @ error/constitute.c/IsCoderAuthorized/408.
import-im6.q16: attempt to perform an operation not allowed by the security policy `PS' @ error/constitute.c/IsCoderAuthorized/408.
import-im6.q16: attempt to perform an operation not allowed by the security policy `PS' @ error/constitute.c/IsCoderAuthorized/408.
from: too many arguments

================================================================================
RELATED EVENTS
================================================================================

In some other tests in different conditions imagemagick screenshot images were automatically generated in a subfolder, with the files being named after imported python modules. These screenshot images were full-resolution screenshots of the graphical user interface at the time of the event. In this current instance it appears that no actual image data was written to the files due to sandbox security policy.

================================================================================
SEVERITY RATING
================================================================================

Not yet determined.

================================================================================
MITIGATION
================================================================================

Security mitigation may not be necessary as there is no evidence yet that these screen intercepts are actually transported away from the local host. This needs to be looked into. It may be a bug in Python and not the PyBitmessage codebase. However it has exploit potential.

1. Confine the PyBitmessage application to a secure sandbox that blocks all calls to the screen.
2. Run PyBitmessage sandboxed in daemon mode and use a alternative, trusted interface to connect to the API.
3. Deploy Bitmessage protocol interface using a graphics system that is segregated from Python, ImageMagick and Muffin WM, the latter being heavily dependent upon Python.
4. Do not use the apinotifypath feature of PyBitmessage for any Python application. The Pythonic recursion of import calls contributes to the erratic behavior.

Notes: Python interpreter does a lot of memory mapping access. It is possible that recursive import calls from subscripts may open up access to memory, making it writable from within a Python module or application.
-----BEGIN PGP SIGNATURE-----

iHUEAREIAB0WIQTk5SH3geBazsgm31RCU5XxmJFpoQUCYCGZ/wAKCRBCU5XxmJFp
oeP3AP9kFeTPgWOxHWBqWlWcUgst+5ogXLwhoGsG5Gq+78QlqAEAlLZxq520QQGC
mRPXJiyaIrpGNrKvG5AIKJLv3WDXjwo=
=iSIo
-----END PGP SIGNATURE-----
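
Added example; this is not code from the report above or from the PyBitmessage project. It models the explanation a commenter offers further down this thread: if the reporter's apinotifypath hook is read by a POSIX shell instead of by python2, every `import X` line invokes whatever `import` is first on PATH (on a desktop with ImageMagick installed that is its X11 screen-capture tool, which writes the capture to a file named X, matching the eight `import-im6.q16` lines and the eight module-named files in the report), and `from time import gmtime, strftime` invokes the mail utility `from` (bsd-mailx / mailutils), which rejects the extra words with exactly the `from: too many arguments` seen at the end of the OUTPUT section. The `security policy \`PS'` text in those lines is ImageMagick's own policy.xml refusing its PostScript coder. The script captures nothing itself; it parses a constructed copy of the report's hook the way a shell would, and runs the preflight checks (executable bit, shebang interpreter resolvable) a practitioner would want before pointing `apinotifypath` at any script. Function names are the author's own.

```shell
#!/bin/sh
# Added example, not part of the report or of PyBitmessage.
# shell_view()    : print what a shell would execute for each line of a file
# count_captures(): how many files an ImageMagick `import` run would create
# interpreter_of(): interpreter named on the file's shebang line
# hook_preflight(): sanity checks before using a file as an apinotifypath hook
set -f   # no pathname expansion while splitting lines into words

# Write a constructed copy of the report's hook script to $1 (sample input).
write_sample() {
    cat > "$1" <<'EOF'
#!/usr/bin/env python2
# 'apinotifypath' in keys.dat calls this script.
import xmlrpclib
import json
import time
import base64
import api
import os
import random
import subprocess
from time import gmtime, strftime
exit()
EOF
}

# For each line of $1, print the external command a shell would run for it.
shell_view() {
    f=$1
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line
        case "$1" in
            ''|'#'*) ;;   # blank or comment: ignored by a shell
            import) printf 'import -> screen capture written to file "%s"\n' "$2" ;;
            from)   printf 'from -> mail utility; "from: too many arguments"\n' ;;
            *)      printf '%s -> parsed as a shell command\n' "$1" ;;
        esac
    done < "$f"
}

# Number of files a shell interpretation of $1 would create (one per import).
count_captures() { shell_view "$1" | grep -c 'screen capture'; }

# Interpreter named on the shebang line of $1, empty if there is none.
interpreter_of() { head -n 1 "$1" | sed -n 's/^#![[:space:]]*//p'; }

# Preflight for a hook script: it must be executable and its shebang
# interpreter must resolve, otherwise the launcher never reaches python2.
# Returns 0 when both hold, 1 otherwise, printing the reason.
hook_preflight() {
    [ -x "$1" ] || { echo "not executable: $1"; return 1; }
    shebang=$(interpreter_of "$1")
    [ -n "$shebang" ] || { echo "no shebang line: $1"; return 1; }
    set -- $shebang
    [ -x "$1" ] || { echo "interpreter missing: $1"; return 1; }
    # "#!/usr/bin/env NAME": NAME must also be on PATH
    if [ "$1" = "/usr/bin/env" ]; then
        command -v "$2" >/dev/null 2>&1 || { echo "not on PATH: $2"; return 1; }
    fi
    echo "ok: $shebang"
}

# Stand-alone demo: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample "$tmp"
    echo "--- as a shell would read it"
    shell_view "$tmp"
    echo "--- preflight"
    hook_preflight "$tmp"
    rm -f "$tmp"
fi
```

Run with `--demo` to see the eight `import` lines mapped to the eight file names listed under BEHAVIOR AND RESULTS and the `from` line mapped to the mail utility. `hook_preflight` is the check to run on the real hook before setting `apinotifypath` (the key name as the report's own script comment gives it): a hook that is not executable, or whose shebang interpreter is missing, is exactly the kind of file that ends up being fed to a shell.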

(post is archived)

[–] 0 pt

Currently waiting to hear back from the CVE people at MITRE Corporation.

I recommend running Bitmessage inside a security sandbox that blocks all access to video and screencap, just to be on the safe side.

[–] 0 pt

It was pointed out to me that the behaviour can be explained by the script being interpreted through bash rather than python. This sounds like a reasonable interpretation. So in the worst case, this is a non-security bug, but I'm not even sure it's a bug at this moment. It certainly isn't an exploit as all code needs to be provided by user. apinotify script takes an argument, which is one out of a couple of fixed strings.

[–] 0 pt

It looks to me like something attacked the submitter's computer, and left backdoors that affected PyBitmessage. Possibly, the submitter installed an already compromised copy of PyBitmessage from somewhere.

I'm skeptical that this report represents an exploit against the current version of PyBitmessage.

[–] 0 pt

Where's the source for that?

[–] 0 pt

The source wishes to remain anonymous. Kinda the whole point of Bitmessage.

[–] 0 pt

I'm not talking about the source of the message, I'm talking about the source to fork and commit where that security update is supposedly from.

[–] 0 pt

There is no security update or patches. This bug is active and has not been fully investigated. It has not been resolved.