WolfMUD: Journal for Tuesday, 2nd May, 2017


  Up to Main Index                               Up to Journal for May, 2017

                      JOURNAL FOR TUESDAY 2ND MAY, 2017
______________________________________________________________________________

SUBJECT: More on the security update
   DATE: Tue  2 May 23:31:22 BST 2017

After yesterday’s security update[1] I’ve been asked quite a few questions
which I will try to answer here, with as much information as I can, so as many
people see it as possible.

The security issue was a local information disclosure vulnerability. For the
vulnerability to be exploitable a user must gain local access to the machine
the WolfMUD server is running on. The user must then have access to either a
heapdump file or the WolfMUD server’s memory. The heapdump file or memory may
contain user passwords in plain text that linger in memory after use.

The heapdump file is produced via ‘#DEBUG heapdump’ when logged into WolfMUD.
The #DEBUG command was only available on the public dev git branch — not in a
publicly released version. The #DEBUG command also has to be enabled by
setting Debug.AllowDebug to true in the data/config.wrj configuration file.
The worst error made here was that the heapdump file was world readable — this
has been corrected in the security update.

For any version of WolfMUD it is possible that clear text passwords lingering
in memory could have been discovered — the risk is deemed minimal due to local
access being required with elevated permissions and tooling available. Access
to the server’s memory is usually accomplished using debugging tools, for
example gdb and gcore. However a local user must first gain permissions to the
process in order for the tools to work. Any user who can accomplish this is
already a potential threat to the whole machine and not just to the WolfMUD
server!

On Linux and Unix like systems a very simple and secure environment[2][3] to
restrict access to the WolfMUD server, its files and memory can be setup by
creating a separate user and group under which the server runs. WolfMUD can
then be installed in the separate user’s home directory and all files can be
owned by that user. Access will then only be via the separate user/group or
privileged users such as root.

Not having used Windows for a great many years[4], I don’t have anything to
say about WolfMUD on Windows. I’d rather plead my ignorance than hit Wikipedia
for 5 minutes, then spout some nonsense that puts users at risk.

The actual information disclosure is due to the fact WolfMUD reads input from
the player and stores it in a variable. That variable is in memory. Memory can
be dumped to a file or inspected directly — gaining access to the data stored
in the variable. This is not a problem unique to WolfMUD or Go — any program
written in any language will store data in variables in memory.

To mitigate the problem WolfMUD now retains input for as short a time as
possible and does not depend on garbage collection to dispose of data after
use. Care is taken to not create additional copies of input via appending to
slices — in which case the copy would linger until garbage collected. Care is
also take to write zero bytes into slices before releasing them for garbage
collection. Any files created by WolfMUD — blockprof, cpuprof, heapdump,
memprof and player account files — are only readable and writeable by the user
and group the WolfMUD server is running as.

With these precautions there remains a brief window of opportunity — between
WolfMUD reading input and processing it — where plain text passwords will be
held in memory. Running WolfMUD in a secure environment with restricted access
will prevent the memory from being snooped on as much as possible.

To put things into perspective, all of this pales in comparison to the fact
that WolfMUD uses Telnet where there is the issue of plain text passwords
being sent across an untrusted network — the internet.

If anyone still has questions: diddymus@wolfmud.org

--
Diddymus

  [1] Journal entry for 1st May, 2017: 1.html

  [2] Some people asked about running WolfMUD in a chroot. Chroot is designed
      to stop users and processes “getting out” not users “getting in”. But,
      the WolfMUD server can be run in a very minimal chroot with only the
      following system files available:
        /lib/x86_64-linux-gnu/libc.so.6
        /lib/x86_64-linux-gnu/libpthread.so.0
        /lib64/ld-linux-x86-64.so.2
      This is on a 64-bit x86 Debian system. The command ‘ldd server’ will
      show you what files are needed, but you can omit linux-vdso.so.1.

  [3] If there is available hardware, for example a Raspberry PI, that can be
      dedicated to running WolfMUD then a small script that starts networking
      and then calls the server executable can be specified for the init
      kernel boot parameter. See also: ../../2012/12/20.html

  [4] I have a copy of Windows 10 Pro running in a VM for Work to test
      websites in Internet Explorer. I also sneak in some WolfMUD testing.
      That’s all I use Windows for, nothing else, not even games.


  Up to Main Index                               Up to Journal for May, 2017