private messages on dbus

khc at hxbc.us khc at hxbc.us
Tue Dec 20 20:14:31 EST 2011


On Wed, 21 Dec 2011 02:49:41 +0200, Dimitris Glynos wrote:
> On 12/21/2011 01:11 AM, khc at hxbc.us wrote:
>> On Tue, 20 Dec 2011 12:02:38 +0200, Dimitris Glynos wrote:
>>> Hello all,
>>>
>>> I was wondering if pidgin could allow for certain chat types
>>> to be flagged as private and not transmit these over dbus.
>>> I don't know how much dbus is hardwired to pidgin (is it used
>>> also for capturing the messages displayed on the pidgin GUI?)
>>> but the fact that a local attacker can access OTR plaintext
>>> from a dbus session monitor is quite unnerving.
>>
>> a local attacker can already ptrace the pidgin process and do
>> pretty much anything.
>
> Yes, the word 'local' is used incorrectly in the original post.
> Consider a remote attacker that exploits some app running
> in the same desktop session as pidgin. It is trivial
> to fork-exec a dbus session monitor from there and retrieve the
> sensitive info.
>
> Now, regarding ptrace, although it was generally possible in
> the past to attach to processes of the same user, this has
> been restricted somewhat in modern distros. Specifically,
> distros like Ubuntu allow (non-root) ptrace only to
> processes that are children of the ptrace-caller.

Good point, I remember reading about that. However, in the case of
pidgin, one can still drop a plugin and cause pidgin to load that
plugin via dbus (not sure if that actually works, but the code
should be there already) / wait until next time pidgin is launched.

Not that simply because workarounds are possible there shouldn't
be a way to make them more visible, but I just wanted to point
out that there are still other ways to make pidgin do pretty
much anything once you have local access. SELinux and others
can help though.

-khc
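
Added example, not part of the original message or of Pidgin's code: a host check for the two points raised in this thread, reporting the kernel's ptrace restriction level and flagging plugin files that were not there when a baseline was taken. It assumes the restriction is exposed through the Yama sysctl `kernel.yama.ptrace_scope` and that the per-user plugin directory is `~/.purple/plugins`; the function names and the baseline format are hypothetical.

```python
import hashlib
import stat
from pathlib import Path

# kernel.yama.ptrace_scope values (Linux Yama LSM); 1 is the Ubuntu-style
# "children only" restriction mentioned in the thread.
PTRACE_SCOPE = {
    0: "classic: any process of the same user may attach",
    1: "restricted: only descendants of the tracer may be attached",
    2: "admin-only: attaching requires CAP_SYS_PTRACE",
    3: "disabled: no process may attach",
}

def ptrace_scope(path="/proc/sys/kernel/yama/ptrace_scope"):
    """Return (level, meaning); level is None if the sysctl is unreadable."""
    try:
        level = int(Path(path).read_text().strip())
    except (OSError, ValueError):
        return None, "Yama sysctl not readable; assume same-user ptrace works"
    return level, PTRACE_SCOPE.get(level, "unknown value")

def audit_plugins(plugin_dir, baseline):
    """Compare plugin_dir against a {filename: sha256} baseline.

    Returns a sorted list of (name, reason) for anything unexpected.
    """
    d = Path(plugin_dir)
    if not d.is_dir():
        return []
    findings = []
    if d.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append((d.name, "directory writable by group/other"))
    for f in d.iterdir():
        if not f.is_file():
            continue
        digest = hashlib.sha256(f.read_bytes()).hexdigest()
        if f.name not in baseline:
            findings.append((f.name, "not in baseline"))
        elif baseline[f.name] != digest:
            findings.append((f.name, "hash differs from baseline"))
    return sorted(findings)

if __name__ == "__main__":
    print("ptrace_scope:", ptrace_scope())
    # Assumed per-user plugin directory; empty baseline lists every plugin.
    for name, reason in audit_plugins(Path.home() / ".purple" / "plugins", {}):
        print(f"plugin {name}: {reason}")
```

The baseline only means something if it is recorded from a known-good state and stored where a process running as the same user cannot rewrite it.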



