Password-related vulnerability with SDDM and Plasma Wayland session

$ echo $XDG_SESSION_TYPE
x11

inxi -SGxx

Now I am getting somewhere - reproducible on the first try.

1 Like

Holy macaroni! I see this too.
Breath2 theme, no SDDM wallpaper, no “List users” mode.
Breeze theme is fine, there’s no button to show password there so… But what will happen if it is added (by user config or through updates, for example) I wonder…
What’s interesting is that Breath2 is fine when “List users” mode (the default one) is active, as it lacks “Show password” button, but not only that, with default settings for Breath I couldn’t reproduce this because all I saw when switching back to tty1 was a black screen with a mouse cursor.

UPD: Nope. That black screen was a temporary thing. After messing with Breath2 settings a bit, I can reproduce it every time with any settings. That sucks!

I think this is a twofold issue

  1. sddm does not blank the screen upon login
  2. the show password option which is not present on all themes

@bogdancovaciu
Is the show password option only on Breath2 theme?

Yes, some members asked why it is not there, and @LordTermor and I decided to enable it only in Breath2.
Still not able to reproduce the issue mentioned, and that is why I asked for confirmation from other forum members but also from team members.

Steps to reproduce on bare-metal - I don’t know if wayland works with a vm

  1. Install Manjaro KDE - a default 21.1.6 minimal installation.
  2. Reboot - login - install the package plasma-wayland-session
  3. Logout - select wayland session - type password - reveal password - login
  4. Switch back to TTY1 to see the password

KDE Neon test

To gain some additional insight and comparison I have installed KDE Neon on my test system (Acer Aspire ES1-432).

Using the settings manager I found a theme with a reveal password button (AbstractLinuxTux) and applied it.

I logged out - plasma session - typed in password - reveal password - login - switch back to TTY1 - black screen.

Maybe it is worth looking into how the tested theme handles blanking the screen upon login?

Yeah also try setting another wallpaper for Breath2 theme or clear it using respective Systemsettings module.
My message above updated with more details how it has gone from “can’t reproduce” to “OHSHI~”

1 Like

It is a known issue to KDE developers. That is why the Breeze theme is not having that button. So it is recommended for now to hide that button as a workaround. However, people who know how to modify settings can unhide the password after all. Hence we don’t install Wayland session by default.

1 Like
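
For the workaround mentioned above (hiding the reveal button), an added example that is not part of the original thread: a shell function that lists installed SDDM themes whose QML appears to offer a reveal-password control. The two grep patterns and the sample themes are assumptions constructed for illustration; /usr/share/sddm/themes is the usual theme location.

```shell
#!/bin/sh
# Added example: list SDDM themes whose QML can reveal the typed password.
# Heuristic only. The two patterns below are assumptions about how a theme
# implements a "show password" control; a theme may do it another way.

# find_reveal_themes [DIR] -> prints one matching theme name per line, sorted
find_reveal_themes() {
    themes_dir=${1:-/usr/share/sddm/themes}   # usual SDDM theme directory
    for theme in "$themes_dir"/*/; do
        [ -d "$theme" ] || continue
        # Pattern 1: Plasma TextField property that draws the reveal button.
        # Pattern 2: a field whose echoMode can be switched to plain text.
        if grep -rqE --include='*.qml' \
            -e 'revealPasswordButtonShown[[:space:]]*:[[:space:]]*true' \
            -e 'echoMode[[:space:]]*:.*TextInput\.Normal' \
            "$theme"; then
            basename "$theme"
        fi
    done | sort
}

# make_demo_themes -> prints the path of a temp dir with constructed themes
make_demo_themes() {
    d=$(mktemp -d)
    mkdir "$d/reveal-prop" "$d/reveal-echo" "$d/plain"
    printf 'TextField {\n  revealPasswordButtonShown: true\n}\n' \
        > "$d/reveal-prop/Login.qml"
    printf 'TextInput {\n  echoMode: show ? TextInput.Normal : TextInput.Password\n}\n' \
        > "$d/reveal-echo/Main.qml"
    printf 'TextInput {\n  echoMode: TextInput.Password\n}\n' \
        > "$d/plain/Main.qml"
    echo "$d"
}

# Demo on the constructed fixture; pass a real directory to audit a system.
demo=$(make_demo_themes)
find_reveal_themes "$demo"
rm -rf "$demo"
```

A theme that is listed is only a candidate for review; whether it is the active greeter theme depends on the `Current=` setting in the SDDM configuration.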

Ok, that in itself is an issue, and I was able to reproduce on Arch install. Worse than that, with multiple users, the TTY1 is held for the TTY2 session for first user, the TTY3 is held for the session displayed on TTY4 for second user, and both show the password with the number of characters the password has.

For me the issue seems to be SDDM.

It works with VBox too, but my Manjaro installs only show black screen no matter what, even on native install.

It has to edit the theme.

Why is the issue on the sddm's github page (linked in initial post) still open with no emergency patch applied?

Is it that hard to clear a text field after the password check to prevent one of the severest vulnerabilities? That functionality is already present if you enter a wrong password and hit Enter: the field gets cleared after this. So there is nothing to develop; it is just a re-use of already existing functionality.

It is a single-line code fix - just to import and to call that already written function. Why is there still no fix from the sddm developers and no emergency update issued? I am shocked.

Probably the issue was poorly described with no details provided, for example exact steps to reproduce.

Could we try to issue our fix according to the How a user's password can be viewed in SDDM after logging into a Plasma Wayland session · Issue #1463 · sddm/sddm · GitHub suggestion?

I know it is a bad idea to patch at downstream levels only (by each downstream software author), but just in case the text field cleanup takes years to fix in the original repo. It has already been open for 11 days with no easily visible attempts to fix it (but maybe it is a vacation or illness; I really hope it is the first variant only).

Somebody, please help: please provide a pull request with those changes How a user's password can be viewed in SDDM after logging into a Plasma Wayland session · Issue #1463 · sddm/sddm · GitHub
@linux-aarhus

just did exactly the same thing for Breath2 theme:

3 Likes

This alone is not enough, SDDM greeter needs a patch too.

1 Like

It’s not a greeter but a default theme. If somebody uses it, of course it’s worth it to fix it there also.

Ah OK I haven’t dug that deep.
However I tried to apply exactly what you did here locally on my laptop and I still can see my password after login and switching to SDDM screen when using Breath2 theme…
There should be something else done or this approach simply doesn’t work in the first place.

I can’t see the greeter after login so I don’t know how I can debug it

Why should the idea to fix “only for me” / for the current usage scenario be preferred over a general vulnerability fix, not a single aspect of one case only?

To fix severe vulnerabilities only-for-me/for a certain case/usage scenario is an awful idea to implement. The git’s post suggests to do it in three places.

Because it’s a temporary solution.
I personally don’t want to dive into sddm code and check how to run wayland on the same tty as sddm greeter.

1 Like