ricochet-im/ricochet

Report that Ricochet running in a VM Triggered Arbitrary Screenshot Program

straumer opened this issue · 7 comments

Hi. I was running ricochet in a VirtualBox VM, turning it off and on a few times. Then at one point a popup came up, informing me that a subprocess failed to run, named "scrot". This command takes screenshots. The OS was Trisquel Linux 8.0.

Just want to point this out. Kind of regret running it on my bare system now before I did this. :-p It makes sense though, especially with no update since 2016. This kind of traffic must make you a rather interesting target.

Bit of a shame. I like this program. I hope it or one similar will get adequate support one day to defend against the big guys.

s-rah commented

Can you provide more information on the setup? Was the binary from a package manager or was it downloaded from GitHub? Do you have memory dumps / debug traces? What version of Tor was running with it? Can you upload the binary you are using (or send it to me at sarah@openprivacy.ca)?

I think attributing this to a security vulnerability in ricochet is premature, particularly when the attack vectors for Ricochet are very limited to begin with. The code as released underwent an in-depth audit, and while I certainly wouldn't call it bulletproof, the existence of a vulnerability that can a) call an arbitrary binary as a subprocess and b) is being exploited in the wild would be very interesting and surprising.

Thanks,
Sarah

Sorry, I should've taken a snapshot, but I was just taken aback in the moment and shut it down. I wasn't doing any analysis on it, so this was unexpected. I installed ricochet-1.1.4-linux-x86_64.tar.bz2 on that system. I'll get you the whole virtual machine in a moment.

So, while I'm compressing the files: I didn't have any contacts in there, so this would have to be carried out without needing contact approval. I just set up the virtual machine today, got the binary from GitHub as described, installed it, and set up an automatic login and startup of ricochet on boot. I ran ricochet a few times as I was testing this automatic startup, then let it just wait for a bit (an hour?), then came back to it and saw the popup message on top of the ricochet window about the failed attempt to start the "scrot" subprocess (there was no scrot on the system, so go figure).

I uploaded two VMs here. One is "ricochet" which was after the incident and one is "ricochet-bak" which is a copy of the same machine taken shortly before the incident. I just wanted to be able to start it clean, in case I'd see suspicious behavior after some time of use. The ricochet package is in the ricochet user's Desktop directory.

s-rah commented

Hi! Thanks for uploading the images. From a quick look, it looks like scrot is set up to be the default command to be run in the window manager (openbox) running in the VM. Could it be that you triggered this?

[screenshot from 2018-09-04 20-39-53]
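The check behind the explanation above is whether the window manager, not the application, is what launches `scrot`. Openbox stores its keybindings in `rc.xml` (`~/.config/openbox/rc.xml`, LXDE's `lxde-rc.xml`, or the system default under `/etc/xdg/openbox/`), where an `<action name="Execute">` carries the command to run. The following is an added example, not code from the ricochet project or from anyone in this thread: it parses an rc.xml and lists which keys run a given program. The embedded `SAMPLE_RC_XML` is constructed for illustration; the `Print` -> `scrot` binding in it is hypothetical, and the candidate config paths are assumptions to verify on your own system.

```python
"""List Openbox keybindings that launch a given program (e.g. scrot).

Added example; not part of ricochet or of the original issue thread.
"""
import os
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the layout of an Openbox rc.xml.
# The "Print" -> scrot binding is hypothetical: it shows how a screenshot
# tool can be started by the window manager rather than by an application.
SAMPLE_RC_XML = """<?xml version="1.0" encoding="UTF-8"?>
<openbox_config xmlns="http://openbox.org/3.4/rc">
  <keyboard>
    <keybind key="Print">
      <action name="Execute">
        <command>scrot</command>
      </action>
    </keybind>
    <keybind key="W-t">
      <action name="Execute">
        <command>xterm -title shell</command>
      </action>
    </keybind>
    <keybind key="A-F4">
      <action name="Close"/>
    </keybind>
  </keyboard>
</openbox_config>
"""

# Assumed locations of the active config; check which one applies on your system.
CANDIDATE_PATHS = [
    os.path.expanduser("~/.config/openbox/rc.xml"),
    os.path.expanduser("~/.config/openbox/lxde-rc.xml"),
    "/etc/xdg/openbox/rc.xml",
]


def _local(tag):
    """Strip the XML namespace so tag names match whatever xmlns the file uses."""
    return tag.rsplit("}", 1)[-1]


def execute_bindings(xml_text):
    """Return [(key, command)] for every Execute action bound to a key."""
    root = ET.fromstring(xml_text)
    found = []
    for keybind in root.iter():           # recursive, so chorded keybinds are covered
        if _local(keybind.tag) != "keybind":
            continue
        key = keybind.get("key", "")
        for action in keybind:
            if _local(action.tag) != "action" or action.get("name") != "Execute":
                continue
            for child in action:
                # <command> is the current element; <execute> is the older spelling
                if _local(child.tag) in ("command", "execute") and child.text:
                    found.append((key, child.text.strip()))
    return found


def bindings_running(xml_text, program):
    """Keys whose Execute command's first word is `program` (e.g. 'scrot')."""
    return [key for key, cmd in execute_bindings(xml_text)
            if cmd.split()[0] == program]


def check_installed_config(program="scrot"):
    """Scan the first existing candidate rc.xml; None if no config is found."""
    for path in CANDIDATE_PATHS:
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                return path, bindings_running(fh.read(), program)
    return None


if __name__ == "__main__":
    print("sample config binds scrot to:", bindings_running(SAMPLE_RC_XML, "scrot"))
    print("installed config:", check_installed_config())
```

If the installed config reports a key bound to `scrot`, an unexplained "failed to start scrot" popup is the window manager reacting to a keypress (or an autostart entry), and the application that happened to have focus is not the process that spawned it. Note that Openbox also runs commands from `autostart`, which this check does not cover.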

Hah! Yes, I reproduced that. That makes me both embarrassed and happy. Sorry about that ^^;

s-rah commented

No worries, glad we got to the bottom of this :)