CVE-2018-12356
📋 TL;DR
This vulnerability in the verify_file function of password-store.sh (Simple Password Store, pass) lets an attacker spoof the GnuPG signature check that pass applies to its configuration file (.gpg-id) and to extension scripts (.extensions/*.bash) when a signing key is pinned in PASSWORD_STORE_SIGNING_KEY. A spoofed .gpg-id lets the attacker add their own key ID as a recipient, so every password the victim subsequently writes or re-encrypts is also encrypted to the attacker's key (password disclosure); a spoofed extension script runs with the user's privileges the next time that extension is invoked (arbitrary code execution). pass 1.7.0 and 1.7.1 are affected; 1.7.2 fixes it.
💻 Affected Systems
- Simple Password Store (pass)
📦 What is this software?
Simple Password Store (pass), maintained by Jason A. Donenfeld at zx2c4.com, is a command-line password manager implemented as a shell script, password-store.sh. Each password lives in a GnuPG-encrypted file under ~/.password-store, the recipient key IDs are listed in .gpg-id, and the store is commonly kept in git and synced between machines with pass git. Because a synced store can be altered by whoever controls the remote, pass can verify detached GnuPG signatures on .gpg-id and on extension scripts against a key fingerprint pinned in PASSWORD_STORE_SIGNING_KEY; this CVE defeats that check.
⚠️ Risk & Real-World Impact
Worst Case
Disclosure of every password written or re-encrypted after the attacker's key is injected into .gpg-id, plus arbitrary code execution with the user's privileges through a spoofed extension script, potentially leading to full account or system compromise.
Likely Case
The attacker obtains read access to passwords by injecting their own key ID into .gpg-id under a spoofed signature; the victim's own pass invocations then silently encrypt new and edited entries to the attacker's key as well, and the attacker collects them from the synced store.
If Mitigated
Limited impact once pass 1.7.2 or later is in use and the store is only synced from remotes and filesystems the user fully controls; without a trusted delivery path for malicious .gpg-id or extension files, the spoofable check is never reached.
🎯 Exploit Status
Exploitation requires the ability to place attacker-controlled files into the password store directory, most realistically by controlling a git remote the store is synced from (pass git pull) or a shared filesystem it lives on. The bug only matters where the user has enabled signature verification via PASSWORD_STORE_SIGNING_KEY; if that variable is unset, pass performs no signature check at all, and the same write access leads to the same outcome without any spoofing. No public exploit status is stated on this page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.2 and later
Fix Commit: https://git.zx2c4.com/password-store/commit/?id=8683403b77f59c56fcb1f05c61ab33b9fd61a30d
Vendor Advisory: http://openwall.com/lists/oss-security/2018/06/14/3
Restart Required: No
Instructions:
1. Update pass using your package manager, e.g. 'sudo apt update && sudo apt upgrade pass' (Debian/Ubuntu) or the equivalent for your distribution, or install 1.7.2 or later from https://git.zx2c4.com/password-store/.
2. Verify the installation with 'pass version'.
3. Ensure the reported version is 1.7.2 or higher.
🔧 Temporary Workarounds
Manual signature verification
Linux: Before trusting a freshly synced store, verify the detached signatures on .gpg-id and on any extension script yourself with gpg, and confirm by eye that the reported key fingerprint is the one pinned in PASSWORD_STORE_SIGNING_KEY. A "Good signature" from any other key must be treated as a failure; pass is only supposed to accept the pinned key.
gpg --verify ~/.password-store/.gpg-id.sig ~/.password-store/.gpg-id
gpg --verify ~/.password-store/.extensions/NAME.bash.sig ~/.password-store/.extensions/NAME.bash
Restrict file permissions
Linux: Make the store readable and writable only by its owner. pass keeps entries in subdirectories and its configuration in dotfiles (.gpg-id, .gpg-id.sig, .extensions/), so a plain 'chmod 600 ~/.password-store/*' would break directory traversal and leave those files untouched; strip group and other permissions recursively instead. This only blocks other local accounts: files that arrive through the user's own 'pass git pull' from a compromised remote are written with the user's permissions and are not prevented.
chmod 700 ~/.password-store
chmod -R go-rwx ~/.password-store
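As an added illustration of what a non-spoofable check looks like (this is example code written for this page, not pass's own verify_file, and the fingerprints and status lines below are constructed placeholders): the parser accepts a file only when a status line that begins with "[GNUPG:] VALIDSIG" names exactly the pinned 40-hex-digit fingerprint, so attacker-controlled text elsewhere in gpg's output that merely contains the word VALIDSIG cannot satisfy it. It goes beyond the manual gpg --verify step above by pinning the fingerprint in code instead of reading it by eye. The VALIDSIG field layout (signing-key fingerprint first, primary-key fingerprint last) follows GnuPG's DETAILS documentation.

```shell
#!/bin/sh
# Added example, not code from pass itself: a pinned-fingerprint check over
# GnuPG's machine-readable status stream, as a wrapper script would need when
# deciding whether .gpg-id or an extension script is signed by the trusted key.

# status_has_validsig_from PINNED_FPR
#   Reads a gpg --status-fd stream on stdin. Returns 0 only if some line begins
#   with "[GNUPG:] VALIDSIG " and its signing-key fingerprint (field after
#   VALIDSIG) or its primary-key fingerprint (last field) equals PINNED_FPR.
#   Returns 2 if PINNED_FPR is not a full 40-hex-digit upper-case fingerprint.
#   "VALIDSIG" appearing anywhere else in the stream (inside a file name, a
#   notation value or a user ID that gpg echoes back) never matches, because
#   only a line-anchored keyword and exact field equality are consulted.
status_has_validsig_from() {
    pinned=$1
    # Refuse key IDs, lower-case and malformed input: a short pin invites
    # substring confusion with attacker-chosen key material.
    case $pinned in
        *[!0-9A-F]*|'') return 2 ;;
    esac
    [ "${#pinned}" -eq 40 ] || return 2
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] VALIDSIG "*) ;;   # candidate: keyword anchored at column 0
            *) continue ;;
        esac
        rest=${line#"[GNUPG:] VALIDSIG "}
        sigkey=${rest%% *}              # fingerprint of the (sub)key that signed
        primary=${line##* }             # last field: primary key fingerprint
        [ "$sigkey" = "$pinned" ] && return 0
        [ "$primary" = "$pinned" ] && return 0
    done
    return 1
}

# verify_signed_file PINNED_FPR FILE
#   Runs gpg on FILE and its detached signature FILE.sig and applies the check
#   above. Human-readable output is discarded; only status lines are parsed.
verify_signed_file() {
    [ -f "$2.sig" ] || { echo "no signature for $2" >&2; return 1; }
    gpg --batch --no-tty --status-fd=1 --verify "$2.sig" "$2" 2>/dev/null \
        | status_has_validsig_from "$1"
}

# Constructed status streams (not captured from a real gpg run; the
# fingerprints are placeholders). GOOD_STATUS carries a VALIDSIG line from the
# pinned key. SPOOF_STATUS only contains the trusted fingerprint inside data an
# attacker controls, modelled here as a notation value, while its real VALIDSIG
# line names a different key.
PINNED_FPR=0123456789ABCDEF0123456789ABCDEF01234567
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2018-06-14 1528934400 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'
SPOOF_STATUS='[GNUPG:] NEWSIG
[GNUPG:] NOTATION_NAME note@example.org
[GNUPG:] NOTATION_DATA [GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2018-06-14 1528934400 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] GOODSIG FEDCBA9876543210 Attacker <attacker@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2018-06-14 1528934400 0 4 0 1 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98'

# check_stream PINNED_FPR STREAM: run the parser on an in-memory stream, so the
# samples can be exercised without gpg or any keys present.
check_stream() { printf '%s\n' "$2" | status_has_validsig_from "$1"; }

if [ "${1-}" = demo ]; then
    check_stream "$PINNED_FPR" "$GOOD_STATUS"  && echo "good stream: accepted"
    check_stream "$PINNED_FPR" "$SPOOF_STATUS" || echo "spoof stream: rejected"
fi
```

Run it as 'sh check.sh demo' to see the two constructed streams classified, or call verify_signed_file with your own fingerprint and a real .gpg-id to apply it to a store. The exact-equality comparison is deliberate: a 40-character fingerprint has no valid shorter form, so any pin that is not exactly 40 upper-case hex digits is rejected rather than matched loosely.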
🧯 If You Can't Patch
- Implement file integrity monitoring on the password store directory, with .gpg-id, .gpg-id.sig and everything under .extensions/ as the highest-priority paths
- Do not sync the store from a git remote or shared filesystem you do not fully control, and review .gpg-id and .extensions/ by hand after every pull
- Use an alternative password manager until patched
🔍 How to Verify
Check if Vulnerable:
Run 'pass version' (or 'pass --version'). If the banner reports 1.7.0 or 1.7.1, the installation is vulnerable.
Check Version:
pass version
Verify Fix Applied:
Run 'pass version' and confirm the output shows 1.7.2 or higher. Then exercise the check rather than assuming it: with PASSWORD_STORE_SIGNING_KEY set to the full fingerprint of your signing key, a write operation such as 'pass generate' against a store whose .gpg-id.sig is missing, or was produced by a different key, must abort with a signature error, while a store whose .gpg-id you signed yourself must work normally.
📡 Detection & Monitoring
Log Indicators:
- Unexpected modifications to ~/.password-store/.gpg-id, ~/.password-store/.gpg-id.sig or anything under ~/.password-store/.extensions/, in particular a key ID appearing in .gpg-id that the user did not add with pass init
- pass aborting with a GnuPG signature error on .gpg-id or an extension script
Network Indicators:
- None specific to the vulnerability itself; the malicious files are most likely delivered through the store's own git sync ('pass git pull'), so a pull that changes .gpg-id, .gpg-id.sig or .extensions/ is the event to correlate with
SIEM Query (illustrative pseudo-query; adapt field names and path syntax to your platform, which will not expand ~; a user filter is of little use because the writes are performed by the victim's own account during a sync):
filemod:path='/home/*/.password-store/.gpg-id' OR filemod:path='/home/*/.password-store/.gpg-id.sig' OR filemod:path='/home/*/.password-store/.extensions/*'
🔗 References
- http://openwall.com/lists/oss-security/2018/06/14/3
- http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html
- http://seclists.org/fulldisclosure/2019/Apr/38
- http://www.openwall.com/lists/oss-security/2019/04/30/4
- https://git.zx2c4.com/password-store/commit/?id=8683403b77f59c56fcb1f05c61ab33b9fd61a30d
- https://github.com/RUB-NDS/Johnny-You-Are-Fired
- https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf
- https://lists.zx2c4.com/pipermail/password-store/2018-June/003308.html