GitSquared / edex-ui

A cross-platform, customizable science fiction terminal emulator with advanced monitoring & touchscreen support.
GNU General Public License v3.0
40.35k stars, 2.54k forks

Password mode reveals keystrokes on OS X #1160

Closed pyrocto closed 2 years ago

pyrocto commented 2 years ago

Technical information

Using version:

Running on:

How comfortable you are with your system and/or IT in general:

On at least OS X 10.13.6, password mode is not detected properly, so the on-screen keyboard reveals password characters.

pyrocto commented 2 years ago

Looks like the right way to do this is via https://github.com/Gottox/node-termios

GitSquared commented 2 years ago

As stated in the other thread, password mode currently isn't automatically triggered.

Termios looks interesting, I understand we should be listening for changes in the ECHO flag? Are we sure that e.g. sudo, ssh use it when prompting for passwords?

pyrocto commented 2 years ago

Pretty sure: https://github.com/sudo-project/sudo/blob/main/src/tgetpass.c#L138 https://github.com/openssh/openssh-portable/blob/master/openbsd-compat/readpassphrase.c#L90

pyrocto commented 2 years ago

The maintainer of node-pty at microsoft says we can get the file descriptor out of a terminal: https://twitter.com/Tyriar/status/1426520194986348548

> You can get the fd via private API like this: `(terminal as any)._fd` If this is what you're after, I don't see an issue exposing this as a stable API (and throwing when used on Windows).

pyrocto commented 2 years ago

More info: https://stackoverflow.com/a/68809070/450820

pyrocto commented 2 years ago

On my computer, when the cursor is at the command prompt, neither ICANON nor ECHO is set. Running stty -echo makes no difference to the flags when the cursor is at the prompt.

However, when running a program that expects input, the ICANON flag gets set. When it is set, we can detect the ECHO flag; sudo and ssh turn it off; cat does not. When running something like stty -echo; cat; stty echo, ICANON is set and ECHO unset for the duration of cat.

I think two flags should be stored for the keyboard: the user-activated flag that is currently implemented and a new ICANON+ECHO-controlled flag. If either one says to disable the keyboard, it will.

GitSquared commented 2 years ago

> I think two flags should be stored for the keyboard: the user-activated flag that is currently implemented and a new ICANON+ECHO-controlled flag. If either one says to disable the keyboard, it will.

Or maybe just fire an "event" when the echo flag is detected on the term and toggle password mode?

pyrocto commented 2 years ago

I don't know how to register an event handler for that. At the moment I've got a solution where I test the flag in the keydownHandler. That solution suffices for sudo and ssh. I suppose it would also be possible to query it periodically using setInterval.

My concern is the situation where someone runs stty -echo at the prompt and then types something private at the next prompt. The flags provided by termios do not change in that scenario. The only way I know of to stop the keyboard from leaking info there is to use the manually activated password mode.
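The detection rule worked out in this thread (trust the termios flags only while ICANON is set, hide input when ECHO is clear, and OR that with the manually activated password mode), as an added Python example that is not edex-ui's code. It uses Python's standard termios module instead of node-termios, and the function names are my own; the pty demo simulates what sudo/ssh do by clearing ECHO on a freshly opened pty.

```python
import os
import termios


def should_hide_keystrokes(lflag: int) -> bool:
    """Apply the thread's rule to a c_lflag value.

    Only trust the flags while ICANON (a program is reading a whole line)
    is set; a shell prompt with a line editor runs with ICANON clear, so its
    ECHO bit tells us nothing and we must not hide keystrokes based on it.
    """
    canonical = bool(lflag & termios.ICANON)
    echo = bool(lflag & termios.ECHO)
    return canonical and not echo


def tty_hides_input(fd: int) -> bool:
    """Read the local flags of an open tty/pty fd and apply the rule."""
    attrs = termios.tcgetattr(fd)
    return should_hide_keystrokes(attrs[3])  # index 3 is c_lflag


def keyboard_disabled(manual_password_mode: bool, fd: int) -> bool:
    """Two-flag policy from the thread: either flag disables the keyboard."""
    return manual_password_mode or tty_hides_input(fd)


def demo_on_pty():
    """Open a pty pair and toggle ECHO the way a password prompt does.

    Returns (before, during, after): hidden-input verdicts for the default
    flags, while ECHO is cleared, and after it is restored. Returns None if
    the host cannot allocate a pty.
    """
    try:
        master, slave = os.openpty()
    except OSError:
        return None
    try:
        before = tty_hides_input(slave)           # default: ICANON|ECHO set
        attrs = termios.tcgetattr(slave)
        attrs[3] &= ~termios.ECHO                 # what sudo/ssh do at the prompt
        termios.tcsetattr(slave, termios.TCSANOW, attrs)
        during = tty_hides_input(slave)
        attrs[3] |= termios.ECHO                  # prompt finished, echo restored
        termios.tcsetattr(slave, termios.TCSANOW, attrs)
        after = tty_hides_input(slave)
    finally:
        os.close(master)
        os.close(slave)
    return before, during, after
```

The "stty -echo at the prompt" case described above shows up as ICANON clear, where should_hide_keystrokes() returns False on purpose, so only the manual flag passed to keyboard_disabled() protects that input.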