CS401 Cyber Security Spring 2008 LibPurple/Pidgin Password Plugin Jonathan Blount Charles Tullock C. Shaun Wagner
Dec 27, 2015
CS401 Cyber SecuritySpring 2008
LibPurple/PidginPassword Plugin
Jonathan Blount Charles Tullock C. Shaun Wagner
Introductionto
LibPurple
Charles Tullock
What is LibPurple?Open Source Library in C
Instant Messaging Routines
Account Management
LibPurple IntroductionLibPurple Introduction
What is LibPurple?Protocols: AIM, ICQ, Jabber/XMPP, MSN Messenger, Yahoo!, Bonjour, Gadu-Gadu, IRC, Novell GroupWise Messenger, QQ,
Lotus Sametime, SILC, SIMPLE, MySpaceIM, Zephyr
LibPurple IntroductionLibPurple Introduction
What is Pidgin?One application, multiple protocols
simultaneously
Windows and *nix
Default IM program on many *nix platforms
LibPurple IntroductionLibPurple Introduction
Usage of LibPurple
Adium MeeboApollo IM OpenWengoEQO PidginFinch ScatterChatInstantbird Telepathy-Haze
LibPurple IntroductionLibPurple Introduction
Password StoragePasswords in accounts.xml (plain text)
Developers choose no security as opposed to false security.
LibPurple IntroductionLibPurple Introduction
Password OptionsSecurity by obscurity
Control access to plain text file
Encrypt password behind a password
LibPurple IntroductionLibPurple Introduction
Password Behind a PasswordKDE Wallet
Windows: LibCrypt, Credential ManagementGnome Keyring Service
3rd Party Applications
LibPurple IntroductionLibPurple Introduction
Platform Independent Pluginplugin_encrypt_passwords
Encrypts all passwords stored in plain text.Removes passwords from plain text after
encryption.
LibPurple IntroductionLibPurple Introduction
Platform Independent Pluginplugin_encrypt_passwords
plugin_fetch_passwordsUsed to fetch passwords for all accounts
before accounts connect to messaging services.
LibPurple IntroductionLibPurple Introduction
Platform Independent Pluginplugin_encrypt_passwords
plugin_fetch_passwordsplugin_decrypt_passwords
Decrypt all encrypted passwords and place them in the plain text accounts file.
LibPurple IntroductionLibPurple Introduction
Plugin ImpactLibPurple applications are more secure
Same password for multiple systems
Indirect vulnerabilities
LibPurple IntroductionLibPurple Introduction
Questions?
LibPurple IntroductionLibPurple Introduction
KWallet Pluginfor
LibPurple (Pidgin)
C. Shaun Wagner
KWallet is a credentials management application for the K Desktop Environment
(KDE).
KWallet is the preferred method for saving passwords in KDE.
KWallet PluginKWallet Plugin
KWallet Features
Password behind a password encryption
Warns users when programs access passwords
Users may easily manage encrypted data
KWallet PluginKWallet Plugin
Implementing KWallet
Direct API implementation
Messaging bus implementation:
DCOP for KDE3
D-BUS for KDE4
KWallet PluginKWallet Plugin
Goals
Save passwords in KWallet when requested
Fetch passwords from KWallet as needed
Save passwords in plain text when requested
KWallet PluginKWallet Plugin
Goals
Code should be as simple as possible
Code should compile using default makefile
Plugin should work in KDE3 and KDE4
KWallet PluginKWallet Plugin
LibPurple and KWallet
do not integrate easily
KWallet PluginKWallet Plugin
Problem
LibPurple plugins must be written in C
KWallet applications must be written in C++
KWallet PluginKWallet Plugin
Problem
LibPurple plugins must be written in C
KWallet applications must be written in C++
Solution
Wrap required C code in extern “C”
KWallet PluginKWallet Plugin
Problem
KWallet plugin requries Qt headers and compilation with a C++ compiler
KWallet PluginKWallet Plugin
Problem
KWallet plugin requries Qt headers and compilation with a C++ compiler
Solution
Redefine compiler and header includes on the command line for make
KWallet PluginKWallet Plugin
Problem
LibPurple is a GTK+ application
KWallet is a Qt application
GTK+ is incompatible with Qt in many ways
KWallet PluginKWallet Plugin
Problem
GTK+ is incompatible with Qt in many ways
Solution
Manually translate GTK+ types to and from Qt types. Example:
Convert gchar* to char* to QString
KWallet PluginKWallet Plugin
Compiling
Included all Qt libraries
Converted values between GTK+ and Qt
Wrapped C code in extern “C”
Compiled with C++ compiler
KWallet PluginKWallet Plugin
Segmentation Fault
KWallet must have a parent Qt application
KWallet PluginKWallet Plugin
Segmentation Fault
KWallet must have a parent Qt application
Solution
Create an empty (and invisible) KApplication
which is the parent class for all KDE/Qt applications
KWallet PluginKWallet Plugin
Segmentation Fault
KWallet cannot open the default wallet
KWallet PluginKWallet Plugin
Segmentation Fault
KWallet cannot open the default wallet
Solution
Undocumented: The lkwalletclient library must be linked when compiling
KWallet PluginKWallet Plugin
Segmentation Fault
KApplication and KWallet cannot be re-instantiated inside of functions
KWallet PluginKWallet Plugin
Segmentation Fault
KApplication and KWallet cannot be re-instantiated inside of functions
Solution
Make both KApplication and KWallet global
KWallet PluginKWallet Plugin
Beta Test
Encrypt Passwords
KWallet PluginKWallet Plugin
Beta Test
Encrypt Passwords
Successful
All passwords were removed from the plain text file and placed in KWallet
KWallet PluginKWallet Plugin
Beta Test
Fetch Passwords
Successful
All passwords were fetched and attached to the accounts before the accounts
connected to the messaging services
KWallet PluginKWallet Plugin
Beta Test
Decrypt Passwords
KWallet PluginKWallet Plugin
Beta Test
Decrypt Passwords
Successful
All passwords were removed from KWallet and placed in the plain text file
KWallet PluginKWallet Plugin
Beta Test
KDE3 and KDE4 test
Successful
Plugin performed properly in both KDE3 and KDE4 using Pidgin 2.4
KWallet PluginKWallet Plugin
Note on D-BUS
D-BUS is standard application communication service in KDE4
LibPurple has D-BUS functionality in the plugin API
KWallet PluginKWallet Plugin
Questions?
KWallet PluginKWallet Plugin
Windows Pluginfor
LibPurple (Pidgin)
Jonathan Blount
Password Management
Credential Manager
Hard to integrate
Easily hacked
Windows PluginWindows Plugin
Password Management
CryptoAPI
Windows 2000
Data Protection API
Crypt32.dll library
More secure
Windows PluginWindows Plugin
DPAPI
Functions
CryptProtectData
CryptUnprotectData
Windows PluginWindows Plugin
DPAPI
Optional Entropy
Only a user with the same logon credentials as the encrypting user can decrypt the
data
Windows PluginWindows Plugin
DPAPI
Windows PluginWindows Plugin
Environment
Pidgin/LibPurple on Windows using Cygwin
Written in C and makes heavy use of Glib (GTK++)
Link to Windows libraries
Windows PluginWindows Plugin
Environment
No external password management program
Debugging
Windows PluginWindows Plugin
DLL Loading
Load external library
Create the handle to the DLL
Free the library when done
Set pointer to NULL
Windows PluginWindows Plugin
Encryption
Windows PluginWindows Plugin
Storing Binary in Text File
Convert a byte array to a string
Visual C# is one line of code
Windows PluginWindows Plugin
Storing Binary in Text File
Convert a byte array to a string
C is over 20 lines of code
Windows PluginWindows Plugin
Decryption
Windows PluginWindows Plugin
Fetching Passwords
Straightforward
Decrypt Passwords
Load Accounts
Windows PluginWindows Plugin
Beta Testing
Encrypting Passwords: Success
Fetching Passwords: Success
Decrypting Passwords: Success
Windows PluginWindows Plugin
Questions?
Windows PluginWindows Plugin
Demo
LibPurple PluginLibPurple Plugin
KWallet Pluginfor
LibPurple (Pidgin)
C. Shaun Wagner
Windows Pluginfor
LibPurple (Pidgin)
Jonathan Blount