[Security] Firefox asks for the system keyring password

Nh3xus · 11-23-2013, 07:19 PM

Hi,

I've a question related to the overall security of my system.

I'm running Slackware -current with Alien BoB's flash plugin package.

A few days ago, I was browsing a website that had a flash video embedded.

After a while, Firefox prompted me for the system keyring password.

This is not a normal behavior for a web browser to ask for privilege elevation.

I did cancel the prompt but I've forgotten to track down the resource that Firefox (or the flash plugin, I don't know) wanted to access.

How can I check if my system is compromised by some sort of exploit ?

hitest · 11-23-2013, 07:32 PM

You could try running rkhunter. It will scan your system for known rootkits, exploits.

http://slackbuilds.org/repository/14.0/system/rkhunter/

After you install it, you run it on the CLI as root. Navigate to /usr/bin

# rkhunter --update
# rkhunter --checkall

Nh3xus · 11-24-2013, 12:47 PM

Thanks you, I will give this a go.

Nh3xus · 11-24-2013, 05:31 PM

I just finished running the test.

Apparently, tere's not much to worry about.

Only 3 files were reported is "suspicious" :

Code:

/usr/sbin/adduser
/usr/bin/ldd
/usr/bin/whatis

I think they were detected as false positives since Pat did a few changes in them.

Please tell me if my "analysis" is correct.

While typing this message, the keyring prompt popped again !

I've saved the ps -ax output.

Please tell me what application tried to access some part of the system.

Here's the link of the output :

http://sebsauvage.net/paste/?513a944...CjfcBNzghJybc=

This is really driving me nuts.

jon lee · 11-24-2013, 05:49 PM

That's a highly modified system to be slackware. I take it you installed dropline gnome?
You have a lot of gnome-centric processes to be running xfce with compton.

I would try to capture the WM logs.. startx &> log.txt. If that failed to produce anything, run firefox in a terminal to see if it logs anything. Worse came to worse, you could strace firefox to see where it's coming from.

Nh3xus · 11-24-2013, 06:03 PM

Hi,

No, I've NOT installed Dropline Gnome.

I'm just using a vanilla Xfce.

Compton only needed libconfig as an external dependencies.

I wouldn't use Slackware if I wanted the Gnome stuff.

I will log my WM as you advised.

I will let you know if I have to strace Firefox.

If I don't find it in a few week, I will just resore my Clonezilla backup.

I think something HAS been changed without my approval since this keyring prompt never showed up before I browse this f%$!ing dubious website.

Thanks for your tips

jon lee · 11-24-2013, 06:29 PM

Just to give something to compare your process list with, here is my process list of xfce with compton.
http://pastebin.com/cdYTB9Hq

That should give an idea of some of the things you could eliminate.

Nh3xus · 11-24-2013, 06:57 PM

Quote:

Originally Posted by jon lee

Just to give something to compare your process list with, here is my process list of xfce with compton.
http://pastebin.com/cdYTB9Hq

That should give an idea of some of the things you could eliminate.

Mhh, from a first quick look, you don't have any kind of "gnome" process running.

I think that you have done a Slackware installation with the "menu" or "expert" mode, just like me.

I'm done nothing fancy, just got rid of the whole /KDE/ and /KDEI/ plus some other "server" stuff that I don't need on a laptop.

I'm curious to see what packages you just skipped.

You seems to have skipped everything related to gnome.

I'm a bit buzy this week and I can't analyze this right now but I will compare your ps output with mine in the next weekend.

I will try to do a diff comparison between your output and mine.

Of course, I will let you know.

Thanks you

hitest · 11-24-2013, 07:35 PM

Quote:

Originally Posted by Nh3xus

I just finished running the test.

Apparently, tere's not much to worry about.

Only 3 files were reported is "suspicious" :

Code:

/usr/sbin/adduser
/usr/bin/ldd
/usr/bin/whatis

Yeah, I get those as well. If rkhunter shows zero rootkits I think you're likely okay. Do you have any other evidence that makes you think you've been compromised?

Nh3xus · 11-24-2013, 08:21 PM

Quote:

Originally Posted by hitest

Yeah, I get those as well. If rkhunter shows zero rootkits I think you're likely okay. Do you have any other evidence that makes you think you've been compromised?

Glad to see that these are false positives

I've not that much information at the moment.

I've managed to capture the process that is related to this password prompt :

Code:

 16784 ? SLl 0:00 /usr/bin/gnome-keyring-daemon --start --foreground --components=secrets

It's annoying to be interrupted by this prompt every now and then so I will troubleshoot this during this weekend.

I've thought about such rare cases so I think my Clonezilla backup will come pretty handy for that

But It's still interesting to see if _somehow_ something managed to gain access to restricted ressources.

number22 · 11-25-2013, 01:25 AM

Uninstall gnome-keyring and libgnome-keyring, assuming you don't use firefox/mozilla/seamonkey etc. password management. And, you don't use ssh-agent/gpg-agent. Slackware official release notes doesn't say why these packages are needed, so take out, see if any software becoming broken. good luck.

my bad, I don't use xfce 4. try disabling Launch GNOME services in the Advanced tab of Session Manager in Xfce's settings.
Starting your xfce with --with-ck-launch for ConsoleKit session.
http://docs.xfce.org/xfce/xfce4-session/advanced

Nh3xus · 11-25-2013, 03:30 AM

I don't use ssh-agent/gpg-agent.

But I use the Firefox master password.

I tried a couple of minutes ago to remove the Adobe configuration folder by using this command :

Code:

$ rm -rf ~/.adobe

But still no joy, the password prompt still appears randomly.

I'm will just restore the system in an previous state with my backup.

It look like it's a pain to track down.

As a GNU/Linux user, this is the first time I encounter a possible infection on my machine.

I'm sure that even if rkhunter didn't found anything, I've something that starts along with my session and tries to access something.

Thanks for the advices though.

Ilgar · 11-25-2013, 05:42 AM

You can also try checking the "Sessions and Startup" in Xfce settings to see if any related daemon is autostarted with Xfce.

I don't think that there is an infection here -- I have a similar situation with Google Chrome. After upgrading to 14.1, Google Chrome started asking for keyring password whenever I open an account login page. I've seen this happening in other distributions before. Probably, that functionality was always there but did not activate while using the 14.0 versions of the related packages. I think it is similar to KWallet popping up in a KDE session.

number22 · 11-25-2013, 11:21 AM

Quote:

Originally Posted by Nh3xus

I don't use ssh-agent/gpg-agent.

But I use the Firefox master password.

the culprit likely be Firefox gnome-keyring integration, google it. To make firefox-gnome-keyring use your login keychain, set extensions.gnome-keyring.keyringName to "login" (without the double quotes) in about:config. Note the lowercase 'l' despite the the keychain name having an uppercase 'L' in Seahorse.

Nh3xus · 11-25-2013, 06:27 PM

I'm not sure this will do the trick.

I mean, I can hide the prompt but this will more likely hide the suspicious behavior.

I've installed ClamAV, and I will perform a full scan of the whole drive tomorrow while I'm at my university.

If ClamAV, doesn't report anything, I will resore the system at a previous state and change all the password stored by firefox.

I will reset the master password too.

Browser exploits do exists on GNU/Linux too I guess...