[opensuse-security] Request 311390 - a new password recovery tool
All,
The below SR is for a new to OBS password recovery tool (LaZagne).
From what I've seen all it does is look for plain text passwords that the user has visibility to if they knew where to look and present them. I have not done a code review, but I did run it to see what it found.
In the case of running it as root, it is not looking in /home/* for passwords, just /etc and /root
I know hacking tools are not allowed on OBS, but I argue this is more of an auditing tool in that it lets users know what plain text passwords they have on their system.
I can accept it into security:forensics (which is where it was submitted), but I'd appreciate your feedback as to the appropriateness of this package in security:forensics and/or factory before I do that.
Per the website (http://www.kitploit.com/2015/02/the-lazagne-project-recover-most-common.html) LaZagne can recover passwords from:
====
browsers - firefox, opera
chats - pidgin, jitsi
mails - thunderbird
adminsys - filezilla, environment variables
database - sqldeveloper, squirrel, dbvisualizer
wifi - network manager
wallet - gnome keyring
====
Summary, With openSUSE 13.2 LaZagne was able to retrieve some passwords for filezilla and wireless lans, but the passwords were being stored in plain text.
Thanks
Greg
---------- Forwarded message ----------
From: Luigi Baldoni <aloisio@gmx.com>
Date: Wed, Jun 10, 2015 at 3:06 AM
Subject: Request 311390 created by alois (submit security:forensics/LaZagne)
To: Greg Freemyer <Greg.Freemyer@gmail.com>, Marcus Meissner <meissner@suse.com>
Visit https://build.opensuse.org/request/show/311390
Description: Retrieves credentials stored locally.
Actions: - submit home:alois:branches:security:forensics/LaZagne => security:forensics/LaZagne
changes files: --------------
++++++ new changes file: --- LaZagne.changes +++ LaZagne.changes 
@@ -0,0 +1,17 @@ +------------------------------------------------------------------- +Fri Jun 5 07:37:17 UTC 2015 - aloisio@gmx.com + +- Update to version 0.71: + * Wifi password module from WPA Supplicant implemented (by rpesche) + +------------------------------------------------------------------- +Sat May 30 12:01:35 UTC 2015 - aloisio@gmx.com + +- Update to version 0.7: + * Fix mozilla bug (special characters were not printed) + +------------------------------------------------------------------- +Wed May 27 11:50:21 UTC 2015 - aloisio@gmx.com + +- Initial version 0.6 + new: ---- LaZagne-0.71.tar.bz2 LaZagne.changes LaZagne.spec spec files: ----------- ++++++ new spec file: --- LaZagne.spec +++ LaZagne.spec 
@@ -0,0 +1,74 @@ +# +# spec file for package LaZagne +# +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# + +Name: LaZagne +Version: 0.71 +Release: 0 +Summary: Python tool to decode locally stored passwords +License: GPL-3.0 +Group: Development/Languages/Python +Url: https://github.com/AlessandroZ/LaZagne +Source0: %{name}-%{version}.tar.bz2 +BuildRequires: fdupes +BuildRequires: python-devel +Requires: dbus-1-python +Requires: python-argparse +Requires: python-kde4 +Requires: python-pyasn1 +Requires: python-pycrypto +BuildArch: noarch + +%description +LaZagne is an open source tool to retrieve and decode +credentials stored on your computer. + +%prep +%setup -q + +%build + +%install +pushd Linux/src +mkdir -p %{buildroot}%{python_sitelib}/%{name} +sed -e 's|^# !/|#!/|' -i LaZagne.py +cp LaZagne.py* %{buildroot}%{python_sitelib}/%{name} +cp -a config %{buildroot}%{python_sitelib}/%{name} +cp -a softwares %{buildroot}%{python_sitelib}/%{name} +popd + +pushd %{buildroot}%{python_sitelib}/%{name}/ +%py_compile . +popd + +mkdir -p %{buildroot}%{_bindir} +pushd %{buildroot}%{_bindir} +ln -s %{python_sitelib}/%{name}/%{name}.py . 
+chmod +x %{buildroot}%{python_sitelib}/%{name}/%{name}.py +popd + +%fdupes -s %{buildroot} + +%files +%defattr(-,root,root) +%doc CHANGELOG LICENSE README.md +%dir %{python_sitelib}/%{name} +%{_bindir}/%{name}.py +%{python_sitelib}/%{name}/%{name}.py* +%{python_sitelib}/%{name}/config +%{python_sitelib}/%{name}/softwares + +%changelog other changes: -------------- ++++++ LaZagne-0.71.tar.bz2 (new) To REVIEW against the previous version: osc request show --diff 311390 To ACCEPT the request: osc request accept 311390 --message="reviewed ok." To DECLINE the request: osc request decline 311390 --message="declined for reason xyz (see ... for background / policy / ...)." To REVOKE the request: osc request revoke 311390 --message="retracted because ..., sorry / thx / see better version ..." -- Configure notifications at https://build.opensuse.org/user/notifications openSUSE Build Service (https://build.opensuse.org/) -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-security+owner@opensuse.org
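Review bot: "Source0: %{name}-%{version}.tar.bz2" in the spec preamble is a bare filename, so nothing in the request ties LaZagne-0.71.tar.bz2 to the upstream named in "Url: https://github.com/AlessandroZ/LaZagne". For a tool that reads stored credentials, give Source0 a full upstream URL, or add a comment saying how the tarball was produced, so a reviewer can compare it against upstream before accepting. Two smaller points in the same preamble: "Group: Development/Languages/Python" names the implementation language rather than what the package does, so a security-related group would fit better, and the hard "Requires: python-kde4" pulls KDE bindings onto every system that installs the tool; check whether that dependency can be made optional.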
On 06/10/2015 04:25 PM, Greg Freemyer wrote:
All,
The below SR is for a new to OBS password recovery tool (LaZagne).
From what I've seen all it does is look for plain text passwords that the user has visibility to if they knew where to look and present them. I have not done a code review, but I did run it to see what it found.
In the case of running it as root, it is not looking in /home/* for passwords, just /etc and /root
I know hacking tools are not allowed on OBS, but I argue this is more of an auditing tool in that it lets users know what plain text passwords they have on their system.
I can accept it into security:forensics (which is where it was submitted), but I'd appreciate your feedback as to the appropriateness of this package in security:forensics and/or factory before I do that.
Per the website (http://www.kitploit.com/2015/02/the-lazagne-project-recover-most-common.html) LaZagne can recover passwords from:
====
browsers - firefox, opera
chats - pidgin, jitsi
mails - thunderbird
adminsys - filezilla, environment variables
database - sqldeveloper, squirrel, dbvisualizer
wifi - network manager
wallet - gnome keyring
====
Summary, With openSUSE 13.2 LaZagne was able to retrieve some passwords for filezilla and wireless lans, but the passwords were being stored in plain text.
Thanks Greg
---------- Forwarded message ----------
From: Luigi Baldoni <aloisio@gmx.com>
Date: Wed, Jun 10, 2015 at 3:06 AM
Subject: Request 311390 created by alois (submit security:forensics/LaZagne)
To: Greg Freemyer <Greg.Freemyer@gmail.com>, Marcus Meissner <meissner@suse.com>
Visit https://build.opensuse.org/request/show/311390
Description: Retrieves credentials stored locally.
Actions: - submit home:alois:branches:security:forensics/LaZagne => security:forensics/LaZagne
changes files: --------------
++++++ new changes file: --- LaZagne.changes +++ LaZagne.changes @@ -0,0 +1,17 @@ +------------------------------------------------------------------- +Fri Jun 5 07:37:17 UTC 2015 - aloisio@gmx.com + +- Update to version 0.71: + * Wifi password module from WPA Supplicant implemented (by rpesche) + +------------------------------------------------------------------- +Sat May 30 12:01:35 UTC 2015 - aloisio@gmx.com + +- Update to version 0.7: + * Fix mozilla bug (special characters were not printed) + +------------------------------------------------------------------- +Wed May 27 11:50:21 UTC 2015 - aloisio@gmx.com + +- Initial version 0.6 +
new: ---- LaZagne-0.71.tar.bz2 LaZagne.changes LaZagne.spec
spec files: -----------
++++++ new spec file: --- LaZagne.spec +++ LaZagne.spec 
@@ -0,0 +1,74 @@ +# +# spec file for package LaZagne +# +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# + +Name: LaZagne +Version: 0.71 +Release: 0 +Summary: Python tool to decode locally stored passwords +License: GPL-3.0 +Group: Development/Languages/Python +Url: https://github.com/AlessandroZ/LaZagne +Source0: %{name}-%{version}.tar.bz2 +BuildRequires: fdupes +BuildRequires: python-devel +Requires: dbus-1-python +Requires: python-argparse +Requires: python-kde4 +Requires: python-pyasn1 +Requires: python-pycrypto +BuildArch: noarch + +%description +LaZagne is an open source tool to retrieve and decode +credentials stored on your computer. + +%prep +%setup -q + +%build + +%install +pushd Linux/src +mkdir -p %{buildroot}%{python_sitelib}/%{name} +sed -e 's|^# !/|#!/|' -i LaZagne.py +cp LaZagne.py* %{buildroot}%{python_sitelib}/%{name} +cp -a config %{buildroot}%{python_sitelib}/%{name} +cp -a softwares %{buildroot}%{python_sitelib}/%{name} +popd + +pushd %{buildroot}%{python_sitelib}/%{name}/ +%py_compile . +popd + +mkdir -p %{buildroot}%{_bindir} +pushd %{buildroot}%{_bindir} +ln -s %{python_sitelib}/%{name}/%{name}.py . 
+chmod +x %{buildroot}%{python_sitelib}/%{name}/%{name}.py +popd + +%fdupes -s %{buildroot} + +%files +%defattr(-,root,root) +%doc CHANGELOG LICENSE README.md +%dir %{python_sitelib}/%{name} +%{_bindir}/%{name}.py +%{python_sitelib}/%{name}/%{name}.py* +%{python_sitelib}/%{name}/config +%{python_sitelib}/%{name}/softwares + +%changelog
other changes: --------------
++++++ LaZagne-0.71.tar.bz2 (new)
To REVIEW against the previous version: osc request show --diff 311390
To ACCEPT the request: osc request accept 311390 --message="reviewed ok."
To DECLINE the request: osc request decline 311390 --message="declined for reason xyz (see ... for background / policy / ...)."
To REVOKE the request: osc request revoke 311390 --message="retracted because ..., sorry / thx / see better version ..."
-- Configure notifications at https://build.opensuse.org/user/notifications openSUSE Build Service (https://build.opensuse.org/)
Definitely a good auditing tool to have and security:forensics has my vote for putting it in.
-- --Moby
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin
On Wed, Jun 10, 2015 at 6:49 PM, Moby <moby@mobsternet.com> wrote:
On 06/10/2015 04:25 PM, Greg Freemyer wrote:
All,
The below SR is for a new to OBS password recovery tool (LaZagne).
From what I've seen all it does is look for plain text passwords that the user has visibility to if they knew where to look and present them. I have not done a code review, but I did run it to see what it found.
In the case of running it as root, it is not looking in /home/* for passwords, just /etc and /root
I know hacking tools are not allowed on OBS, but I argue this is more of an auditing tool in that it lets users know what plain text passwords they have on their system.
I can accept it into security:forensics (which is where it was submitted), but I'd appreciate your feedback as to the appropriateness of this package in security:forensics and/or factory before I do that.
Per the website (http://www.kitploit.com/2015/02/the-lazagne-project-recover-most-common.html) LaZagne can recover passwords from:
====
browsers - firefox, opera
chats - pidgin, jitsi
mails - thunderbird
adminsys - filezilla, environment variables
database - sqldeveloper, squirrel, dbvisualizer
wifi - network manager
wallet - gnome keyring
====
Summary, With openSUSE 13.2 LaZagne was able to retrieve some passwords for filezilla and wireless lans, but the passwords were being stored in plain text.
Thanks Greg
<snip>
Definitely a good auditing tool to have and security:forensics has my vote for putting it in.
-- --Moby
LaZagne is now in security:forensics if anyone wants to try it out.
From what I've seen, if it can retrieve a password you should consider the password easily recovered because it doesn't try very hard.
As noted before I ran it as myself, root, and a brand new user. It alerted me to a couple plain text passwords I had stored, so it was useful from that perspective.
Greg
Sent from my BlackBerry 10 smartphone.
participants (3): Greg Freemyer, Moby, Richard Cochius