Archive for February, 2012

GNOME @ FOSDEM2012

Thursday, February 16th, 2012

It’s that time around again and FOSDEM happened in Brussels, Belgium. Probably the biggest gathering of Free Software people was a lot colder than last year. It was covered in snow. So badly, that we had big troubles coming into Brussels. It took us almost twice as long to arrive as usual. The streets were packed with cars suffering from the severe conditions.

But all that didn’t stop us (GNOME that is) from having a nice presence. If you know FOSDEM you’d expect the booth to be in a packed and smelly area because all the people try to move along in the tiny hallway. But this year was different because we got a spacious place in a new building. That was cool, because it gave us much more area to move than usual but unfortunately it made the conference much more disconnected as there was yet another building involved. I didn’t even try to visit each and everything.

Anyway, from what I’ve seen, we had quite a good stand. Our friends from OpenSuSE received the most attention though. Rightfully so. Not only because they had almost free beer and nearly free other goodies, but because they had nice hardware, nice demos and nice people to present. Fortunately, we were located just next to our friends from KDE which enabled us to chit chat with well known people and to plan conspiracies for upcoming conferences in 2013. So stay tuned for that.

With the help of local GNOME people, we had our EventsBox which is well equipped. But well, since we had only one Box, we weren’t as well equipped as last time at LinuxTag. We had loads of T-Shirts from the Desktop Summit though which we tried to sell. I especially like the name tags we had. Somebody just got them printed so we looked much more inviting, I guess. Also cool were the posters that we got provided so we could pimp the glass wall behind us. It’s cool that we have people that provide such things just like that. We didn’t have the appropriate tools to handle the posters well. We used regular adhesive tape (which we ran out of in the middle of the day) which kinda destroys the posters. From our KDE friends we got some “blue-tac” or “patafix” which was really really great. Apparently it’s well known in the western end of Europe. I didn’t know it at all, but I now know that we definitely want to have this for the next time.

We also didn’t have blank sheets of paper to write stuff on which was a bit annoying. But well, we didn’t have markers either so we needed to get both first before being able to inform the people about the t-shirt prices.

Needless to say that our demo machine got upgraded to the latest Fedora and that that broke at least the web-cam. I mean it was supported in the last Fedora version so it’d be boring if it was supported now, too. But the Fedora people had a nice gimmick to give away: A cheat cube which is just a well cut piece of paper that you can fold up to build a cube. You’re supposed to put that on your desk and use it to retrieve information quickly. I was wondering whether we could make something like that for GNOME Shell. Oh and while we’re at it: Many folks had roll-up displays which look very nice. They are around 1m wide and 2m high and you can have your big design on it. It doesn’t cost all too much but we’d need a proper motif first. So if you have any idea, feel free to discuss that in the wiki. And another thing that was annoying were our flyers. While it’s good that we had some, they were quite outdated. So we badly need some flyer material. Again, in the wiki is the place to show up.

So a big big thanks to the folks that helped out at the booth to make it rock. I hope we can make it work next year again.

There was also, again, a massive keysigning going on and I have to drop a quick rant about all that mess. caff on Fedora is kinda weird. It seems like the defaults in the man page don’t match the code, i.e. keyserver defaults to a different server than the man page states. And very annoying: It’s also different from GPG settings! So while trying to use caff it failed downloading the keys. I guess the server just hit a timeout or blocked my request altogether because it’s so many keys (/.-)
After having that sorted out, gpg asked to hit “y” all the time whether I was sure to sign the keys. Goddamnit. It’s about 100 keys and I sign with 4 private keys or so. Now I have to press 800 keys to get the fork()ing keys signed and mailed. Jesus Christ. It’s fricking 2012 and not 1972 anymore. I just want to conveniently sign the whole damn thing and not buy a new keyboard after each FOSDEM. Not only because I have to type so many keys but also because I feel the urge to smash it into someone’s face. But not only did I need some shell-fu to get the keys imported, I also needed to fiddle the fingerprints of the official key list because caff wouldn’t accept the fingerprints. The format though, is the format gpg uses to display fingerprints… So I had to do something like

cat /tmp/ksp.txt | tr -d ' ' | tr '\n' ' '

to get the proper format… And yeah, I’ll patch everything.. tomorrow…

Although I haven’t seen much of Brussels this time, I liked it being covered in snow and ice. I hope to be able to get more out of Brussels next time, especially improve my French ;-) So yeah, I’m looking forward to next year.

Dump Firefox passwords using Python (and libnss)

Friday, February 3rd, 2012

I was travelling and I didn’t have my Firefox instance on my laptop. I wanted, however, to access some websites and the passwords were stored safely in my Firefox profile at home. Needless to say that I don’t upload my passwords to someone’s server. Back in the day, when I first encountered that problem, there were only ugly options to run the server yourself. Either some PHP garbage or worse: some Java Webapp. I only have so many gigabytes of RAM so I didn’t go that route. FWIW: Now you have a nice Python webapp and it might be interesting to set that up at some stage.

I could have copied the profile to my laptop and then run Firefox with that profile. But as I use Zotero my profile is really big. And it sounds quite insane, because I only want to get hold of my 20 byte password, and not copy 200MB for that.

Another option might have been to run the Firefox remotely and do X-forwarding to my laptop. But that’d be crucially slow and I thought that I was suffering enough already.

So. I wanted to extract the passwords from the Firefox profile at home. It’s my data after all, right? Turns out that Firefox (and Thunderbird for that matter) store their passwords encrypted in a SQLite database. So the database itself is not necessarily encrypted, but the contained data is. Turns out later that you can as well encrypt the database (to then store encrypted passwords).

So a sample line in that database looks like this:

$ sqlite3 signons.sqlite 
SQLite version 3.7.11 2012-03-20 11:35:50
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .schema
CREATE TABLE moz_deleted_logins (id                  INTEGER PRIMARY KEY,guid                TEXT,timeDeleted         INTEGER);
CREATE TABLE moz_disabledHosts (id                 INTEGER PRIMARY KEY,hostname           TEXT UNIQUE ON CONFLICT REPLACE);
CREATE TABLE moz_logins (id                 INTEGER PRIMARY KEY,hostname           TEXT NOT NULL,httpRealm          TEXT,formSubmitURL      TEXT,usernameField      TEXT NOT NULL,passwordField      TEXT NOT NULL,encryptedUsername  TEXT NOT NULL,encryptedPassword  TEXT NOT NULL,guid               TEXT,encType            INTEGER, timeCreated INTEGER, timeLastUsed INTEGER, timePasswordChanged INTEGER, timesUsed INTEGER);
CREATE INDEX moz_logins_encType_index ON moz_logins(encType);
...
...
sqlite> SELECT * FROM moz_logins LIMIT 2;
1|https://nonpublic.foo.bar|Non-Pulic Wiki||||MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECFKoZIhvcNAwcECFKoZIhvcNAwcECF|MDIEEPgAAAAAAAAAAAAAACJ75YchXUCAAAAAEwFAYIKoZIhvcNAwcE==|{4711r2d2-2342-4711-6f00b4r6g}|1|1319297071173|1348944692451|1319297071173|6
2|https://orga.bar.foo|ToplevelAuth||||MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECIy5HFAYIKoZIhtnRFAYIKoZIh|MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvFAYIKoZIhBD6PFAYIKoZIh|{45abc67852-4222-45cc-dcc1-729ccc91ceee}|1|1319297071173|1319297071173|1319297071173|1
sqlite> 

You see the columns you’d more or less expect but you cannot make sense out of the actual data.

If I read correctly, some form of 3DES is used to protect the data. But I couldn’t find out enough to decrypt it myself. So my idea then was to reuse the actual libraries that Firefox uses to read data from the database.
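The stored values describe themselves: each one is base64 over a small DER structure that names its cipher by OID. As an added example (not from the original post or the linked tool), this parser splits such a value into key ID, cipher OID, IV and ciphertext length without decrypting anything. It assumes the three-field layout that NSS writes for these columns (key ID, algorithm identifier, ciphertext); the sample blob is constructed, not taken from a real profile.

```python
import base64

DES_EDE3_CBC = "1.2.840.113549.3.7"  # OID for 3DES in CBC mode

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value bytes, next position)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode DER OID content octets into dotted notation."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for octet in body[1:]:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:  # high bit clear marks the last octet of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_login_blob(b64):
    """Split an encryptedUsername/encryptedPassword value into its fields."""
    der = base64.b64decode(b64)
    tag, outer, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag_k, key_id, pos = read_tlv(outer, 0)      # OCTET STRING: key identifier
    tag_a, alg, pos = read_tlv(outer, pos)       # SEQUENCE: cipher OID + IV
    tag_c, ciphertext, pos = read_tlv(outer, pos)  # OCTET STRING: ciphertext
    tag_o, oid, p2 = read_tlv(alg, 0)
    tag_i, iv, _ = read_tlv(alg, p2)
    if (tag_k, tag_a, tag_c, tag_o, tag_i) != (0x04, 0x30, 0x04, 0x06, 0x04):
        raise ValueError("unexpected element types")
    return {"key_id": key_id.hex(), "cipher_oid": decode_oid(oid),
            "iv": iv.hex(), "ciphertext_len": len(ciphertext)}

# Constructed sample blob: fixed key ID, 3DES-CBC OID, dummy IV and ciphertext.
SAMPLE = base64.b64encode(bytes.fromhex(
    "303a" "0410" "f8000000000000000000000000000001"
    "3014" "0608" "2a864886f70d0307" "0408" "0102030405060708"
    "0410" + "aa" * 16)).decode()
```

The constructed sample encodes to the same `MDoEEPgAAAA…EwFAYIKoZIhvcNAwcE…` prefix visible in the rows above, which is why every stored value starts alike: the key ID and cipher OID are identical and only the IV and ciphertext differ.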

I first tried to find examples in the Firefox code and found pwdecrypt. And I even got it built after a couple of hours wrestling with the build system. It’s not fun. You might want to try to get hold of a binary from your distribution.

So my initial attempt was to call out to that binary and parse its output. That worked well enough, but was slow. Also not really elegant and you might not have or not be able to build the pwdecrypt program. Also, it’s a bit stupid to use something different than the actual Firefox. I mean, the code doing the necessary operations is already on your harddisk, so it seems much smarter to reuse that.

Turns out, there is ffpwdcracker to decrypt passwords using libnss. It’s not too ugly using Python’s ctypes. So that’s a way to go. And in fact, it works well enough, after cleaning up loads of things.

Example output of the session is here:


$ python firefox_passwd.py | head
FirefoxSite(id=1, hostname=u'https://nonpublic.foo.bar', httpRealm=u'Non-Pulic Wiki', formSubmitURL=None, usernameField=u'', passwordField=u'', encryptedUsername=u'MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECFKoZIhvcNAwcECFKoZIhvcNAwcECF', encryptedPassword=u'MDIEEPgAAAAAAAAAAAAAACJ75YchXUCAAAAAEwFAYIKoZIhvcNAwcE==', guid=u'{4711r2d2-2342-4711-6f00b4r6g}', encType=1, plain_username='wikiuser', plain_password='mypass')
FirefoxSite(id=2, hostname=u'https://orga.bar.foo', httpRealm=u'ToplevelAuth', formSubmitURL=None, usernameField=u'', passwordField=u'', encryptedUsername=u'MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECIy5HFAYIKoZIhtnRFAYIKoZIh', encryptedPassword=u'MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvFAYIKoZIhBD6PFAYIKoZIh', guid=u'{45abc67852-4222-45cc-dcc1-729ccc91ceee}', encType=1, plain_username='suspect', plain_password='susicious')

The file is here: https://hg.cryptobitch.de/firefox-passwords/

It has also been extended to work with Thunderbird and, the bigger problem, with encrypted databases. I couldn’t really find out how that works. I read some code, especially the above mentioned pwdecrypt program, but couldn’t reimplement it, because I couldn’t find the functions used in the libraries I had. At some stage, I just explained the problem to a friend of mine and while explaining and documenting which things didn’t work, I accidentally found a solution \o/ So now you can also recover your Firefox passwords from an encrypted storage.