Full Disclosure mailing list archives
Re: Google Talk cleartext credentials in process memory
From: Kurt Grutzmacher <grutz () jingojango net>
Date: Tue, 29 Nov 2005 19:06:37 -0800
Nasko Oskov wrote:
We have a long list of applications that store credentials cleartext in memory. I can only remember a few but it's stuff like Google Talk, PuTTY's SSH Key Agent, Lotus Sametime, .net apps, even XPsp0/1 and the old Novell GINA. If you want to protect the credentials in memory from dumps that go to Microsoft, why not use CryptProtectMemory() instead of home-grown obfuscation? This function encrypts the memory with a key that changes over reboots, so even if you send a dump to MS, they wouldn't know how to decrypt it.
While the attack method of "sending a trojan that grabs this stuff" is an easy one to make, let's look at this from the perspective of an inside attacker who gains control of an administrator's workstation. It would be easier for the attacker to pull the password from memory and use it rather than placing the trojan, waiting for it to be executed, getting the result, etc. All that code laying around is just waiting to be caught. If they pull the credentials from some running process there's NO interaction required and no waiting around for the keylogger to get caught.
Sure a REALLY GOOD attacker would backdoor the system but again, the more traces you leave the more you're begging to be caught.
We as security freaks have hounded and hounded on using secure methods to transport credentials. NTLMv2, SSL, SSH, etc. etc. We also have asked that applications not store our passwords in the clear either. MD5, DES, AES, etc. These are things that we could solve with a bit of programming and harassment. Now it's time for local applications to get the hint as well. If you only need the password once to log in to the server with, clear out the freaking memory as soon as possible.
If you need to resend credentials then use some sort of a session key that will expire or be refreshed.
Just stop keeping our secrets laying around in the "open." That's all we ask.
grutz;

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
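A worked illustration of the "clear it out as soon as possible" advice, added here and not part of Kurt's message or any of the applications named in the thread. It shows the one pitfall a practitioner hits when doing this: a plain memset after the last use of a buffer is dead code to the optimiser and can be silently dropped, so the wipe is routed through a volatile function pointer the compiler cannot elide (SecureZeroMemory on Windows and explicit_bzero on glibc/BSD exist for the same reason). The function names and the stand-in login routine are my own.

```c
/* Added example: wipe a credential buffer the moment it has been used.
 * Not code from the thread; function names are illustrative. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Calling memset through a volatile function pointer means the compiler
 * cannot prove the call has no observable effect, so the wipe survives
 * optimisation. A direct memset() right before free()/return may be removed. */
static void *(*const volatile wipe_memset)(void *, int, size_t) = memset;

void secure_wipe(void *p, size_t n) {
    wipe_memset(p, 0, n);
}

/* Returns 1 if every byte of the buffer is zero, 0 otherwise.
 * Uses OR-accumulation so the check takes the same time regardless of content. */
int is_wiped(const unsigned char *p, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) acc |= p[i];
    return acc == 0;
}

/* Stand-in for "send the credential to the server once". In a real client
 * this would be the authentication exchange; here it only reports the length. */
static size_t authenticate_once(const char *password) {
    return strlen(password);
}

/* Use the password exactly once, then wipe the whole buffer (not just
 * strlen() bytes, since earlier longer values may linger past the NUL).
 * Returns 1 when authentication ran and the buffer is verifiably zeroed. */
int login_and_forget(char *password, size_t buflen) {
    size_t used = authenticate_once(password);
    secure_wipe(password, buflen);
    return used > 0 && is_wiped((const unsigned char *)password, buflen);
}

int main(void) {
    char pw[32];
    strcpy(pw, "hunter2-constructed");   /* constructed sample credential */
    int ok = login_and_forget(pw, sizeof pw);
    printf("buffer wiped after use: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

This addresses the window between use and wipe in the process's own image; it does not by itself cover swap, crash dumps taken mid-session, or copies the C runtime or GUI toolkit may have made, which is where the CryptProtectMemory() suggestion quoted above comes in.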