Bugtraq mailing list archives
RE: Pidgin IM Client Password Disclosure Vulnerability.
From: "Memisyazici, Aras" <arasm () vt edu>
Date: Thu, 18 Sep 2008 15:16:18 -0400
Siim: While I agree with your comments, I cannot help but suggest that maybe the method of choice could be 'security through obscurity' whereby they take a hash of the password, with a non-std. hashing mechanism. The idea being that in today's world where there are so many scr1pt-kiddi3 toolz out there allowing the avg. Joe Schmoe the capability of analyzing one's memory processes i.e. Tsearch, memhack etc... It only makes it non-trivial for them to extract the info needed. This way you are making it a tad more annoying and adding another buffer they need to bypass :) Just a thought, Aras 'Russ' Memisyazici Systems Administrator Virginia Tech -----Original Message----- From: Siim Põder <siim () p6drad-teel net> Sent: Thursday, September 18, 2008 12:58 PM To: bugtraq () securityfocus com <bugtraq () securityfocus com> Subject: Re: Pidgin IM Client Password Disclosure Vulnerability. Hi. Aditya K Sood wrote:
The pidgin client inherits client side password disclosure vulnerability. The credentials used to connect to the required service i.e. username and password is not encrypted properly. The credentials
what do you propose? encrypt the password and store the encryption key in memory? encrypt the password and the encryption key and store the encryption key of the encryption key in memory? if your program needs to use a password for pretty much anything, it needs to be in.... you guessed it - memory. a seemingly nice way out is to store the hash of the password in memory and design the service so that you can log in with hash. but once you think about it and realise that in that case password = hash(original_password) you can go straight back to the first paragraph.
can be extracted in clear text by dumping process memory of the live pidgin process when a connection is set. The vulnerability allows anyone with access to the client system to obtain the username and password.
not anyone. anyone with sufficient permissions. have you tried dumping the memory of a process owned by another user? basically, you either need to have access as the user running pidgin, or administrator access.
Additionally, this vulnerability could also be exploited by fooling the user to execute malicious code which would dump the memory of the process "pidgin.exe"..
are you kidding? Siim
Current thread:
- Pidgin IM Client Password Disclosure Vulnerability. Aditya K Sood (Sep 17)
- RE: Pidgin IM Client Password Disclosure Vulnerability. Quark IT - Hilton Travis (Sep 18)
- Re: Pidgin IM Client Password Disclosure Vulnerability. Aditya K Sood (Sep 18)
- RE: Pidgin IM Client Password Disclosure Vulnerability. Quark IT - Hilton Travis (Sep 19)
- Re: Pidgin IM Client Password Disclosure Vulnerability. Aditya K Sood (Sep 18)
- <Possible follow-ups>
- RE: Pidgin IM Client Password Disclosure Vulnerability. Memisyazici, Aras (Sep 18)
- Re: Pidgin IM Client Password Disclosure Vulnerability. John Bailey (Sep 19)
- RE: Pidgin IM Client Password Disclosure Vulnerability. Memisyazici, Aras (Sep 19)
- Re: Pidgin IM Client Password Disclosure Vulnerability. John Bailey (Sep 19)
- Re: Pidgin IM Client Password Disclosure Vulnerability. John Bailey (Sep 19)
- Re: Pidgin IM Client Password Disclosure Vulnerability. Steve Shockley (Sep 19)
- RE: Pidgin IM Client Password Disclosure Vulnerability. Quark IT - Hilton Travis (Sep 18)