Vulnerability Development mailing list archives

PGP 7.x with Outlook will give your passphrase in CLEAR


From: "Adonis.No.Spam" <adonis1 () videotron ca>
Date: Thu, 28 Mar 2002 19:10:53 -0500


          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          ...................................................
                           .---------------.
                          /    NtWaK0 Bugs  \
+-----------------------------------------------------------------------.
                                                                        :
Affected    : PGP 7.x with Outlook will give your passphrase in CLEAR   :
Type        : Passphrase DUMP in CLEAR TEXT                             :
Date        : 28-03-2002                                                :
Author      : NtWaK0 @ www.SafeHack.com                                 :
+-----------------------------------------------------------------------.

+--------------------------------------------.
 Outlook and PGP give out a clear Passphrase  \
+----------------------------------------------`------------------------.
                                                                        :
+-----------.                                                           :
 Disclaimer  \                                                          :
+-------------`---------------------------------------------------------.
The information in this advisory is believed to be true based on        :
experiments though it may be false. The opinions expressed in this      :
advisory and program are my own and NOT of any company.                 :
In fact, I do not work for anyone at the present time.                  :
                                                                        :
This material is presented for informational and entertainment purposes :
only, and to satisfy the curious. Any activities described in this file :
which involve vandalism, theft, or any other illegal activities are     :
recounted from third-party conversations. I do not condone or encourage :
vandalism or theft. I do not accept any liability for anything anyone   :
does with this information.                                             :
Remember: Use a computer in ways that ensure respect for your fellows.  :
                                                                        :
   [  Brief History . . . . . . . . . . . . . . . . . . . .  line 43   ]:
                                                                        :
   [  Outlook and PGP give out a clear Passphrase  . . . . . line 78   ]:
                                                                        :
   [  The Solution . . . . . . . . . . . . . . . . . . . . . line 112  ]:
                                                                        :
   [  Technical details / Logs . . . . . . . . . . . . . . . line 127  ]:
                                                                        :
+-------------.                                                         :
 Brief History \                                                        :
+---------------`-------------------------------------------------------.
I feel it is important enough to mention this issue to PGP users.       :
The problem is very important if you use PGP and you care about your    :
PASSPHRASE.                                                             :
NOTE: DO NOT THINK YOU ARE THE ONLY ONE WHO KNOWS A BIG PASSPHRASE:     :
DR.WATSON KNOWS IT TOO -:)                                              :
                                                                        :
Who is affected:                                                        :
+---------------                                                        :
+PGP users with OUTLOOK                                                 :
                                                                        :
Conditions to replicate the problem:                                    :
+-----------------------------------                                    :
+PGP 7.x or older                                                       :
+Outlook 2000 (Outlook XP may be affected too)                          :
+Test machine: Windows 2000 Professional; I did not test YET on NT.     :
+Be able to crash OUTLOOK while you SIGN a Mail                         :
                                                                        :
Results of the problem:                                                 :
+----------------------                                                 :
                                                                        :
+Getting the user(s) passphrase(s) in clear text                        :
+Very bad if the user machine is not protected and Dr.Watson is readable:
+Very bad if the machine is shared and you have access to drwtsn32.log  :
By default everyone can read at least drwtsn32.log, located in:         :
                                                                        :
For Windows 2000                                                        :
C:\Documents and Settings\All Users\Documents\DrWatson\drwtsn32.log     :
                                                                        :
For NT                                                                  :
C:\Winnt\System32\drwtsn32.log                                          :
(These are the default install paths.)                                  :
                                                                        :
+-----------.                                                           :
 The Problem \                                                          :
+-------------`---------------------------------------------------------.
                                                                        :
I was sending a mail with a .pdf file attached. I clicked Sign & Send in:
Outlook 2000, got a memory error, and Outlook crash-dumped on me. ;(    :
After waiting for the memory dump to finish, I opened drwtsn32.log just :
to see what was wrong. To my surprise I saw my PASSPHRASE in clear. I   :
was like, hmm, a passphrase must be only in our heads, not on paper or  :
anywhere else.                                                          :
                                                                        :
After thinking a bit about this issue I found it very bad, and here is  :
why. If someone other than you can access your drwtsn32.log, and if you :
have ever crashed Outlook while signing a mail, the chances are they    :
will get your passphrase in clear if they snoop in your drwtsn32.log.   :
                                                                        :
Having the passphrase in clear is pretty bad, just think about it for   :
5 min and think how PGP/Keys work.                                      :
                                                                        :
QUOTE: "About Passphrases From SANS (GSEC)"                             :
+-------------------------------------------                            :
"The passphrase needs to be just that: a phrase. Use a sentence that you:
can remember. Use spaces and punctuation as appropriate. Use some       :
non-alphanumeric data in addition to proper punctuation."               :
                                                                        :
All that is a cool and nice security standard that you SHOULD follow,   :
but whatever passphrase you use, it will be in clear when the crash     :
happens.                                                                :
                                                                        :
The larger your passphrase, the harder it is to guess and break when    :
attacks against your public key are undertaken. It is also much easier  :
to remember a passphrase than a password, and it is much more secure    :
(as brute force attacks now have to take into account punctuation and   :
spaces between words).                                                  :
+--- END QUOTE---                                                       :
                                                                        :
+------------.                                                          :
 The Solution \                                                         :
+--------------`--------------------------------------------------------.
                                                                        :
+ Do not crash your Applications :)                                     :
+ Wait for a fix from the vendor                                        :
+ Delete drwtsn32.log manually, or schedule a job to do so every week or:
any time you like. Deleting drwtsn32.log is a good idea since it        :
contains sensitive information. On the other hand it also contains      :
information that helps you debug your system.                           :
I suggest you make a backup copy of the file, keep it encrypted in a    :
safe place, and then delete it from your hard disk.                     :
                                                                        :
Or you can use AT and a batch file to delete drwtsn32.log at a specific :
date or time.                                                           :
+------------------------.                                              :
 Technical details / Logs \                                             :
+--------------------------`--------------------------------------------.
                                                                        :
                                                                        :
function: TranslateMessageEx
77e1323a 0f8500c40200     jne     EnumDesktopWindows+0xd88 (77e3f640)
77e13240 33c0             xor     eax,eax
77e13242 c20800           ret     0x8
77e13245 ff742408         push    dword ptr [esp+0x8] ss:043bd52b=??
77e13249 51               push    ecx
77e1324a e8b7370000       call    GetKeyState+0x92 (77e16a06)
77e1324f ebf1             jmp     DialogBoxIndirectParamAorW+0x6ba (77e1eb42)
77e13251 b89a110000       mov     eax,0x119a
77e13256 8d542404         lea     edx,[esp+0x4] ss:043bd52b=?
77e1325a cd2e             int     2e
77e1325c c21000           ret     0x10

*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Function Name
0370FF78 77575C36 0370FF98 00000000 00000000 00000000 user32!TranslateMessageEx
0370FFB4 77E8758A 0000047C 77595428 0006F204 0000047C winmm!midiOutGetNumDevs
0370FFEC 00000000 77575BB9 0000047C 00000000 037100A0 kernel32!SetFilePointer

*----> Raw Stack Dump <----*
0370ff58  63 58 e1 77 98 ff 70 03 - 00 00 00 00 00 00 00 00  cX.w..p.........
0370ff68  00 00 00 00 7c 04 00 00 - 00 00 00 00 27 58 e1 77  ....|.......'X.w
0370ff78  b4 ff 70 03 36 5c 57 77 - 98 ff 70 03 00 00 00 00  ..p.6\Ww..p.....
0370ff88  00 00 00 00 00 00 00 00 - 28 54 59 77 04 f2 06 00  ........(TYw....
0370ff98  20 20 32 81 ff ff ff ff - 77 0d 43 80 00 00 00 00    2.....w.C.....
0370ffa8  00 00 00 00 00 00 00 00 - 7b 10 43 80 ec ff 70 03  ........{.C...p.
0370ffb8  8a 75 e8 77 7c 04 00 00 - 28 54 59 77 04 f2 06 00  .u.w|...(TYw....
0370ffc8  7c 04 00 00 00 f0 fa 7f - 00 00 57 77 c0 ff 70 03  |.........Ww..p.
0370ffd8  00 00 57 77 ff ff ff ff - 5b 61 e8 77 80 b5 e8 77  ..Ww....[a.w...w
0370ffe8  00 00 00 00 00 00 00 00 - 00 00 00 00 b9 5b 57 77  .............[Ww
0370fff8  7c 04 00 00 00 00 00 00 - a0 00 71 03 00 00 00 00  |.........q.....
03710008  03 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
03710018  00 00 00 00 00 00 00 00 - a0 00 71 03 00 00 71 03  ..........q...q.
03710028  02 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
03710038  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
03710048  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
03710058  00 00 00 00 00 00 00 00 - a0 07 e4 01 6b 00 00 00  ............k...
03710068  46 47 55 42 00 00 00 00 - PASSPHRASEVALUEISHEREPA  FGUB....PASSPHRA
03710078  PASSPHRASEVALUEISHEREPA - PASSPHRASEVALUEISHEREPA  ASEVALUESISHEREP
03710088  7d 40 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  AS..............
                                                                        :
Note that the PASSPHRASE is in CLEAR TEXT.                              :
+------------.                                                          :
 The Solution \                                                         :
+--------------`--------------------------------------------------------.
Before you save a page, make sure you check the source. Yes, it is not  :
the best way, but at least you know what you are expecting.             :
+-----------------------------------------------------------------------.
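As an added example, not part of the advisory: a small Python scanner that rebuilds the memory bytes from Dr. Watson "Raw Stack Dump" lines in the layout shown above and lists the printable strings they contain, which is the check an administrator can run over drwtsn32.log before leaving it world-readable on a shared machine. The dump text below is constructed for this example (made-up bytes spelling a fake secret), and the line layout is assumed to be the one in the log above.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample in the Dr. Watson "Raw Stack Dump" layout shown in the
# advisory (address, 8 hex bytes, " - ", 8 hex bytes, ASCII column). The byte
# values are made up and spell a fake secret; they are not from a real crash.
SAMPLE_DUMP = """\
*----> Raw Stack Dump <----*
03710058  00 00 00 00 00 00 00 00 - a0 07 e4 01 6b 00 00 00  ............k...
03710068  46 47 55 42 00 00 00 00 - 6d 79 20 73 65 63 72 65  FGUB....my secre
03710078  74 20 70 61 73 73 70 68 - 72 61 73 65 00 00 00 00  t passphrase....
03710088  7d 40 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  }@..............
"""

# One dump line: address, 8 bytes, "-", 8 bytes. Whatever follows (the ASCII
# column, or nothing when an archive wrapped it onto the next line) is ignored.
DUMP_LINE = re.compile(
    r"^([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F]{2}\s+){8})-\s+((?:[0-9a-fA-F]{2}\s*){8})"
)

def parse_raw_stack_dump(text: str) -> Tuple[int, bytes]:
    """Rebuild the contiguous memory image; returns (base address, bytes)."""
    base: Optional[int] = None
    mem = bytearray()
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if m:  # headers, back-trace and redacted lines do not match: skipped
            base = int(m.group(1), 16) if base is None else base
            mem += bytes.fromhex(m.group(2) + m.group(3))
    return (base or 0), bytes(mem)

def printable_runs(text: str, min_len: int = 8) -> List[Tuple[int, str]]:
    """(address, string) for each run of printable ASCII >= min_len bytes."""
    base, mem = parse_raw_stack_dump(text)
    runs, start = [], None
    # A passphrase typed into a dialog sits in memory as exactly such a run.
    for i, b in enumerate(mem + b"\x00"):  # sentinel closes a trailing run
        if 0x20 <= b < 0x7F:
            start = i if start is None else start
        elif start is not None:
            if i - start >= min_len:
                runs.append((base + start, mem[start:i].decode("ascii")))
            start = None
    return runs

def find_secret(text: str, secret: str) -> Optional[int]:
    """Address at which `secret` appears in the reconstructed image, else None."""
    base, mem = parse_raw_stack_dump(text)
    idx = mem.find(secret.encode("ascii"))
    return base + idx if idx >= 0 else None
```

Running printable_runs over a real drwtsn32.log lists every readable string the crash captured, so the file can be reviewed (or encrypted and removed, as suggested above) before anyone else on the machine reads it.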
