Re: [Full-disclosure] Google Talk cleartext credentials in process memory
From: Nasko Oskov (nasko_at_netsekure.org)
Date: 11/29/05
- Previous message: Bernhard Mueller: "Re: [Full-disclosure] Webmin miniserv.pl format string vulnerability"
- In reply to: Jaroslaw Sajko: "Re: [Full-disclosure] Google Talk cleartext credentials in process memory"
- Next in thread: Jaroslaw Sajko: "Re: [Full-disclosure] Google Talk cleartext credentials in process memory"
- Reply: Jaroslaw Sajko: "Re: [Full-disclosure] Google Talk cleartext credentials in process memory"
- Reply: Georgi Guninski: "Re: [Full-disclosure] Google Talk cleartext credentials in process memory"
- Reply: Kurt Grutzmacher: "Re: [Full-disclosure] Google Talk cleartext credentials in process memory"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 29 Nov 2005 13:11:47 -0500
To: Jaroslaw Sajko <sloik@parareal.net>
On Tue, Nov 29, 2005 at 11:57:00AM +0100, Jaroslaw Sajko wrote:
> pagvac wrote:
> > Jaroslaw,
> >
> > thanks for your post. You're right, the same issue occurs in *many*
> > applications. However, any vendor that is serious about security will
> > at least attempt to obfuscate the credentials in memory (IMHO).
>
> Thanks for your post too. I think you're right that obfuscation can help
> in some cases. Sometimes the plaintext credentials go to Microsoft
> as part of the crash report. Then, if the credentials are obfuscated
> in a correct way, we can prevent Microsoft from collecting our
> credentials. To prevent an attacker from reading credentials from a
> process memory dump we need a more complicated mechanism (the dump
> contains all data & code). Therefore the cost of implementing the correct
> obfuscation might be incomparable with the risk of the credentials being
> lost in such a manner. That's why I think the obfuscation isn't necessary. But
> this is of course only my opinion:]
If you want to protect the credentials in memory from dumps that go to
Microsoft, why not use CryptProtectMemory() instead of home-grown
obfuscation? This function encrypts the memory with a key that changes
over reboots, so even if you send a dump to MS, they wouldn't know how
to decrypt it.
--
Nasko Oskov
"A hacker does for love what others would not do for money."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
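Using CryptProtectMemory() the way Nasko suggests, as an added example that is not code from this thread: the buffer length must be rounded up to CRYPTPROTECTMEMORY_BLOCK_SIZE, the credential is decrypted only for the call that needs it and re-encrypted right after, and anything the API rejects is wiped rather than left in cleartext. The padding helper is the only portable part; the Windows-only functions assume a build linked against crypt32.lib (cl cred_mem.c crypt32.lib, or gcc ... -lcrypt32) and return failure elsewhere.

```c
/* Keeping a credential encrypted in process memory with DPAPI's
 * CryptProtectMemory(), so a crash dump holds only ciphertext. */
#include <stddef.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#endif

/* CryptProtectMemory() requires cbData to be a multiple of
 * CRYPTPROTECTMEMORY_BLOCK_SIZE (16 bytes); round the length up. */
#define CRED_BLOCK 16u
size_t cpm_padded_len(size_t n) {
    return (n + CRED_BLOCK - 1) / CRED_BLOCK * CRED_BLOCK;
}

/* Copy a NUL-terminated password into a zero-padded, block-aligned buffer
 * and encrypt it in place. Returns the padded length, or 0 on failure. */
size_t protect_credential(const char *plain, unsigned char *buf, size_t cap) {
    size_t n = strlen(plain) + 1;           /* keep the terminator */
    size_t padded = cpm_padded_len(n);
    if (padded > cap) return 0;
    memset(buf, 0, padded);
    memcpy(buf, plain, n);
#ifdef _WIN32
    /* SAME_PROCESS: the key is held by the OS, not in this address space,
     * and does not survive a reboot, so a dump shipped off-box is useless. */
    if (!CryptProtectMemory(buf, (DWORD)padded, CRYPTPROTECTMEMORY_SAME_PROCESS)) {
        SecureZeroMemory(buf, padded);      /* never leave plaintext behind */
        return 0;
    }
    return padded;
#else
    memset(buf, 0, padded);                 /* no DPAPI here: refuse */
    return 0;
#endif
}

/* Decrypt only for the moment the credential is needed, hand it to the
 * caller's callback, then re-encrypt so the plaintext window stays short. */
int use_credential(unsigned char *buf, size_t padded, int (*cb)(const char *)) {
#ifdef _WIN32
    if (!CryptUnprotectMemory(buf, (DWORD)padded, CRYPTPROTECTMEMORY_SAME_PROCESS))
        return 0;
    int rc = cb((const char *)buf);
    CryptProtectMemory(buf, (DWORD)padded, CRYPTPROTECTMEMORY_SAME_PROCESS);
    return rc;
#else
    (void)buf; (void)padded; (void)cb;
    return 0;
#endif
}
```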