Re: [Full-disclosure] Google Talk cleartext credentials in process memory
From: Kurt Grutzmacher (grutz_at_jingojango.net)
Date: 11/30/05
- Previous message: Mike Klein: "Re: [Full-disclosure] Paypal phishing attempt"
- In reply to: Nasko Oskov: "Re: [Full-disclosure] Google Talk cleartext credentials in process memory"
- Next in thread: Brian Dessent: "Re: [Full-disclosure] Google Talk cleartext credentials in processmemory"
- Reply: Brian Dessent: "Re: [Full-disclosure] Google Talk cleartext credentials in processmemory"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 29 Nov 2005 19:06:37 -0800 To: full-disclosure@lists.grok.org.uk
Nasko Oskov wrote:
>If you want to protect the credentials in memory from dumps that go to
>Microsoft, why not use CryptProtectMemory() instead of home-grown
>obfuscation? This function encrypts the memory with a key that changes
>over reboots, so even if you send a dump to MS, they wouldn't know how
>to decrypt it.
>
>
We have a long list of applications that store credentials cleartext in
memory. I can only remember a few but it's stuff like Google Talk,
PuTTY's SSH Key Agent, Lotus Sametime, .net apps, even XPsp0/1 and the
old Novell GINA.
While the attack method of "sending a trojan that grabs this stuff" is
an easy one to make, lets look at this from the perspective of an inside
attacker who gains control of an administrator's workstation. It would
be easier for the attacker to pull the password from memory and use it
rather than placing the trojan, waiting for it to be executed, getting
the result, etc. All that code laying around is just waiting to be
caught. If they pull the credentials from some running process there's
NO interraction required and no waiting around for the keylogger to get
caught.
Sure a REALLY GOOD attacker would backdoor the system but again, the
more traces you leave the more you're begging to be caught.
We as security freaks have hounded and hounded on using secure methods
to transport credentials. NTLMv2, SSL, SSH, etc. etc. We also have asked
that applications not store our passwords in the clear either. MD5, DES,
AES, etc. These are things that we could solve with a bit of programming
and harrassment. Now it's time for local applications to get the hint as
well. If you only need the password once to log in to the server with,
clear out the freaking memory as soon as possible.
If you need to resend credentials then use some sort of a session key
that will expire or be refreshed.
Just stop keeping our secrets laying around in the "open." That's all we
ask.
grutz;
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- Previous message: Mike Klein: "Re: [Full-disclosure] Paypal phishing attempt"
- In reply to: Nasko Oskov: "Re: [Full-disclosure] Google Talk cleartext credentials in process memory"
- Next in thread: Brian Dessent: "Re: [Full-disclosure] Google Talk cleartext credentials in processmemory"
- Reply: Brian Dessent: "Re: [Full-disclosure] Google Talk cleartext credentials in processmemory"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
