SecPapers
Discovering passwords in memory Mar 13 2004 05:19AM
Abhishek Kumar (abhishek kumar paladion net)
Hi All,

We have released a paper on "Discovering passwords in memory" that
discusses the dangers of using plain text passwords in memory. The
vulnerability is not new, but we are seeing this in several major
applications today and would like to bring the community's attention to
it. We hope this paper will show how easy it is to exploit this
vulnerability, and encourage developers to take care of this.

A section from the paper is quoted below:

"While servers and applications store passwords encrypted or in digest
form in the hard disk, we have seen several instances when such
encryption is not applied while storing passwords in memory. Frequently
access to memory is not restricted based on privilege levels. Thus
attackers with local access to the system can read the memory and
extract passwords. Using a memory viewer they can locate a specific
process in memory and read its contents that can include passwords.
These passwords could be an administrator password for a server, a user
password for an application, or a database login password. Once a
password is discovered attackers could escalate their privileges in the
application. Thus any application that uses password for authentication
could be vulnerable if it leaves the password unencrypted in memory."

The full paper is available for download at:
http://www.paladion.net/papers/Discovering_Passwords_In_Memory.pdf As
we are concurrently working with the vendors to fix the problem, the
paper does not name the applications that are affected.

Thanks,
Abhishek

Abhishek Kumar
Paladion Networks
http://www.paladion.net

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus