BugTraq
Mac OS X stores login/Keychain/FileVault passwords on disk Jun 25 2004 09:48AM
Matt Johnston (matt ucc asn au) (1 replies)
It seems that Mac OS X (10.3.4 tested) doesn't bother clearing memory
containing sensitive data, or using mlock() to avoid swapping.

A quick grep of the swapfiles will show up various morsels:

rez:~> sudo strings -8 /var/vm/swapfile0 |grep -A 4 -i longname
longname
password
<user's password here>
/bin/zsh
username
---
... various other occurrences follow

Grepping for context around "password" also shows up results, and grepping
for portions of a Keychain password (differing from the login password)
will also get results. It appears that loginwindow is one of the apps involved,
I haven't investigated what else is involved. The amount of memory and usage
patterns of the machine will affect what gets swapped, though loginwindow seems
likely to get swapped early since it is seldom used after login.

Obviously this is only of interest if an attacker has root (or physical)
access to a machine, however it does make FileVault or Keychain encryption
fairly useless. It appears that the swapfiles are removed on shutdown or
startup, though not wiped - pulling the power from a sleeping machine, and/or
booting from CD, would quite easily retrieve the password(s).

Reported to Apple on 21 June, I haven't had any response. It'd be nice if
they at least said "we're taking a look if it's an issue".

Matt

[ reply ]
Re: Mac OS X stores login/Keychain/FileVault passwords on disk Jul 12 2004 09:05AM
Adi Kriegisch (adi cg tuwien ac at) (2 replies)
Re: Mac OS X stores login/Keychain/FileVault passwords on disk Jul 16 2004 11:55AM
Ray Slakinski (ray slakinski gmail com)
Re: Mac OS X stores login/Keychain/FileVault passwords on disk Jul 15 2004 08:01PM
Theo Van Dinter (felicity kluge net) (1 replies)
Re: Mac OS X stores login/Keychain/FileVault passwords on disk Jul 23 2004 08:08AM
Adi Kriegisch (adi cg tuwien ac at)


 

Privacy Statement
Copyright 2010, SecurityFocus