Multiple Windows Applications | Unencrypted Sensitive Information Storage in Memory
CWE-316: Plain-text Storage in Memory
(http://cwe.mitre.org/data/definitions/316.html)
Attack Phase: Post-Exploitation
Activity Class: Sensitive Data Harvesting
1. OVERVIEW
An insecure application development practice is still prevalent in
popular applications: they load sensitive information (e.g. user
credentials) unencrypted into their own process memory. Remote
attackers who have compromised a user's system, or malicious software
running on it, can scan a particular process's memory for that
sensitive information.
2. AFFECTED SOFTWARE
- iTunes (Tested on version: 10.x)
- pfingoTalk (Tested on version: 4.x)
- pidgin (Tested on version: 2.x)
- Tencent QQ (Tested on version: QQ2009 SP3)
- zFTP Server (Tested on version: 2011-04-13)
- FileZilla (Tested on version: 3.x)
- ...
3. PROOF-OF-CONCEPT/EXPLOIT
a) pmdump.exe [Process ID] Process.dump
b) bin_find.py Process.dump [Password/Username]
   or
   strings.exe -a -n 5 Process.dump
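The defender's side of the above, as an added example that is not from the advisory or any of the affected projects: a simulated login copies a credential into an in-process buffer, and a self-check searches that buffer the way a strings/bin_find pass over a dump would. The buffer, the checksum stand-in for "using" the secret, and the wipe helper (a portable stand-in for SecureZeroMemory) are all assumptions of this example.

```c
#include <stddef.h>
#include <string.h>

/* A volatile function pointer stops the compiler from dropping the memset
   as a dead store after the buffer's last use; portable stand-in for
   Windows' SecureZeroMemory or glibc's explicit_bzero. */
static void *(*volatile wipe_fn)(void *, int, size_t) = memset;

static void secure_wipe(void *buf, size_t len) {
    wipe_fn(buf, 0, len);
}

/* Byte offset of the NUL-terminated `needle` inside a memory region, or -1.
   Same search a strings/bin_find pass over a process dump performs. */
long find_in_region(const unsigned char *region, size_t region_len,
                    const char *needle) {
    size_t n = strlen(needle);
    if (n == 0 || n > region_len) return -1;
    for (size_t i = 0; i + n <= region_len; i++)
        if (memcmp(region + i, needle, n) == 0) return (long)i;
    return -1;
}

/* Simulated authentication step. `arena` stands in for the heap pages a
   memory dump would capture: the password is copied in, "used" (a trivial
   checksum here), then either left behind (CWE-316) or wiped.
   Returns the non-negative checksum, or -1 if the arena is too small. */
int do_login(unsigned char *arena, size_t arena_len,
             const char *password, int wipe_after_use) {
    size_t n = strlen(password) + 1;
    const size_t slot = 64;               /* arbitrary offset, as an allocator might pick */
    if (slot + n > arena_len) return -1;

    unsigned char *work = arena + slot;
    memcpy(work, password, n);            /* plaintext now sits in process memory */

    unsigned sum = 0;                     /* placeholder for the real use of the secret */
    for (size_t i = 0; i + 1 < n; i++) sum = sum * 31u + work[i];

    if (wipe_after_use)
        secure_wipe(work, n);             /* mitigation: shortest possible lifetime */
    return (int)(sum & 0x7fffffffu);
}

/* Unit-test style self-check: 1 if the plaintext password is still findable
   in the arena after login, 0 if not, -1 on error. */
int password_survives_after_login(int wipe_after_use) {
    unsigned char arena[256];
    memset(arena, 0, sizeof arena);
    if (do_login(arena, sizeof arena, "Hunter2!", wipe_after_use) < 0) return -1;
    long off = find_in_region(arena, sizeof arena, "Hunter2!");
    secure_wipe(arena, sizeof arena);     /* do not leave the test secret around either */
    return off >= 0 ? 1 : 0;
}
```

Wiping narrows the window but does not close it: copies made by string conversions, UI controls or the allocator's free lists still need the same treatment, which is why the dump-and-search check belongs in a project's own tests.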
4. CREDIT
This vulnerability was discovered by Myo Soe, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
5. REFERENCES
Original Advisory URL:
http://core.yehg.net/lab/pr0js/advisories/%5Bmultiple-apps%5D_plain-text_storage_in_memory
pmdump: http://ntsecurity.nu/toolbox/pmdump/
bin_find.py: http://core.yehg.net/lab/pr0js/tools/bin_find.py
http://core.yehg.net/lab/pr0js/training/view/CWE-316_plaintext-storage-in-memory/
http://www.metasploit.com/modules/post/windows/gather/memory_grep/
http://carnal0wnage.attackresearch.com/2009/03/dumping-memory-to-extract-password.html
#yehg [2012-08-22]