Merit Network

Discussion Communities: Merit Network Email List Archives

Network Security

Historical FW: Discovering passwords in memory

  • From: Howell, Paul
  • Date: Tue Mar 16 15:54:15 2004


-----Original Message-----
From: Abhishek Kumar [mailto:abhishek.kumar@paladion.net] 
Sent: Saturday, March 13, 2004 12:20 AM
To: secprog@securityfocus.com
Cc: secpapers@securityfocus.com
Subject: Discovering passwords in memory


Hi All,
 
We have released a paper on "Discovering passwords in memory" that discusses
the dangers of using plain text passwords in memory. The vulnerability is
not new, but we are seeing this in several major applications today and
would like to bring the community's attention to it. We hope this paper will
show how easy it is to exploit this vulnerability, and encourage developers
to take care of this. 
 
A section from the paper is quoted below:
 
"While servers and applications store passwords encrypted or in digest form
on the hard disk, we have seen several instances where such encryption is not
applied while storing passwords in memory. Frequently, access to memory is
not restricted based on privilege levels. Thus attackers with local access
to the system can read the memory and extract passwords. Using a memory
viewer they can locate a specific process in memory and read its contents,
which can include passwords. These passwords could be an administrator
password for a server, a user password for an application, or a database
login password. Once a password is discovered, attackers could escalate their
privileges in the application. Thus any application that uses a password for
authentication could be vulnerable if it leaves the password unencrypted in
memory."
 
The full paper is available for download at:
http://www.paladion.net/papers/Discovering_Passwords_In_Memory.pdf
As we are concurrently working with the vendors to fix the problem, the paper
does not name the applications that are affected.
 
Thanks,
Abhishek


Abhishek Kumar
Paladion Networks
http://www.paladion.net
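The quoted paragraph describes two things: an application that keeps a plaintext working copy of a password in its memory after using it, and an attacker with local access who scans that memory with a memory viewer. The C program below is an added example (not code from the paper, from Paladion, or from Merit) that shows both sides on a constructed stand-in for a process heap (a static `arena` array; a real attacker would read the live process through a memory viewer, `/proc/<pid>/mem` or `ReadProcessMemory`). `auth_vulnerable` copies the password, compares it and simply "releases" the buffer, so a later `scan_for` still finds it; `auth_hardened` wipes the copy with a volatile-pointer loop as soon as the comparison is done, which is the same job `explicit_bzero` or `SecureZeroMemory` do where they are available. The function names, the arena layout and the sample password are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a process's heap.  Attackers read the real thing
 * through a memory viewer, /proc/<pid>/mem or ReadProcessMemory. */
#define ARENA_SIZE 256
#define SLOT_OFF   64          /* where our 64-byte "allocation" lives */
#define SLOT_LEN   64
static unsigned char arena[ARENA_SIZE];

/* Wipe that the optimizer may not remove.  A plain memset() immediately
 * before free() is a dead store and is routinely elided; writing through a
 * volatile pointer forces the stores to happen (same idea as explicit_bzero
 * and SecureZeroMemory on platforms that provide them). */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Vulnerable pattern: copy the supplied password into working memory,
 * compare, and "release" the buffer without touching its contents.
 * Returns 1 on a match, 0 otherwise. */
static int auth_vulnerable(const char *supplied, const char *expected)
{
    char *copy = (char *)arena + SLOT_OFF;
    strncpy(copy, supplied, SLOT_LEN - 1);
    copy[SLOT_LEN - 1] = '\0';
    int ok = strcmp(copy, expected) == 0;
    /* nothing wipes copy: the plaintext stays in memory after return */
    return ok;
}

/* Hardened pattern: identical logic, but the working copy is zeroed the
 * moment it is no longer needed. */
static int auth_hardened(const char *supplied, const char *expected)
{
    char *copy = (char *)arena + SLOT_OFF;
    strncpy(copy, supplied, SLOT_LEN - 1);
    copy[SLOT_LEN - 1] = '\0';
    int ok = strcmp(copy, expected) == 0;
    secure_zero(copy, SLOT_LEN);
    return ok;
}

/* What a memory viewer's "find" does: linear search of a region for a byte
 * pattern.  Returns the offset of the first hit, or -1 if it is absent. */
static long scan_for(const unsigned char *mem, size_t len, const char *needle)
{
    size_t nl = strlen(needle);
    for (size_t i = 0; i + nl <= len; i++)
        if (memcmp(mem + i, needle, nl) == 0)
            return (long)i;
    return -1;
}

int main(void)
{
    const char *pw = "s3cret!";   /* constructed sample password */

    auth_vulnerable(pw, pw);
    printf("after vulnerable auth: password found at offset %ld\n",
           scan_for(arena, ARENA_SIZE, pw));

    auth_hardened(pw, pw);
    printf("after hardened auth:   password found at offset %ld\n",
           scan_for(arena, ARENA_SIZE, pw));
    return 0;
}
```

The scan finds the password at offset 64 after the vulnerable path and reports -1 after the hardened one. Note that wiping the application's own copy is necessary but not sufficient: C library and framework buffers (stdio, string objects, TLS records) may hold further copies, and a wipe with plain `memset()` can be optimized away, which is why the example writes through a `volatile` pointer.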

