lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <9969CF31A0D6D411BC4B00508BB38E84031F4D94@BAIMSG4>
Date: Mon, 14 Apr 2003 11:32:27 -0300
From: OTERO Hernan Gustavo EDS <bazhgo@...hint.net>
To: bugtraq@...urityfocus.com
Subject: ActivCard password cache memory leakage




In December of the 2002 I was analysing the ActivCard product for a client.
During the analysis I noticed that making a memory dump of the process
"scardsrv" was possible to obtain the users stored staticaly in the card.

This issue at first, could seem smaller, although in depth already it has a
very serious character, but deepening the analisis I found that even with
the card pulled out from the pc the users and passwords remained in memory. 

This was reported properly to ActivCard (this can be reed in the mail thread
at next).

This was the answer

Here is the answer from our Product Manager about this issue:

The problem found relates to accessing static passwords stored (for
performance) in a memory cache by ActivCard Gold. ActivCard recognizes the
seriousness of this problem, and will fix it in the next version of the
product - ActivCard is currently working on a mechanism that will prevent a
memory dump to access any kind of personal data. 
Note that this problem is only applicable to static passwords. PKI private
keys and Dynamic Password keys are always stored securely on the card and
never loaded on the PC. 
Also note that this problem only happens after the user has accessed the
card with his PIN, and while the user is still using the card. As soon as
the user removes the card and logs out of his session, the cache is cleared
and the static passwords cannot be accessed anymore. (/****NOTE***** This is
not true, I do some test and even when pulled out the card the users and
pass remain in memory area******/)
Regards,
Jensen Toma
 
I have  not recived any news or contact since february, I believe is
convenient to publish this "vulnerability" to accelerate the process of
correction.


Hernán Otero

http://www.xss.com.ar

 

I don´t like this..., but i think this is the only way to accelerate the
patch.

The messagesthread...

 
 
-----Original Message-----
From: OTERO Hernan Gustavo EDS 
Sent: Viernes, 14 de Marzo de 2003 04:58 p.m.
To: 'PUB: Jensen Toma'; 'jlazou@...ivcard.com'
Subject: RE: Technical Support Form Submission


Do you have any advance in this particular issue...?
 
I think we are in time to release this information...
 
Regards,
            Hernán
 
-----Original Message-----
From: PUB: Jensen Toma [mailto:jtoma@...ivcard.com] 
Sent: Miércoles, 12 de Febrero de 2003 02:17 p.m.
To: 'OTERO Hernan Gustavo EDS'
Cc: Jean-Luc Azou
Subject: RE: Technical Support Form Submission


Hernan,
        I would suggest you coordinate with Jean-Luc Azou who is the Product
Marketing Manager for Gold.  He can get you more information for your
publication and status on the next version of Gold.
 
Regards,
           Jensen
 
 
-----Original Message-----
From: OTERO Hernan Gustavo EDS [mailto:bazhgo@...hint.net]
Sent: Wednesday, February 12, 2003 3:27 AM
To: 'PUB: Jensen Toma'
Subject: RE: Technical Support Form Submission


Jensen,
            there is any news... can i publish this ??
 
Regards,
 
-----Original Message-----
From: PUB: Jensen Toma [mailto:jtoma@...ivcard.com] 
Sent: Viernes, 13 de Diciembre de 2002 06:09 p.m.
To: 'OTERO Hernan Gustavo EDS'
Subject: RE: Technical Support Form Submission


No firm date yet, but currently targetted for late Q1/early Q2 of next year.
 
-----Original Message-----
From: OTERO Hernan Gustavo EDS [mailto:bazhgo@...hint.net]
Sent: Friday, December 13, 2002 12:33 PM
To: 'PUB: Jensen Toma'
Subject: RE: Technical Support Form Submission

Jensen,
            When you expect to release the next version of ActivCard ??
 
Regards,
Hernán Otero
 
-----Original Message-----
From: PUB: Jensen Toma [mailto:jtoma@...ivcard.com] 
Sent: Miércoles, 11 de Diciembre de 2002 09:41 p.m.
To: 'OTERO Hernan Gustavo EDS'
Subject: RE: Technical Support Form Submission


Hernan,
 
Here is the answer from our Product Manager about this issue:
The problem found relates to accessing static passwords stored (for
performance) in a memory cache by ActivCard Gold. ActivCard recognizes the
seriousness of this problem, and will fix it in the next version of the
product - ActivCard is currently working on a mechanism that will prevent a
memory dump to access any kind of personal data. 
Note that this problem is only applicable to static passwords. PKI private
keys and Dynamic Password keys are always stored securely on the card and
never loaded on the PC. 
Also note that this problem only happens after the user has accessed the
card with his PIN, and while the user is still using the card. As soon as
the user removes the card and logs out of his session, the cache is cleared
and the static passwords cannot be accessed anymore.
Regards,
Jensen Toma
 
-----Original Message-----
From: OTERO Hernan Gustavo EDS [mailto:bazhgo@...hint.net]
Sent: Tuesday, December 10, 2002 6:55 AM
To: 'PUB: Jensen Toma'
Subject: RE: Technical Support Form Submission


Could you reproduce the problem? 
Hernán Otero
 
-----Original Message-----
From: OTERO Hernan Gustavo EDS 
Sent: Lunes, 09 de Diciembre de 2002 11:51 a.m.
To: 'PUB: Jensen Toma'
Subject: RE: Technical Support Form Submission


I will try to collect more information to you, by now I send some answers to
your questions.
 
1) I´m using version ActivCard (R) Gold 2.2 (BN39) October 11th, 2002
 
2) The smart card type 16k ( What other info you need ? ) 
 
3) I´m not working in any way with the DoD.
 
4) I need to take an extra care in the dump of the memory because I cannot
send any private information. This can take some extra time...But if you
want to reproduce the test.  Add some static password to your card, then
only put your card pin ( without using any of the static passwords ) and
using pmdump dump the memory of scardsrv process and you will see the users
and passwords in the memory dump.

Thanks,
        Hernán Otero
 
 
-----Original Message-----
From: PUB: Jensen Toma [mailto:jtoma@...ivcard.com] 
Sent: Jueves, 05 de Diciembre de 2002 04:58 p.m.
To: 'bazhgo@...hint.net'
Subject: RE: Technical Support Form Submission


Hernan, 

Thank you for informing us of this. 

I have a few questions for you which will help me to diagnose and work on
this issue: 

1) What version of ActivCard Gold are you using?  This information can be
found in the readme.txt in the installation package or in c:\program
files\activcard\activcard gold\docs.

2) What type of smart card are you using? 

3) Is this in any way related to the DOD project?  If so, is this related to
RAPIDS? 

4) Could you provide me a copy of the dump and/or the analysis of the dump? 

All of these items will be useful in helping us to analyze the situation. 

Best Regards, 
Jensen Toma 
Regional Manager of Support 
direct: 510.745.6254 
jtoma@...ivcard.com 

 

-----Original Message----- 
From: support@...ivcard.com [mailto:support@...ivcard.com] 
Sent: Thursday, December 05, 2002 9:18 AM 
To: supportweb@...ivcard.com 
Subject: Technical Support Form Submission 


 

technicalsupportformdata 

first:Hernan 

 last:Otero 

email:[email:bazhgo@...hint.net] 

url: 

phone:05411-XXXX-XXXX

fax: 

company:XXXXXXX Argentina 

title:Security Analyst 

country:AR 

contact: 

problem:Making a memory dump of the proccess scardsrv I found all the
statics users and passwords stored in the card in plain text. This is a
security flaw.  ¿Can you tell me if it can be repaired and when? All the
test was made in Windows XP with SCM Microsystems SCR201 Smart Card Reader
and ActivCard Gold 

I will do a report, then in a cordinated release with your patch our upgrade
I will send this report to bugtraq. 

products: 

server:Windows 2000 

server_service_pack: 

other_server: 

workstation:Other 

workstation_service_pack: 

win_98_version: 

win_95_version: 

other_workstation:XP 

message: 

operational:yes 

 production: 

demonstration: 

system_down: 

evaluation: 

different_card: 

different_token: 

different_workstation: 

duplicated: 

different_server: 

reinstalled: 

resolved: 

 business_operations: 

other_products: 

reseller: 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ