| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3828402420.20030803170319@iname.com> Date: Sun, 3 Aug 2003 17:03:19 +0200 From: vali@...me.com To: bugtraq@...urityfocus.com Subject: leak of information in counterpane/Bruce Schneier's (now open source) Password Safe program Program description: --- Password Safe is a tool that allows you to have a different password for all the different programs and websites that you deal with, without actually having to remember all those usernames and passwords. Originally created by Bruce Schneier's Counterpane Labs, Password Safe is now opening it's source, and development and maintenance has been handed off to Jim Russell. Currently, the PasswordSafe Open Source project is being administered by Rony Shapiro. --- Versions affected: 1.92b (latest) - tested both with win2k and XP. Description: about two years ago I was reporting here http://www.securityfocus.com/archive/1/213931 about some rare circumstances in which Password Safe will leave cleartext in memory even when used in the most safest configuration. However, with the current version the situation is even worse - the option "Clear the clipboard when minimized" is not helping at all - you can still recover the last password used from the memory. How to reproduce: run password safe as usual, be sure to have the options "Clear the clipboard when minimized", "Lock password database on minimize" selected. Copy a password into clipboard (right click -> copy password to clipboard) and minimize Password Safe. Now the password should be erased, but it's not ! You can find the password very easy - for example run winhex (the attacker can have winhex on a floppy, it doesn't have to be installed), open the virtual memory associated to the process Pwsafe, look into it (or dump to a file and then use strings on that file). The password is there; one thing worth mentioning - without the first character. But this is not a problem, even if the first character is hard to guess (random password) most systems can be brute-forced without any problem even with "bare hands". Solution: not much to say ... just don't trust Password Safe when minimized ... use the win2k/xp lock feature, keep your computer in a safe, things like that. That's all, have a nice day, Valentin (Vali) Butanescu --------- Disclaimer Nothing I say here is endorsed, encouraged, ordered, or otherwise approved by my employer (hmmmm, WHAT employer ?)
Powered by blists - more mailing lists