lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200407121105.46280.adi@cg.tuwien.ac.at>
Date: Mon, 12 Jul 2004 11:05:45 +0200
From: Adi Kriegisch <adi@...tuwien.ac.at>
To: bugtraq@...urityfocus.com
Subject: Re: Mac OS X stores login/Keychain/FileVault passwords on disk


The swapfiles are deleted on startup -- this means even a clean shutdown by 
user leaves the passwords on disk.
So if you loose your powerbook someone might boot it in "target disk mode" and 
will be able to get your password!

Adi

===
> It seems that Mac OS X (10.3.4 tested) doesn't bother clearing memory
> containing sensitive data, or using mlock() to avoid swapping.
>
> A quick grep of the swapfiles will show up various morsels:
>
> rez:~> sudo strings -8 /var/vm/swapfile0 |grep -A 4 -i longname
> longname
> password
> <user's password here>
> /bin/zsh
> username
> ---
> ... various other occurrences follow
>
>
> Grepping for context around "password" also shows up results, and grepping
> for portions of a Keychain password (differing from the login password)
> will also get results. It appears that loginwindow is one of the apps
> involved, I haven't investigated what else is involved. The amount of
> memory and usage patterns of the machine will affect what gets swapped,
> though loginwindow seems likely to get swapped early since it is seldom
> used after login.
>
> Obviously this is only of interest if an attacker has root (or physical)
> access to a machine, however it does make FileVault or Keychain encryption
> fairly useless. It appears that the swapfiles are removed on shutdown or
> startup, though not wiped - pulling the power from a sleeping machine,
> and/or booting from CD, would quite easily retrieve the password(s).
>
> Reported to Apple on 21 June, I haven't had any response. It'd be nice if
> they at least said "we're taking a look if it's an issue".
>
> Matt


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ