RE: Pidgin IM Client Password Disclosure Vulnerability.
Siim:
While I agree with your comments, I cannot help but suggest that maybe the
method of choice could be 'security through obscurity' whereby they take a hash
of the password, with a non-std. hashing mechanism. The idea being that in
today's world where there are so many scr1pt-kiddi3 toolz out there allowing
the avg. Joe Schmoe the capability of analyzing one's memory processes i.e.
Tsearch, memhack etc... It only makes it non-trivial for them to extract the
info needed. This way you are making it a tad more annoying and adding another
buffer they need to bypass :)
Just a thought,
Aras 'Russ' Memisyazici
Systems Administrator
Virginia Tech
-----Original Message-----
From: Siim Põder <siim@xxxxxxxxxxxxxxx>
Sent: Thursday, September 18, 2008 12:58 PM
To: bugtraq@xxxxxxxxxxxxxxxxx <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Re: Pidgin IM Client Password Disclosure Vulnerability.
Hi.
Aditya K Sood wrote:
> The pidgin client inherits client side password disclosure
> vulnerability. The credentials used to
> connect to the required service i.e. username and password is not
> encrypted properly. The credentials
what do you propose? encrypt the password and store the encryption key
in memory? encrypt the password and the encryption key and store the
encryption key of the encryption key in memory?
if your program needs to use a password for pretty much anything, it
needs to be in.... you guessed it - memory.
a seemingly nice way out is to store the hash of the password in memory
and design the service so that you can log in with hash. but once you
think about it and realise that in that case password =
hash(original_password) you can go straight back to the first paragraph.
> can be extracted in clear text by dumping process memory of the live
> pidgin process when a connection
> is set. The vulnerability allows anyone with access to the client system
> to obtain the username and password.
not anyone. anyone with sufficient permissions. have you tried dumping
the memory of a process owned by another user? basically, you either
need to have access as the user running pidgin, or administrator access.
> Additionally, this vulnerability could also be exploited by fooling the
> user to execute malicious code which
> would dump the memory of the process "pidgin.exe"..
are you kidding?
Siim