Wednesday, April 9, 2008

Internet Applications: A Local Memory Enumeration To Find Password

Over the last few years we have seen major progress in the development of security life cycles for various business and non-business applications. But has it really improved how securely an application behaves locally? Application developers sometimes leave or forget a small vulnerability in their application which could cause a major loss on the client side, including sensitive information being disclosed. As we all know, when an application runs it takes some part of memory, which is used for application processing in various contexts. Internet applications such as MSN Messenger, Yahoo, ICQ and others use memory in the same way, but at some point they leave the user's password open to an attacker.

A malicious adversary with local access to the system (either remotely or physically) can dump the primary memory of a particular application and gain access to private information such as passwords present in clear text. Let's take a quick look at MSN Messenger v8.x using a forensics tool called "X-Ways Forensics", although the same could be done with WinHex or similar editors.


As shown in the screenshot, load the 'Primary Memory' chunk of the application into the X-Ways tool. This can easily be accomplished by going to Tools -> Open RAM or simply pressing Alt+F9.

Now, once inside the memory area, search for the ASCII keyword "Password" using the Search -> Find Text (Ctrl+F) menu, or go to the address "OFFSET:0333B585" in memory using the Position -> Go To Offset (Alt+G) menu. You will find something similar to what is shown in the second screenshot. You will notice something like:

---------------------------
Version><ps:UIVersion>1</ps:UIVersion><ps:Cookies></ps:Cookies><ps:RequestParams>AQAAAAIAAABsYwQAAAAxMDMz</ps:Request
Params></ps:AuthInfo><wsse:Security><wsse:UsernameToken Id="user"><wsse:Username>xxxxx@xxxxx.com
</wsse:Username><wsse:Password>xxxxxxxxxxxx</wsse:Password></wsse:UsernameToken>

---------------------------

Here lies the sensitive information disclosure/privacy exposure vulnerability, categorised by MITRE as CWE ID# 316, "Plaintext Storage in Memory". Almost all versions of Microsoft MSN Messenger are exposed to this problem. In my view, public advisories for such a vulnerability would be countless, given the thousands of internet applications exhibiting the same behaviour in one way or another.

Countermeasures against this kind of local information disclosure involve using proper cryptographic functions to store and process sensitive information securely in application memory. However, this can be considered a design flaw in the application, as no security policy was defined prior to the development stage for storing such sensitive user data.
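As an added illustration of the countermeasure above (example code written for this page, not code from the original post or from MSN Messenger), the C program below builds a request in the same shape as the fragment found in the dump and shows that the password stays readable in the buffer after use until it is explicitly wiped with a memset the compiler cannot optimise away. The username and password are constructed sample values.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Wipe through a volatile function pointer so the compiler cannot drop the
 * memset as a "dead store" when the buffer is never read again afterwards. */
static void *(*const volatile secure_memset_ptr)(void *, int, size_t) = memset;

void secure_wipe(void *p, size_t n) {
    secure_memset_ptr(p, 0, n);
}

/* Audit helper: does the byte string `needle` occur anywhere in `hay`?
 * Scans byte by byte so embedded NULs in `hay` do not end the search early. */
int buffer_contains(const unsigned char *hay, size_t hay_len, const char *needle) {
    size_t nlen = strlen(needle);
    if (nlen == 0 || nlen > hay_len) return 0;
    for (size_t i = 0; i + nlen <= hay_len; i++) {
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    }
    return 0;
}

/* Builds a UsernameToken like the one seen in the memory dump, "sends" it,
 * then optionally wipes the buffer. Returns 1 if the password is still
 * recoverable from the buffer afterwards, 0 if not.
 * The credentials are constructed sample values, not real ones. */
int password_recoverable_after_use(int wipe_after_use) {
    char request[256] = {0};
    const char *user = "someone@example.com";   /* constructed */
    const char *pass = "S4mple-Passw0rd";        /* constructed */

    snprintf(request, sizeof request,
             "<wsse:UsernameToken Id=\"user\"><wsse:Username>%s</wsse:Username>"
             "<wsse:Password>%s</wsse:Password></wsse:UsernameToken>",
             user, pass);

    /* ... the request would be handed to the network layer here ... */

    if (wipe_after_use) {
        secure_wipe(request, sizeof request);
    }
    return buffer_contains((const unsigned char *)request, sizeof request, pass);
}

int main(void) {
    printf("without wipe, password recoverable: %d\n", password_recoverable_after_use(0));
    printf("with wipe,    password recoverable: %d\n", password_recoverable_after_use(1));
    return 0;
}
```

Wiping your own buffers only covers copies the application controls; libraries, the runtime and the OS may hold others, so a memory audit of the running process, as done with X-Ways above, remains a worthwhile check.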