Alik Levin's : Sensitive Data

Avoid Manipulating Passwords In Memory - It Is Easy To Reveal

alikl — Sat, 08 Dec 2007 08:55:40 GMT

Revealing clear text passwords in memory seems to be a trivial task. This post describes how to reveal clear text passwords and what countermeasures to apply.

Summary of steps:

Install WinDbg
Attach to process or open dump file
Load SOS .Net extensions for WinDbg
Enumerate threads
Enumerate objects in thread
Dump object's values
Countermeasures and guidelines

Install WinDbg

Download and install WinDbg as described in How to install Windbg and get your first memory dump.

Attach to process or open dump file

WinDbg can analyze both running processes and memory dumps which conveniently can be taken offsite for further investigation. I've created simple console application that accepts user name and password pair as its parameters and stores in local variables in memory:

static void Main(string[] args)
{
string userName = Console.ReadLine();
string password = Console.ReadLine();

Console.ReadLine();
}

Compile and run the application. I called it SecretsInMemory. This is how it looks when running:

Attach WinDbg to the running application by opening File->Attach to a Process:

and press Ok.

Alternatively, we can create dump file - for detailed how-to refer to How to install Windbg and get your first memory dump.

To Investigate resulting dump file in WinDbg open File->Open Crash Dump

Load SOS .Net extensions for WinDbg

To analyze .Net assemblies we need to load .Net extensions by typing .load sos and hitting Enter:

Enumerate threads

Run !threads command to enlist available threads:

and then choose specific thread - use left most column for thread identification as follows ~[thread number goes here]s:

Enumerate objects in thread

Use !dso command to dump all objects in the thread:

Dump object's values

Use !do <object address> to dump specific object's values. Object address is a second column in the list generated by !dso command, the column named "Object" - just copy and paste it:

The password is revealed either by attaching to the process or analyzing a crash file that was taken offsite.

Countermeasures and guidelines

As rule of thumb avoid using custom built identification and authentication mechanisms and leverage those that the infrastructure offers - preferably Windows Integrated authentication. In case where all options exhausted and there is no other way but accept end user credentials, refer to the following article - Using Credential Management in Windows XP and Windows Server 2003. Techniques described in the article allow to leverage built in mechanism of accepting credentials from end user in more secure manner. It also keeps common familiar look and feel across custom application and built in Windows mechanisms leaving less room for end user confusion.

My related posts:

Authentication Hub

Other resources:

IIS 7 Configuration File - applicationHost.config - Password Management

alikl — Tue, 24 Apr 2007 22:52:57 GMT

From my learning of IIS7 I understand that IIS7's metabase is actually XML configuration file very familiar to me and similar to ASP.NET's web.config. It is called applicationHost.config and sits in C:\Windows\System32\inetsrv\config

My first interest was to see how it manages passwords when specifying specific accounts for application pool.

I created demo application pool called xxxx, then I created demo account and specified my application pool to run under it. Then I navigated to C:\Windows\System32\inetsrv\config\applicationHost.config and opened it Notepad. I needed to run Notepad as administrator since UAC prevents from opening it directly into Notepad (I cannot say it about Visual Studio, which opens it gladly without running as Administrator). The following picture depicts what I found there:

Seems like the password encrypted using RSA and the cipher was stored in the config file, not the clear text password.

Very cool.

Where is the key? Digging deeper...

I learned it from:

http://www.iis.net/default.aspx?tabid=2&subtabid=25&i=992&p=3

http://www.iis.net/default.aspx?tabid=2&subtabid=25&i=992&p=4

Enjoy

Code Inspection - First Look For What To Look For

alikl — Wed, 21 Mar 2007 00:13:56 GMT

Reposted from Security Code Inspection - First Look For What To Look For for further reuse on this blog.

I found it extremely productive to first look for strings in the code. But what strings to look for? And how to look for the strings? Looking into the source files?

My good friend FindStr is of great help here:

So first let's find what to look for:

Ildasm.exe secureapp.dll /text | findstr ldstr

This is what I've got using it:

Wouldn't it trigger you think of authorization data doing roundtrip thus vulnerable to tampering and elevation of privileges?

Wouldn't it trigger you think there is some custom authentication mechanism that potentially could be vulnerable thus enabling identity spoofing?

Wouldn't it trigger you think.....

So once you have these strings you use same FindStr to find actual files to inspect:

findstr /S /M /I /d:c:\projects\yourweb "StringOfInterestGoesHere" *.cs

Cheers

SecureString Class Two Real Usages And Counting!

alikl — Mon, 19 Mar 2007 18:03:53 GMT

SecureString Class

"Represents text that should be kept confidential. The text is encrypted for privacy when being used, and deleted from computer memory when no longer needed. This class cannot be inherited. "

I first was very excited about SecureString introduced in .Net FX 2.0 but as I tried to learn it more and more I could not find real scenarios where I can apply it.

So here it comes:

1. Credential Management with the .NET Framework 2.0 - very detailed and useful article.

"Summary: Get an introduction to the Credential Management API that includes functions for user interface handling and lesser-known functions for managing a user's credential set. Also see a .NET class library that dramatically simplifies the task of credential management, for languages such as C# and Visual Basic .NET, and provides a more elegant and robust approach to credential management for C++ developers. (26 printed pages)"

2. X509Certificate2 (String, SecureString) - got this one while reading Support Certificates In Your Applications With The .NET Framework 2.0

"You can also load certificates from .pfx files. However, as I mentioned earlier, .pfx files can be password protected [ed. alikl - SHOULD BE, MUST BE?], and you should supply this password as a SecureString. SecureString encrypts the password internally and tries to minimize exposure of it in Memory, page files, and crash dumps"

More on SecureString is here on .Net Security Blog:

SecureString Redux

Making Strings More Secure

Got more examples? Share please!

Google Code Search - Different Perspective

alikl — Mon, 05 Mar 2007 23:56:59 GMT

Google launches a special treat just for developers ...

I'd like to present it from some different perspective.

Imagine you provide search criteria as follows:

"Initial Catalog" - try it. What do you see?

More like these here

Doesn't it make you want to write more secure code... :) ?

Enjoy