Leak of information in Counterpane/Bruce Schneier's Password Safe program

From: Valentin Butanescu (valiat_private)
Date: Wed Sep 12 2001 - 18:20:15 PDT


    Background: Password Safe (http://www.counterpane.com/passsafe.html)
    is a free Win9x/2000 utility used to keep all your passwords encrypted on the hard disk
    using Bruce Schneier's symmetric algorithm Blowfish.
    
    Version tested: 1.7(1)
    
    Vulnerability: Password Safe has an option (I think it is the default) to
    "lock password database on minimize and prompt on restore", and it does
    a good job, at least as far as I can tell without the source.
    It also looks like it cleans the memory so that no
    usernames/passwords are exposed (this is what you expect from a
    well-designed password utility). However, in some cases the last entered
    username remains exposed in memory in cleartext. This happens,
    for example, if the user had on screen the window with "Would you like to
    set "example_user" as your default username?" This could also be a
    Windows memory management problem, and there is probably a workaround.
    
    The second problem (and the first in order of importance) is that you
    can find cleartext passwords in memory in some cases if you copy the
    password to the clipboard AND minimize Password Safe with both options
    "Clear the password when minimized" and "Lock password database on
    minimize and prompt on restore" activated. For this it is enough to click
    in a text box like Start/Run before minimizing Password Safe. The
    clipboard is cleared, but apparently Windows manages to copy the
    password into a buffer.
    
    Conclusion: most likely the memory management in Windows plays a role
    in all these problems. The simplest way to prevent all these problems
    is to use a "lock" program that will force an attacker to reboot your
    computer in order to "get in" (this will not stop a motivated
    attacker from getting the memory content directly, but this is not a
    technology within the reach of most individuals or organizations).
    Do not think that your passwords are really secure just because you are
    prompted for a password in order to access the minimized Password Safe.
    Password Safe is still a good product (as far as I know), but expect a
    little less protection if your laptop is stolen while Password Safe is
    running minimized.
    
    More details: because I could not find a simple program to
    search memory on Win2k, I had to do all the tests on a fresh
    Win95. I expect the same results on Win98 and ME. No, I did
    not run any strange clipboard management program.
    
    That's all for today,
    all the best to everyone,
    Valentin Butanescu.
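An added example, not from the post and not Password Safe's own code: the C program below models the two leaks reported above (a clipboard hand-off copy that survives the wipe of the entry buffer, and a username that survives inside a formatted dialog string) inside a fixed in-process arena, and runs over it the kind of scan a memory-search tool would do. The arena, the function names, the constructed sample secrets and the `secure_wipe` helper are assumptions for illustration; it does not touch another process's memory or any Windows clipboard API.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed arena standing in for the process heap, so the scan below is
 * deterministic and the example runs anywhere (no Windows APIs needed).
 * The arena and its bump allocator are assumptions for illustration. */
#define ARENA_SIZE 4096
static unsigned char arena[ARENA_SIZE];
static size_t arena_top;

static void arena_reset(void) {
    memset(arena, 0, sizeof arena);
    arena_top = 0;
}

/* Bump allocation out of the arena; returns NULL when full. */
static void *arena_alloc(size_t n) {
    if (arena_top + n > ARENA_SIZE) return NULL;
    void *p = arena + arena_top;
    arena_top += n;
    return p;
}

/* Zeroing through a volatile pointer so the compiler cannot drop it as a
 * dead store (portable stand-in for explicit_bzero / SecureZeroMemory). */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* The check a memory-search tool performs: count cleartext copies of
 * `needle` anywhere in the arena, regardless of which buffer owned them. */
static int count_in_arena(const char *needle) {
    size_t nlen = strlen(needle);
    int hits = 0;
    if (nlen == 0) return 0;
    for (size_t i = 0; i + nlen <= ARENA_SIZE; i++)
        if (memcmp(arena + i, needle, nlen) == 0) hits++;
    return hits;
}

/* Second problem from the post: the entry is copied into a clipboard
 * hand-off buffer, then on minimize only the entry buffer is cleared.
 * wipe_all == 1 is the hardened flow that wipes every copy. Returns the
 * number of cleartext copies still findable, or -1 if the arena is full. */
static int copy_to_clipboard_then_lock(const char *password, int wipe_all) {
    size_t len = strlen(password) + 1;
    arena_reset();
    char *entry = arena_alloc(len);       /* decrypted entry shown in the UI */
    char *clip  = arena_alloc(len);       /* copy handed to the clipboard   */
    if (!entry || !clip) return -1;
    memcpy(entry, password, len);
    memcpy(clip, entry, len);
    secure_wipe(entry, len);              /* "Clear the password when minimized" */
    if (wipe_all) secure_wipe(clip, len); /* the copy the leaky flow forgets   */
    return count_in_arena(password);
}

/* First problem from the post: the username is embedded in a dialog string
 * that outlives the wipe of the username field. Same return convention. */
static int default_username_prompt_then_lock(const char *username, int wipe_all) {
    enum { MSG_LEN = 128 };
    size_t len = strlen(username) + 1;
    arena_reset();
    char *field = arena_alloc(len);       /* the username text box          */
    char *msg   = arena_alloc(MSG_LEN);   /* text of the confirmation dialog */
    if (!field || !msg) return -1;
    memcpy(field, username, len);
    snprintf(msg, MSG_LEN, "Would you like to set \"%s\" as your default username?", field);
    secure_wipe(field, len);
    if (wipe_all) secure_wipe(msg, MSG_LEN);
    return count_in_arena(username);
}

int main(void) {
    /* Constructed sample secrets; any short strings behave the same way. */
    printf("clipboard copy, entry only wiped: %d hit(s)\n", copy_to_clipboard_then_lock("s3cr3t-pass", 0));
    printf("clipboard copy, all copies wiped: %d hit(s)\n", copy_to_clipboard_then_lock("s3cr3t-pass", 1));
    printf("dialog text, field only wiped:    %d hit(s)\n", default_username_prompt_then_lock("example_user", 0));
    printf("dialog text, all copies wiped:    %d hit(s)\n", default_username_prompt_then_lock("example_user", 1));
    return 0;
}
```

The point of the scan being a plain byte search over the whole region is that it does not care which buffer "owned" the secret: a hand-off copy made for the clipboard or a string formatted into a dialog is just as findable as the entry field itself, so a wipe routine has to cover every buffer that ever held the value, not only the one the UI displays.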
    



    This archive was generated by hypermail 2b30 : Thu Sep 13 2001 - 10:13:42 PDT