leak of information in counterpane/Bruce Schneier's (now open source) Password Safe program

From: valiat_private
Date: Sun Aug 03 2003 - 08:03:19 PDT

Program description:

---
Password Safe is a tool that allows you to have a different password
for all the different programs and websites that you deal with,
without actually having to remember all those usernames and passwords.

Originally created by Bruce Schneier's Counterpane Labs, Password Safe
is now opening its source, and development and maintenance have been
handed off to Jim Russell. Currently, the PasswordSafe Open Source
project is being administered by Rony Shapiro.
---

Versions affected: 1.92b (latest) - tested both with win2k and XP.

Description: about two years ago I was reporting here

http://www.securityfocus.com/archive/1/213931

about some rare circumstances in which Password Safe will leave
cleartext in memory even when used in the safest configuration.

However, with the current version the situation is even worse - the
option "Clear the clipboard when minimized" is not helping at all -
you can still recover the last password used from the memory.

How to reproduce: run Password Safe as usual, be sure to have the
options "Clear the clipboard when minimized" and "Lock password database
on minimize" selected. Copy a password into the clipboard (right click ->
copy password to clipboard) and minimize Password Safe. Now the
password should be erased, but it's not! You can find the password
very easily - for example, run winhex (the attacker can have winhex on a
floppy, it doesn't have to be installed), open the virtual memory
associated with the process Pwsafe, look into it (or dump it to a file and
then use strings on that file). The password is there; one thing worth
mentioning - without the first character. But this is not a problem:
even if the first character is hard to guess (random password), most
systems can be brute-forced without any problem even with "bare
hands".

Solution: not much to say ... just don't trust Password Safe when
minimized ... use the win2k/xp lock feature, keep your computer in a
safe, things like that.

That's all, have a nice day,
Valentin (Vali) Butanescu

---------
Disclaimer
Nothing I say here is endorsed, encouraged, ordered, or otherwise
approved by my employer (hmmmm, WHAT employer ?)
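The failure mode the post describes is that clearing the clipboard does not clear the program's own working copy of the password, so the cleartext survives in process memory until something overwrites it. The following C program is an added illustration (not code from the post and not Password Safe's code) of that point from the defender's side: it simulates a process's memory with a small arena, performs a hypothetical "copy password to clipboard" hand-off, and then scans the arena the way one would run strings over a memory dump. One hand-off releases the buffer without wiping it, the other zeroises it first through a volatile pointer (the same idea as SecureZeroMemory() on Windows or explicit_bzero() on glibc and the BSDs). The arena, the allocator, the clipboard_handoff() routine and the sample password are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a process's address space (think of the Pwsafe
 * process the post inspects with winhex): a fixed arena handed out by a
 * trivial bump allocator, so the whole "process memory" can be scanned
 * afterwards the way winhex or `strings` would scan a dump. */
#define ARENA_SIZE 4096
static unsigned char arena[ARENA_SIZE];
static size_t arena_used = 0;

static void arena_reset(void) {
    memset(arena, 0, sizeof arena);
    arena_used = 0;
}

/* Bump allocation; returns NULL when the arena is exhausted. */
static unsigned char *arena_alloc(size_t n) {
    if (n > ARENA_SIZE - arena_used) return NULL;
    unsigned char *p = arena + arena_used;
    arena_used += n;
    return p;
}

/* Scan the entire arena for a byte pattern, like running `strings` over a
 * dump and grepping for the password. Returns the offset of the first hit
 * or -1 when the secret is nowhere in memory. */
long arena_find(const char *needle) {
    size_t n = strlen(needle);
    if (n == 0 || n > ARENA_SIZE) return -1;
    for (size_t i = 0; i + n <= ARENA_SIZE; i++)
        if (memcmp(arena + i, needle, n) == 0) return (long)i;
    return -1;
}

/* Zeroisation through a volatile pointer, so the compiler cannot discard
 * the stores as dead writes to memory that is about to be released. A
 * plain memset() right before releasing a buffer is routinely optimised
 * away; SecureZeroMemory() / explicit_bzero() exist for this reason. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Hypothetical "copy password to clipboard" (not Password Safe's code):
 * the program makes a working copy of the secret, the clipboard reads it,
 * and the copy is released. Clearing the clipboard later does nothing to
 * this copy; only wiping it before release does.
 * Returns the number of password bytes handed over. */
size_t clipboard_handoff(const char *password, int wipe_before_release) {
    size_t n = strlen(password) + 1;
    unsigned char *copy = arena_alloc(n);
    if (copy == NULL) return 0;
    memcpy(copy, password, n);
    /* ... the clipboard would read from `copy` here ... */
    if (wipe_before_release) secure_wipe(copy, n);
    /* Release: the allocator never touches the contents. */
    return n - 1;
}

/* Defender's check: after one hand-off and release, is the cleartext still
 * recoverable from a scan of process memory? 1 = leaks, 0 = clean. */
int secret_survives(const char *password, int wipe_before_release) {
    arena_reset();
    clipboard_handoff(password, wipe_before_release);
    return arena_find(password) >= 0;
}

int main(void) {
    const char *demo = "hunter2-demo-pass";   /* constructed sample secret */
    printf("release without wipe: %s\n",
           secret_survives(demo, 0) ? "password found in memory" : "clean");
    printf("wipe before release:  %s\n",
           secret_survives(demo, 1) ? "password found in memory" : "clean");
    return 0;
}
```

The same scan-after-release check is a cheap regression test for any program that handles secrets: hand the secret through the code path under test, then search the process image (or, as here, a controlled arena) for it. Note that a wipe at the point of release covers only the copy the program knows about; temporaries made by string or UI libraries need the same treatment, which is why a dump can still show a partial copy such as the one the post reports.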