Re: Getting passwords from the heap?

From: Dennis McHenry (ronmchat_private)
Date: Tue Jun 26 2001 - 23:33:46 PDT

Next message: Jarno Huuskonen: "Re: m4 and format strings"

Previous message: KF: "m4 and format strings"
In reply to: Felix von Leitner: "Re: Getting passwords from the heap?"
Next in thread: Jason R. Seats: "Re: Getting passwords from the heap?"
Next in thread: H D Moore: "Re: Getting passwords from the heap?"
Reply: Jason R. Seats: "Re: Getting passwords from the heap?"
Reply: Vladimir Kraljevic: "RE: Getting passwords from the heap?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: "Felix von Leitner" <leitnerat_private>
> This wasn't perchance a Microsoft operating system you were using?
It's been a while since I've done C for a win system, but as I recall Malloc
returns zeroed-out chunks.

My response to Jason's point, though, is that if a program doesn't handle
sensitive information in a prudent manner (preventing it from being swapped
to disk, overwriting the memory space where it was stored, etc.), the
information could indeed be in memory.  I'd label this as a programming
error for the application that left it's sensitive info. sitting around,
rather than an OS problem (I don't recall Windows saying it wiped memory
after closing applications).

If you're using a win box, you can use debug to examine memory remnants.

-Dennis

----- Original Message -----
From: "Felix von Leitner" <leitnerat_private>
To: <vuln-devat_private>
Sent: Tuesday, June 26, 2001 9:55 AM
Subject: Re: Getting passwords from the heap?


> Thus spake Jason Spence (thalakanat_private):
> > I was trying to explain to someone why it's important to do a
> > memset(3) on newly allocated memory by firing up gdb and doing
> > hexdumps of raw uninitialized memory, when I noticed there was what
> > looked like privileged information in the hexdump!
>
> Your operating system is broken, then.
>
> > I don't know very much about the specifics of how malloc works, but is
> > this a valid method of trying to get privileged information from an
> > unprivilieged account?  For example, does memory that root allocates
> > then deallocates become available to user processes via malloc(3)?
>
> Both anonymous mmap and brk (the Unix methods for implementing malloc)
> are specified to return zero-filled pages.
>
> > I'm going to research this some more and put together a report with
> > the feedback I get if it turns out that this is a valid method of
> > attacking a system from a non-root account.
>
> This wasn't perchance a Microsoft operating system you were using?
>
> Felix
>

Next message: Jarno Huuskonen: "Re: m4 and format strings"
Previous message: KF: "m4 and format strings"
In reply to: Felix von Leitner: "Re: Getting passwords from the heap?"
Next in thread: Jason R. Seats: "Re: Getting passwords from the heap?"
Next in thread: H D Moore: "Re: Getting passwords from the heap?"
Reply: Jason R. Seats: "Re: Getting passwords from the heap?"
Reply: Vladimir Kraljevic: "RE: Getting passwords from the heap?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jun 27 2001 - 08:14:11 PDT