-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

     .---------------.
    / NtWaK0 Bugs     \
+-----------------------------------------------------------------------.
: Affected : PGP 7.x with Outlook will give your passphrase in CLEAR
: Type     : Passphrase DUMP in CLEAR TEXT
: Date     : 28-03-2002
: Author   : NtWaK0 @ www.SafeHack.com
:
+-----------------------------------------------------------------------.

+--------------------------------------------.
 Outlook and PGP give out a clear Passphrase  \
+----------------------------------------------`------------------------.
:
: +-----------.
: Disclaimer  \
: +-------------`---------------------------------------------------------.
: The information in this advisory is believed to be true based on
: experiments, though it may be false. The opinions expressed in this
: advisory and program are my own and NOT those of any company.
: In fact I do not work for anyone at the present time.
:
: This material is presented for informational and entertainment purposes
: only, and to satisfy the curious. Any activities described in this file
: which involve vandalism, theft, or any other illegal activities are
: recounted from third-party conversations. I do not condone or encourage
: vandalism or theft. I do not accept any liability for anything anyone
: does with this information.
: Remember: Use a computer in ways that ensure respect for your fellows.
:
: [ Brief History                                          ]:
: [ Outlook and PGP give out a clear Passphrase            ]:
: [ The Solution                                           ]:
: [ Technical details / Logs                               ]:
:
: +-------------.
: Brief History  \
: +---------------`-------------------------------------------------------.
: I feel it is important enough to mention this issue to PGP users.
: The problem is very important if you use PGP and you care about your
: PASSPHRASE.
: NOTE: DO NOT THINK YOU ARE THE ONLY ONE WHO KNOWS YOUR BIG PASSPHRASE.
: DR. WATSON KNOWS IT TOO -:)
:
: Who is affected:
: +---------------
: +PGP users with OUTLOOK
:
: Conditions to replicate the problem:
: +-----------------------------------
: +PGP 7.x or older
: +Outlook 2000; maybe XP is affected too
: +Test machine: Windows 2000 Professional. I did not test YET on NT.
: +Be able to crash OUTLOOK while you SIGN a mail
:
: Results of the problem:
: +----------------------
: +Getting the user(s) passphrase(s) in clear
: +Very bad if the user's machine is not protected and you can access Dr.wat
: +Very bad if the machine is shared and you have access to drwtsn32.log
: By default everyone can read at least drwtsn32.log, located in:
:
: For Windows 2000
: C:\Documents and Settings\All Users\Documents\DrWatson\drwtsn32.log
:
: For NT
: C:\Winnt\System32\drwtsn32.log
: (This assumes a default install path.)
:
: +-----------.
: The Problem  \
: +-------------`---------------------------------------------------------.
: I was sending a mail with an attachment (a .pdf file). I clicked Sign & Send
: in Outlook 2000, got a memory error and Outlook crash-dumped on me. ;(
: After waiting for the memory dump to finish I opened drwtsn32.log just to
: see what was wrong. To my surprise I saw my PASSPHRASE in clear. I was
: like, hmm, a passphrase must be only in our heads, not on paper or
: anywhere else.
:
: After thinking a bit about this issue I found it very bad, and here is
: why. If someone other than you accesses your drwtsn32.log, and if you had
: some day crashed Outlook while signing a mail, the chances are they
: will get your passphrase in clear if they snoop in your drwtsn32.log.
:
: Having the passphrase in clear is pretty bad; just think about it for
: 5 min and think how PGP keys work.
:
: QUOTE: "About Passphrases From SANS (GSEC)"
: +-------------------------------------------
: "The passphrase needs to be just that: a phrase. Use a sentence that you
: can remember. Use spaces and punctuation as appropriate. Use some
: non-alphanumeric data in addition to proper punctuation."
:
: All that is a cool and nice security standard that you SHOULD follow, but
: whatever you use will be in clear when the crash happens.
:
: The larger your passphrase, the harder it is to guess and break when
: attacks against your public key are undertaken. It is also much easier
: to remember a passphrase than a password, and it is much more secure
: (as brute force attacks now have to take into account punctuation and
: spaces between words).
: +--- END QUOTE ---
:
: +------------.
: The Solution  \
: +--------------`--------------------------------------------------------.
: + Do not crash your applications :)
: + Wait for a fix from the vendor
: + Delete drwtsn32.log manually, or schedule a job to do so every week or
:   any time you like. Deleting drwtsn32.log is a good idea; it contains
:   sensitive information. On the other hand, it also contains useful
:   information that helps you debug your system.
:   I suggest you make a back-up copy of the file, keep it encrypted in a
:   safe place, then delete it from your hard disk.
:   The same goes for the crash dump file (user.dmp) that Dr. Watson writes
:   next to the log when "Create Crash Dump File" is enabled: it holds the
:   process memory that the log's stack dump is an excerpt of.
:
: Or you can use AT and a batch file to delete drwtsn32.log at a specific
: date or time.
:
: +------------------------.
: Technical details / Logs  \
: +--------------------------`--------------------------------------------.
:
function: TranslateMessageEx
        77e1323a 0f8500c40200     jne     EnumDesktopWindows+0xd88 (77e3f640)
        77e13240 33c0             xor     eax,eax
        77e13242 c20800           ret     0x8
        77e13245 ff742408         push    dword ptr [esp+0x8]   ss:043bd52b=??
        77e13249 51               push    ecx
        77e1324a e8b7370000       call    GetKeyState+0x92 (77e16a06)
        77e1324f ebf1             jmp     DialogBoxIndirectParamAorW+0x6ba (77e1eb42)
        77e13251 b89a110000       mov     eax,0x119a
        77e13256 8d542404         lea     edx,[esp+0x4]         ss:043bd52b=?
        77e1325a cd2e             int     2e
        77e1325c c21000           ret     0x10

*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Function Name
0370FF78 77575C36 0370FF98 00000000 00000000 00000000 user32!TranslateMessageEx
0370FFB4 77E8758A 0000047C 77595428 0006F204 0000047C winmm!midiOutGetNumDevs
0370FFEC 00000000 77575BB9 0000047C 00000000 037100A0 kernel32!SetFilePointer

*----> Raw Stack Dump <----*
0370ff58  63 58 e1 77 98 ff 70 03 - 00 00 00 00 00 00 00 00  cX.w..p.........
0370ff68  00 00 00 00 7c 04 00 00 - 00 00 00 00 27 58 e1 77  ....|.......'X.w
0370ff78  b4 ff 70 03 36 5c 57 77 - 98 ff 70 03 00 00 00 00  ..p.6\Ww..p.....
0370ff88  00 00 00 00 00 00 00 00 - 28 54 59 77 04 f2 06 00  ........(TYw....
0370ff98  20 20 32 81 ff ff ff ff - 77 0d 43 80 00 00 00 00    2.....w.C.....
0370ffa8  00 00 00 00 00 00 00 00 - 7b 10 43 80 ec ff 70 03  ........{.C...p.
0370ffb8  8a 75 e8 77 7c 04 00 00 - 28 54 59 77 04 f2 06 00  .u.w|...(TYw....
0370ffc8  7c 04 00 00 00 f0 fa 7f - 00 00 57 77 c0 ff 70 03  |.........Ww..p.
0370ffd8  00 00 57 77 ff ff ff ff - 5b 61 e8 77 80 b5 e8 77  ..Ww....[a.w...w
0370ffe8  00 00 00 00 00 00 00 00 - 00 00 00 00 b9 5b 57 77  .............[Ww
0370fff8  7c 04 00 00 00 00 00 00 - a0 00 71 03 00 00 00 00  |.........q.....
03710008  03 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
03710018  00 00 00 00 00 00 00 00 - a0 00 71 03 00 00 71 03  ..........q...q.
03710028  02 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
03710038  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
03710048  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
03710058  00 00 00 00 00 00 00 00 - a0 07 e4 01 6b 00 00 00  ............k...
03710068  46 47 55 42 00 00 00 00 - PASSPHRASEVALUEISHEREPA  FGUB....PASSPHRA
03710078  PASSPHRASEVALUEISHEREPA - PASSPHRASEVALUEISHEREPA  ASEVALUESISHEREP
03710088  7d 40 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  AS..............
:
: Note that the PASSPHRASE is in CLEAR TEXT (the real value is replaced by
: the PASSPHRASEVALUEISHERE placeholder in the rows above). Dr. Watson
: writes the raw stack of the faulting thread to the log as-is, with nothing
: masked, so whatever was on that stack when Outlook crashed ends up in a
: world-readable file.
:
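The following script is an added example (it is not NtWaK0's code, nor anything from PGP or Microsoft) that parses the "Raw Stack Dump" block in the drwtsn32.log format shown above and pulls printable strings out of the reassembled bytes. It doubles as the check implied by the Solution section: confirming whether your own passphrase is sitting in the log before you archive or delete it. The sample log and the passphrase in it are constructed for this example; the row addresses mimic the advisory's dump, the bytes are invented.

```python
"""Recover cleartext strings from a Dr. Watson raw stack dump.

Added example, not part of the advisory. A drwtsn32.log dump row is an
address, eight hex bytes, a dash, eight more hex bytes, then an ASCII
column. The ASCII column shows only 16 characters per row and prints
non-printables as '.', so a passphrase that straddles a row never appears
whole on any one line. Rebuilding the bytes from the hex columns and
scanning them for printable runs finds it wherever the row breaks fall.
"""
import re
import string

# Constructed passphrase, in the SANS style quoted in the advisory.
SECRET = "Bring me 2 cups of tea, now!"

# Constructed log excerpt; the passphrase is split across three rows.
SAMPLE_LOG = """\
*----> Stack Back Trace <----*
FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Function Name
0370FF78 77575C36 0370FF98 00000000 00000000 00000000 user32!TranslateMessageEx

*----> Raw Stack Dump <----*
03710048 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
03710058 00 00 00 00 00 00 00 00 - a0 07 e4 01 6b 00 00 00 ............k...
03710068 46 47 55 42 00 00 00 00 - 42 72 69 6e 67 20 6d 65 FGUB....Bring me
03710078 20 32 20 63 75 70 73 20 - 6f 66 20 74 65 61 2c 20  2 cups of tea,
03710088 6e 6f 77 21 00 00 00 00 - 00 00 00 00 00 00 00 00 now!............

*----> Symbol Table <----*
"""

# One dump row: address, 8 hex bytes, '-', 8 hex bytes. The ASCII column
# that follows is ignored because it is lossy.
DUMP_ROW = re.compile(
    r"^(?P<addr>[0-9a-fA-F]{8})\s+"
    r"(?P<left>(?:[0-9a-fA-F]{2}\s+){8})-\s+"
    r"(?P<right>(?:[0-9a-fA-F]{2}\s*){8})"
)

# Printable ASCII including space, excluding the other whitespace bytes.
PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")


def parse_raw_stack_dump(log_text):
    """Return (base_address, data) for the first raw stack dump block.

    base_address is the address of data[0]; data is the reassembled bytes.
    Returns (None, b"") when the log has no dump block.
    """
    data = bytearray()
    base = None
    in_dump = False
    for line in log_text.splitlines():
        if "Raw Stack Dump" in line:
            in_dump = True
            continue
        if not in_dump:
            continue
        m = DUMP_ROW.match(line.strip())
        if m is None:
            if data:        # first non-row line after the rows ends the block
                break
            continue
        if base is None:
            base = int(m.group("addr"), 16)
        # bytes.fromhex() skips the whitespace between byte pairs.
        data += bytes.fromhex(m.group("left") + m.group("right"))
    return base, bytes(data)


def printable_runs(base, data, min_len=8):
    """Return [(address, text)] for runs of at least min_len printable bytes."""
    runs = []
    start = None
    for i, b in enumerate(data + b"\x00"):   # NUL sentinel flushes a trailing run
        if b in PRINTABLE:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                runs.append((base + start, data[start:i].decode("ascii")))
            start = None
    return runs


def leaked(log_text, secret):
    """True if secret occurs verbatim in the reassembled stack bytes."""
    _, data = parse_raw_stack_dump(log_text)
    return secret.encode("ascii") in data


if __name__ == "__main__":
    base, data = parse_raw_stack_dump(SAMPLE_LOG)
    for addr, text in printable_runs(base, data):
        print(f"{addr:08x}  {text!r}")
    # A plain text search of the log misses the split phrase; the
    # reassembled bytes do not.
    print("search of the log text:", SECRET in SAMPLE_LOG)       # False
    print("scan of rebuilt bytes:  ", leaked(SAMPLE_LOG, SECRET))  # True
```

The reason to rebuild the bytes rather than run `find` or `grep` over drwtsn32.log is visible in the constructed sample: the passphrase crosses two 16-byte row boundaries, so no single line of the log contains it, yet the hex columns do. The same scan turns up any other secret that happened to be on the faulting thread's stack at crash time, which is the practical argument for treating the whole log, not just the one row, as sensitive.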
: +------------.
: The Solution  \
: +--------------`--------------------------------------------------------.
: Before you save a page, make sure you check the source. Yes, it is not the
: best way, but at least you know what you are expecting.
+-----------------------------------------------------------------------.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPKOuUPPoW9fFNsN8EQK8vQCg3ggr7GwAxh/W5UZ9LsbOBu2E2HUAmQFY
DZuzj8711+US38Ql52yf5j55
=res/
-----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Thu Mar 28 2002 - 17:47:29 PST