6 April 2009

. IM Memory Dumping

It was around 2003-2004 years when one day I started playing with the way popular Instant Messengers (IM) clients store user's sensitive information in RAM. I was fan of the opensource Gaim IM, so that was my first nominate.

The procedure I had followed was as follows:
1. Installed Gaim on a Windows box
2. Logged in with a fake MSN account
3. Dump the memory contents of a running process to a file using the PMDump by Arne Vidstrom from ntsecurity group.
4. Opened up the file with a Hex editor and presto the password was there in plaintext, I think it was found in two different places.

Doing a little of search with Google, you can find more memory content extractors, see:
APsoft's memdump - this tool gets you the whole system memory
Metasploit's MemDump - added a few months, offers similar functionalities as the tool PMDump
Microsoft's userdump - generates a user dump of a process by shutting it down, by throwing an exception or by making it stop responding, yes it is a bit aggressive.

Later found, that this is a very common bad-practice, followed by software developers who accidentally or unknowingly fail to scrub the password from a memory buffer after authentication, and sadly many software applications fall to this category; to name a few but not limited to these see PuTTY v0.53b, ActivCard, standalone Flash programs and other IMs.

I think it worths noting here that the problem is even bigger with applications that store user's credentials permanently on the physical disk in unencrypted form, see for exampe the recent Intel BIOS Disclosure and regular security posts regarding web server traversals which may result in arbitrary file access.

Now 5 years or so later, I have decided to repeat the experiment and see if things have changed since then, will blog-post the findings soon.