Cleartext Passwords in Linux Memory
Jun 11th, 2008 by sherri
During the last few months I’ve investigated Linux memory, and consistently found cleartext passwords, including my login, SSH, email, IM, Truecrypt, and root passwords. The following paper includes details regarding each password’s location in memory and surrounding context.
Cleartext Passwords in Linux Memory
Given the recent developments with cold boot memory dumping, the risk associated with cleartext passwords and other sensitive data in memory has significantly increased. Last week at HOPE Jacob Appelbaum released some of the cold boot tools which the Princeton, EFF and Wind River team used to dump and analyze memory.
My hope is that detailed information about cleartext passwords will be useful to forensic examiners and the Linux development community. For folks who would like to examine the data for themselves, below are some snippets of process memory that I collected from my Ubuntu test system.
Each zipfile contains a pcat capture of process memory, as well as files containing the ASCII and Unicode strings. In the GDM process memory, you’ll find the login username, password, and shadow file information. In the Truecrypt process memory, you’ll find the volume location, password, and the command used to mount it. There’s other interesting stuff in there as well.
GDM process memory (.zip, 6.0M)
login username: myname1
password: !1MyPwd1!
Truecrypt process memory (.zip, 7.5M)
volume location: /home/myname1/Desktop/tcvol
password: !mytcvol!
shell command: truecrypt Desktop/tcvol
Sherri Davidoff
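As an added example (not part of the original post or its zipfiles), here is a small Python analogue of the ASCII and Unicode `strings` pass described above, run over a constructed blob instead of a real pcat capture. It also includes a helper that lists the strings lying near a keyword, which is the “surrounding context” an examiner reads to decide whether a candidate string is actually a credential; the sample values reuse the ones listed above.

```python
import re
from typing import List, Tuple

# Constructed sample blob standing in for a pcat capture of process memory
# (not a real dump): a few ASCII strings, one UTF-16LE string, binary filler.
SAMPLE_DUMP = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00"
    + b"myname1\x00"                       # login name typed at the prompt
    + bytes(range(16))                     # binary noise, no printable runs
    + b"Password: \x00"                    # PAM-style prompt string
    + b"\x00\x00!1MyPwd1!\x00"             # the password, a short distance away
    + bytes(range(200, 256))               # more noise
    + "truecrypt Desktop/tcvol".encode("utf-16-le") + b"\x00\x00"
    + b"/usr/lib/libc.so.6\x00"
)

Strings = List[Tuple[int, str]]  # (byte offset, decoded string)

def ascii_strings(data: bytes, min_len: int = 4) -> Strings:
    """Printable ASCII runs of at least min_len bytes (what `strings` reports)."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(data)]

def utf16le_strings(data: bytes, min_len: int = 4) -> Strings:
    """Printable UTF-16LE runs, each ASCII byte followed by NUL (`strings -el`)."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [(m.start(), m.group().decode("utf-16-le")) for m in pat.finditer(data)]

def all_strings(data: bytes, min_len: int = 4) -> Strings:
    """Both encodings merged and ordered by offset, so memory neighbours stay adjacent."""
    return sorted(ascii_strings(data, min_len) + utf16le_strings(data, min_len))

def strings_near(data: bytes, keyword: str, window: int = 64) -> Strings:
    """Strings lying within `window` bytes of any string containing `keyword`
    (case-insensitive): the surrounding context an examiner reads to decide
    whether a candidate string really is a credential."""
    found = all_strings(data)
    anchors = [off for off, s in found if keyword.lower() in s.lower()]
    return [(off, s) for off, s in found
            if any(abs(off - a) <= window for a in anchors)]

if __name__ == "__main__":
    for off, s in strings_near(SAMPLE_DUMP, "password"):
        print(f"{off:#06x}  {s!r}")
```

On a real capture, read the file into `data` and lower `window` or raise `min_len` to cut noise; the UTF-16LE pass is what turns up strings that a plain ASCII `strings` run misses.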

Have you done any similar research to find the encryption keys in memory (in particular for TrueCrypt)? With the LRW encryption mode (a deprecated mode that TrueCrypt still supports for existing encrypted partitions), if you encrypt the tweak key with itself, it’s possible to leak the key. I’d be curious about cases where the TrueCrypt memory is swapped out to an encrypted swap file.
I haven’t specifically examined encryption keys in memory, because the Princeton/EFF/Wind River team has already been studying that in-depth (specifically including Truecrypt). It’s a fascinating topic, and I’m looking forward to hearing more of their research. I believe they’ll be presenting at USENIX next week.
If you are interested in finding TrueCrypt keys in memory, you may want to check out the whitepaper from our BlackHat presentation:
http://www.blackhat.com/presentations/bh-dc-07/Walters/Paper/bh-dc-07-Walters-WP.pdf
AW: Very interesting! I’ve just downloaded it and I’m looking forward to reading it. Thanks!
[...] To read Sherri’s post please visit http://philosecurity.org/research/cleartext-passwords-linux [...]