Re: Credentials held unencrypted in memory during runtime

On 11.04.2011 14:08, Annamalai wrote:
> Hi,
>
> While we test a scenario we found the TortoiseSVN client application
> holds the username and password strings in clear text within the memory
> during runtime, The sensitive information (e.g. password) is loaded into
> a variable during the authentication phase. The variable is not cleared
> after the initial use. It is possible to extract the TortoiseSVN strings
> stored in memory and obtain a valid password.
>
> *Testing Evidence : *Using readily available tools, the variables are
> extracted from memory. The password used for authentication remains
> within the variable after use.
>
> *FYI : We tested this in Tortoise SVN 1.6.15*
>
> Please let us know is security issue fixed in the upcoming release.

You have a very strange definition of "security issue".
If someone is able to read the memory from a process, then that someone
has all the privileges necessary to do much more on that system. Reading
a password is in such a situation the least of your problems.
The security issue would be that this someone can actually read the
process memory from another process.

Here are a few pointers for you:
http://blogs.msdn.com/b/oldnewthing/archive/2006/05/08/592350.aspx
http://blogs.msdn.com/b/oldnewthing/archive/2008/03/14/8080140.aspx
http://blogs.msdn.com/b/oldnewthing/archive/2010/09/02/10057047.aspx

So next time, don't cry wolf unless your absolutely sure there's a wolf.

Stefan

-- 
        ___
   oo  // \\      "De Chelonian Mobile"
  (_,\/ \_/ \     TortoiseSVN
    \ \_/_\_/>    The coolest Interface to (Sub)Version Control
    /_/   \_\     http://tortoisesvn.net
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2718903
To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_tortoisesvn.tigris.org].