
RE: Credentials held unencrypted in memory during runtime

From: Feldhacker, Chris <Feldhacker.Chris_at_principal.com>
Date: Mon, 11 Apr 2011 12:15:16 -0500

I would agree that it is a security vulnerability, but, yes, the risk is low.

It would be a "Sensitive Data Protection Vulnerability"
https://www.owasp.org/index.php/Category:Sensitive_Data_Protection_Vulnerability
The first example even:
"Information leakage results from insufficient memory clean-up"

Examples of other programs that go to lengths to protect sensitive information in memory:
http://keepass.info/features.html

I read an article a few weeks ago, around the time of the RSA incident, that mentioned that the fastest-growing threat in recent months is actually advanced persistent threats that perform in-memory scraping to capture credentials (sorry, can't find the exact link again, else I'd provide it).

Yes, if a system is compromised then you've got problems, but that's the whole point of a defense-in-depth strategy -- protections in one layer or area can help minimize the impact of a breach in another area should one occur. Most programming language frameworks or APIs return sensitive data in mutable character arrays rather than immutable types specifically so the data can be overwritten as soon as it's no longer needed to avoid having sensitive data left floating around memory...

FWIW, I'd vote for this bug.

-----Original Message-----
From: Stefan Küng [mailto:tortoisesvn_at_gmail.com]
Sent: Monday, April 11, 2011 11:49 AM
To: users_at_tortoisesvn.tigris.org
Subject: Re: Credentials held unencrypted in memory during runtime

On 11.04.2011 14:08, Annamalai wrote:
> Hi,
>
> While testing a scenario, we found that the TortoiseSVN client application
> holds the username and password strings in clear text in memory
> during runtime. The sensitive information (e.g. password) is
> loaded into a variable during the authentication phase. The variable
> is not cleared after its initial use. It is possible to extract the
> TortoiseSVN strings stored in memory and obtain a valid password.
>
> *Testing Evidence : *Using readily available tools, the variables are
> extracted from memory. The password used for authentication remains
> within the variable after use.
>
> *FYI : We tested this in Tortoise SVN 1.6.15*
>
> Please let us know if this security issue is fixed in the upcoming release.

You have a very strange definition of "security issue".
If someone is able to read the memory of a process, then that someone has all the privileges necessary to do much more on that system. In such a situation, reading a password is the least of your problems.
The security issue would be that this someone can actually read the process memory from another process.

Here are a few pointers for you:
http://blogs.msdn.com/b/oldnewthing/archive/2006/05/08/592350.aspx
http://blogs.msdn.com/b/oldnewthing/archive/2008/03/14/8080140.aspx
http://blogs.msdn.com/b/oldnewthing/archive/2010/09/02/10057047.aspx

So next time, don't cry wolf unless you're absolutely sure there's a wolf.

Stefan

-- 
        ___
   oo  // \\      "De Chelonian Mobile"
  (_,\/ \_/ \     TortoiseSVN
    \ \_/_\_/>    The coolest Interface to (Sub)Version Control
    /_/   \_\     http://tortoisesvn.net
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2718903
To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_tortoisesvn.tigris.org].
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2718906
Received on 2011-04-11 19:15:28 CEST
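The point Chris makes above about keeping credentials in mutable buffers so they can be overwritten after use, and the memory-scan test the original reporter describes, as an added illustration that is not TortoiseSVN code and does not reflect how TortoiseSVN stores credentials internally. The arena, the offset and the sample password are constructed for the example; `secure_memzero` is the portable volatile-pointer idiom standing in for platform APIs such as Windows `SecureZeroMemory()` or glibc `explicit_bzero()`:

```c
/* Added example (not TortoiseSVN code): scrub a credential buffer after use
 * so a scan of process memory no longer finds it, and show why a plain
 * memset() on a buffer that is about to go out of scope is not reliable:
 * the compiler may drop it as a dead store. Portable C11. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A zeroing routine the optimiser cannot elide: every store goes through a
 * volatile pointer. Real code would prefer SecureZeroMemory() (Win32),
 * explicit_bzero() (glibc/BSD) or memset_s() (C11 Annex K) where available. */
static void secure_memzero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Stands in for the reporter's "readily available tools": returns 1 if the
 * byte string `needle` (nlen bytes) appears anywhere inside `hay`. */
int region_contains(const unsigned char *hay, size_t hlen,
                    const char *needle, size_t nlen)
{
    if (nlen == 0 || hlen < nlen)
        return 0;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0)
            return 1;
    return 0;
}

/* A fixed arena standing in for the process heap (constructed for the example). */
#define ARENA_SIZE 256
static unsigned char arena[ARENA_SIZE];

/* "Authenticate" with a copy of the password placed in the arena, then either
 * leave it behind (the behaviour reported in the thread) or scrub it. */
static int authenticate(const char *password, int scrub)
{
    size_t len = strlen(password);
    if (len + 1 > ARENA_SIZE - 16)
        return -1;
    char *buf = (char *)arena + 16;   /* arbitrary offset inside the "heap" */
    memcpy(buf, password, len + 1);
    /* ... buf would be handed to the authentication provider here ... */
    int ok = (len > 0);
    if (scrub)
        secure_memzero(buf, len + 1);  /* overwrite as soon as it is no longer needed */
    return ok;
}

/* Returns 1 if the password can still be found in the arena after
 * authenticate() has returned, 0 if it was scrubbed. */
int password_recoverable_after_auth(const char *password, int scrub)
{
    memset(arena, 0, sizeof arena);
    authenticate(password, scrub);
    return region_contains(arena, sizeof arena, password, strlen(password));
}

int main(void)
{
    const char *pw = "hunter2-example";   /* constructed sample, not a real credential */
    printf("no scrub : recoverable=%d\n", password_recoverable_after_auth(pw, 0));
    printf("scrubbed : recoverable=%d\n", password_recoverable_after_auth(pw, 1));
    return 0;
}
```

Scrubbing only covers the buffer you control: copies made by a string class, a UI control or a network library still have to be handled by those components, which is why a scan of a real process can turn up the credential even when the application's own buffer was cleared.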

This is an archived mail posted to the TortoiseSVN Users mailing list.