Multiple apps plain text storage in memory (FileZilla, iTunes, etc)

2012.08.22
Credit: Myo Soe
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-316

CWE-316: Plain-text Storage in Memory (http://cwe.mitre.org/data/definitions/316.html)
Attack Phase: Post-Exploitation
Activity Class: Sensitive Data Harvesting

1. OVERVIEW

An insecure application development practice is still prevalent in popular applications: they load sensitive information (e.g. user credentials) unencrypted into their own process memory and leave it there. An attacker who has already compromised a user's system, or malicious software running on it, can scan the memory of a particular process and harvest that information.

2. AFFECTED SOFTWARE

- iTunes (Tested on 10.x)
- pfingoTalk (Tested on version: 4.x)
- pidgin (Tested on version: 2.x)
- Tencent QQ (Tested on version: QQ2009 SP3)
- zFTP Server (Tested on version: 2011-04-13)
- FileZilla (Tested on version 3.x)
- ...

3. PROOF-OF-CONCEPT/EXPLOIT

a) pmdump.exe [Process ID] Process.dump
b) bin_find.py Process.dump [Password/Username]
   or
   strings.exe -a -n 5 Process.dump

4. CREDIT

This vulnerability was discovered by Myo Soe, http://yehg.net, YGN Ethical Hacker Group, Myanmar.

5. REFERENCES

Original Advisory URL: http://core.yehg.net/lab/pr0js/advisories/%5Bmultiple-apps%5D_plain-text_storage_in_memory
pmdump: http://ntsecurity.nu/toolbox/pmdump/
bin_find.py: http://core.yehg.net/lab/pr0js/tools/bin_find.py
http://core.yehg.net/lab/pr0js/training/view/CWE-316_plaintext-storage-in-memory/
http://www.metasploit.com/modules/post/windows/gather/memory_grep/
http://carnal0wnage.attackresearch.com/2009/03/dumping-memory-to-extract-password.html
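The defect class and its fix, as an added example that is not part of the advisory or of any of the listed products: a toy login routine copies a credential into a working buffer and either leaves it behind (the CWE-316 pattern) or wipes it before releasing the buffer, and a scan of the surrounding memory shows the difference. It assumes a static `arena` standing in for the process heap, a hypothetical `login()` routine, and a constructed sample password.

```c
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for the process heap; scanned directly here instead of
   dumping a live process the way the advisory's PoC does. */
static unsigned char arena[4096];

/* Zeroise through a volatile pointer so the compiler cannot drop the stores as
   dead (a plain memset() right before free/return is routinely optimised away).
   explicit_bzero()/SecureZeroMemory() do the same job where available. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* The strings(1)/bin_find-style check a reviewer would run over a dump:
   returns 1 if needle occurs anywhere in region[0..len). */
int region_contains(const unsigned char *region, size_t len, const char *needle) {
    size_t nlen = strlen(needle);
    if (nlen == 0 || nlen > len) return 0;
    for (size_t i = 0; i + nlen <= len; i++)
        if (memcmp(region + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Hypothetical login: copies the credential into a working buffer inside the
   arena and "uses" it (a checksum stands in for hashing or sending it). With
   wipe == 0 this is the CWE-316 pattern: the buffer is released with the
   password still in it. With wipe == 1 the buffer is cleared first. */
unsigned login(const char *password, int wipe) {
    unsigned char *buf = arena + 128;          /* "allocation" inside the arena */
    size_t n = strlen(password);
    unsigned h = 0;
    memcpy(buf, password, n);
    for (size_t i = 0; i < n; i++) h = h * 31 + buf[i];
    if (wipe) secure_wipe(buf, n);
    return h;                                   /* buf is "freed" here */
}

/* Run one login variant on a clean arena, then scan the arena for the secret.
   Returns 1 if the credential is still recoverable from memory. */
int secret_survives(const char *password, int wipe) {
    memset(arena, 0, sizeof arena);
    login(password, wipe);
    return region_contains(arena, sizeof arena, password);
}
```

The same check applied to a real dump is the advisory's step 3; a product that passes it for its credential buffers has closed this finding for that code path, though copies made by libraries or the UI toolkit need the same review.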


Copyright 2024, cxsecurity.com
