Vulnerability Development mailing list archives
Re: Getting passwords from the heap?
From: "Jason R. Seats" <Jason.Seats () TechGuardSecurity com>
Date: Wed, 27 Jun 2001 10:25:13 -0500
Dennis McHenry wrote:
> From: "Felix von Leitner" <leitner () vim org>
>
> > This wasn't perchance a Microsoft operating system you were using?
>
> It's been a while since I've done C for a win system, but as I recall Malloc returns zeroed-out chunks. My response to Jason's point, though, is that if a program doesn't handle sensitive information in a prudent manner (preventing it from being swapped to disk, overwriting the memory space where it was stored, etc.), the information could indeed be in memory. I'd label this as a programming error for the application that left its sensitive info sitting around, rather than an OS problem (I don't recall Windows saying it wiped memory after closing applications). If you're using a win box, you can use debug to examine memory remnants.

If you are using the debug version of the C runtime libs for Windows, freed memory is set to a characteristic value so that you can recognize if you are ever dereferencing a pointer into freed memory (0x45, I think). You can use the debugger to watch Release-built applications' memory in a realistic way, though.

--
Jason Seats
Information Security Software Engineer
TechGuard Security
jason.seats () techguardsecurity com
www.techguardsecurity.com
636-519-4848
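
Added example, not part of the original message or thread: a C illustration of the point in the quoted reply, that releasing memory without overwriting it leaves the secret findable while a scrub before release does not. The pool allocator, the function names and the sample password are all constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a heap: a fixed pool with a bump pointer, so that
   looking at released bytes is well-defined C (reading free()d memory is not). */
static unsigned char pool[256];
static size_t pool_top;

static void *pool_alloc(size_t n) {
    if (n > sizeof pool - pool_top) return NULL;
    void *p = pool + pool_top;
    pool_top += n;
    return p;
}

/* Like a plain free(): the space is reusable, the old bytes stay in place. */
static void pool_release(size_t n) { pool_top -= n; }

/* Volatile stores, so the compiler cannot drop them as dead writes. */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Search the whole pool for a string, as a memory examination would. */
static size_t pool_find(const char *needle) {
    size_t len = strlen(needle), hits = 0;
    for (size_t i = 0; i + len <= sizeof pool; i++)
        hits += (memcmp(pool + i, needle, len) == 0);
    return hits;
}

/* Store a constructed password, release it, return copies still findable. */
size_t remnants_after_release(int scrub) {
    static const char pw[] = "constructed-sample-pw";
    memset(pool, 0, sizeof pool); pool_top = 0;
    char *p = pool_alloc(sizeof pw);
    if (!p) return (size_t)-1;
    memcpy(p, pw, sizeof pw);
    if (scrub) wipe(p, sizeof pw);   /* overwrite before giving the space back */
    pool_release(sizeof pw);
    return pool_find(pw);
}

int main(void) {
    printf("plain: %zu, wiped: %zu\n", remnants_after_release(0), remnants_after_release(1));
    return 0;
}
```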