====================================================================================
Multiple Windows Applications | Unencrypted Sensitive Information Storage in Memory 
====================================================================================

CWE-316: Plain-text Storage in Memory (http://cwe.mitre.org/data/definitions/316.html)
Attack Phase: Post-Exploitation
Activity Class: Sensitive Data Harvesting


1. OVERVIEW

An insecure application development practice is still prevalent in popular applications that load sensitive information (i.e. user credentials) unencrypted in their respective process memory. Remote attackers who compromise a user's system or malicious softwares could scan a particular process memory for sensitive information. 


2. AFFECTED SOFTWARES

- iTunes (Tested on 10.x)
- pfingoTalk (Tested on version: 4.x)
- pidgin (Tested on version: 2.x)
- Tencent QQ (Tested on version: QQ2009 SP3)
- zFTP Server (Tested on version: 2011-04-13)
- FileZilla (Tested on version 3.x)
- ...

3. PROOF-OF-CONCEPT/EXPLOIT

	- a) pmdump.exe [Process ID] Process.dump
	- b) bin_find.py Process.dump [Password/Username] 
			or 
		 strings.exe -a -n 5 Process.dump


4. CREDIT

This vulnerability was discovered by Myo Soe, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


5. REFERENCES

Original Advisory URL: http://core.yehg.net/lab/pr0js/advisories/%5Bmultiple-apps%5D_plain-text_storage_in_memory
pmdump: http://ntsecurity.nu/toolbox/pmdump/
bin_find.py : http://core.yehg.net/lab/pr0js/tools/bin_find.py
http://core.yehg.net/lab/pr0js/training/view/CWE-316_plaintext-storage-in-memory/
http://www.metasploit.com/modules/post/windows/gather/memory_grep/
http://carnal0wnage.attackresearch.com/2009/03/dumping-memory-to-extract-password.html


#yehg [2012-08-22]