From: Ron DuFresne (dufresneWINTERNET.COM)
Date: Mon Apr 02 2001 - 19:50:42 CDT


    This is a known issue and has been a topic of recent discussion in
    bugtraq itself, with workarounds posted as to how to make this less of an
    issue...

    Thanks,

    Ron DuFresne

    On Mon, 2 Apr 2001, Ettore Caprella wrote:

    > Last week my Win2k crashed too. Win2K created a full memory dump file and inside there were my passwords (ICQ, POP).
    > I don't know if this is a Win2k bug or an application bug but I think this is not a good thing.
    > The application, when it uses a password, should clear the string in memory, filling it with zeros.
    >
    > Sorry for my English.
    >
    > Bye Ettore
    >
    > -----Original message-----
    > From: VULN-DEV List [mailto:VULN-DEVSECURITYFOCUS.COM] On behalf of -No
    > Strezzz Cazzz
    > Sent: Monday 2 April 2035 1.56
    > To: VULN-DEVSECURITYFOCUS.COM
    > Subject: ICQ crash-dump stores PLAINTEXT password. (creepy)
    >
    >
    > Made in Holland
    > PCP/A #0008 (pr0ph)
    >
    >
    > ICQ crash-dump stores PLAINTEXT password. (creepy)
    >
    >
    > This advisory is very similar to my PCP/A #0004 (NT stores passwords in
    > plaintext). This was posted on Vuln-Dev on 3/21/01. However the
    > Vuln-Dev archives on Securityfocus have a gap; they don't contain the
    > messages posted between 03/20/01 and 03/24/01. You can still find it on the
    > Win2ksecadvise mailing list archive:
    > http://www.ntsecurity.net/go/win2ks-l.asp?A2=IND0103C&L=WIN2KSECADVICE&P=562
    >
    >
    > [I use bogus passwords in this advisory, for privacy reasons =]
    >
    > Okay here we go. While I was playing with my system clock I put the year on
    > 2099 for fun. A few seconds after that I got the following "Dr. Watson for
    > Windows NT" error:
    >
    > "An application error has occurred and an application error log is being
    > generated.
    >
    > icq.exe
    > Exception: access violation: (0xc0000005), Address: 0x2020128f"
    >
    > I thought: "sw33t, another bug". And here I am. I changed the date back to
    > normal and restarted ICQ. I kept changing the date until I knew at what date
    > ICQ will crash: the 1st of January, 2038.
    >
    > [When I informed a friend of this bug she told me that during the
    > "millennium-bug-hype" MS released some advisories on "dangerous dates". She
    > told me 2029 and 2038 were mentioned in the text]
    >
    >
    > Let's get baq to traqqing. I still remembered the text I wrote on POP3 and
    > dial-up passwords being stored in plaintext in a USER.DMP file. (Dr. Watson
    > will create a USER.DMP file each time a user-mode program crashes). The
    > USER.DMP that was created when ICQ crashed was located in my WINNT
    > directory. I wondered if this would perhaps also store some interesting
    > info, like my password. I opened it up and used Search/Find/"pazzzw0rd" to
    > see if it contained my ICQ password. Well....!t d!d !
    >
    > It's hard to find a password in 16-20 MB of text if you don't know what
    > you're looking for. So here's what I can tell you about the location of the
    > password:
    >
    > In all the USER.DMP's I created so far by crashing ICQ my ICQ password showed
    > up either 2 or 3 times. Although I created all USER.DMP's in the same way
    > (crashing ICQ by setting the date to 2038) their sizes varied from 16-20
    > MB. The ICQ password was stored in this format: "ICQpazzzw0rd". On one
    > occasion it showed up with a space between each letter, like: "I C Q p a z z
    > z w 0 r d". I will show you the lines where it showed up in my last
    > USER.DMP:
    >
    > [~l LAST MESSAGE I RECEIVED BEFORE ICQ CRASHED HERE0 A R d w
    > w y ay. !  ~~ആ ~ ! A
    > |H|r t<| 4$|4* ||-  A  ICQpazzzw0rd
    >  L~tweb.icq.com/client/ate/ad-handler/0,,clspl_de,00.htm
    > Gray P 1 8" Ѓ  h Ѓ  ICQpazzzw0rd
    >  ! (! ts
    >
    > As you can see it is stored 2 times, close to each other. As you can see it
    > is beneath the last message I received before I crashed my ICQ. The password
    > will ALWAYS show up very close to the last message that was received before
    > ICQ crashed. Note that the password was always stored in the upper 10% of
    > the USER.DMP file. Use "wordwrap" to read it from top to bottom when needed.
    >
    > Sometimes it was stored near words like "User" and "Password", but it is
    > ALWAYS very close (a few lines below) to the last message you received.
    >
    > Solution: If you uncheck "save password" in your ICQ this will NOT help. In
    > fact the times that I unchecked "save password" and crashed ICQ, my password
    > showed up 6 times in the USER.DMP file! The best thing to do here is to
    > uncheck the "create crash dump file" checkbox in drwtsn32.exe (assuming you
    > run NT). Or you can change the location that your debugger will write its
    > dumps to, to a directory that only you can access. [thanks to Craig Boston
    > for pointing this out]
    >
    > Well happy hunting. Btw, I did not only notice that ICQ will crash when you
    > put your clock years ahead; other applications like Norton crashed too.
    > These programs cannot be restarted until the date is set back to "normal"
    > again. Kids chatting you poor on 57,600 bps? Set the date to 2038.
    > Wait....I didn't say that. Anyway I'll see if I can write up an interesting
    > advisory on this.
    >
    > This is tested on Windows NT4 Workstation with Service Pack 4.
    >
    > Try it yourself and please let us know the results (if they vary from the
    > results mentioned above). Please mail us at:
    >
    > Special_Projectscazzz.demon.nl (The Lab)
    > Industrial_Strengthcazzz.demon.nl (The Exploiters)
    >
    >
    > Another fine Planet Cazzz Production/Advisory. In association with The
    > Nations Top. We cannot be held responsible for your actions, but you can
    > try. Made in Holland. PCP/A #0008 (pr0ph)
    >
    > We want to say hell0 to all the Crackers, the Hackers and the Phreax. We
    > want to say hell0 to all the people in this place. We want to say hell0 to
    > all the Sinners and 31337. We say hell0 to all the people in the world...
    >
    > [Would it be possible that all programs that use passwords would print them
    > in plaintext in a USER.DMP when they crash. Food for thought...tasty]
    >
    >
    >
    > -No Strezzz Cazzz, Powered By UN0X
    >
    > Vengeance is here, it's time to resurrect. Anger without ph34r: The Bulld0zer
    > Project...
    >

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    "Cutting the space budget really restores my faith in humanity. It
    eliminates dreams, goals, and ideals and lets us get straight to the
    business of hate, debauchery, and self-annihilation." -- Johnny Hart
            ***testing, only testing, and damn good at it too!***

    OK, so you're a Ph.D. Just don't touch anything.
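The wipe-after-use that Ettore asks for, as an added example that is not code from this thread, ICQ or Windows: it builds the "ICQ<password>" login string the advisory describes in a pretend-heap buffer, once as plain bytes and once in the spaced-out form (assumed here to be a UTF-16LE copy), scans the region the way a search over USER.DMP would, and shows the copies vanish once the buffer is zeroed through a volatile pointer. The function names and the password value are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed password; the advisory uses the bogus "pazzzw0rd" as well. */
static const char kPassword[] = "pazzzw0rd";

/* Zero a buffer through a volatile pointer so the compiler cannot drop
 * the stores as dead, which it may do with a plain memset before free. */
void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Count plain-byte occurrences of needle in a memory region. */
size_t count_narrow(const unsigned char *hay, size_t len, const char *needle) {
    size_t n = strlen(needle), hits = 0;
    for (size_t i = 0; n && i + n <= len; i++)
        if (memcmp(hay + i, needle, n) == 0) hits++;
    return hits;
}

/* Count two-bytes-per-character occurrences: each char followed by a zero
 * byte, which reads as "I C Q p a z z z w 0 r d" in a text viewer. */
size_t count_wide(const unsigned char *hay, size_t len, const char *needle) {
    size_t n = strlen(needle), hits = 0;
    for (size_t i = 0; n && i + 2 * n <= len; i++) {
        size_t k = 0;
        while (k < n && hay[i + 2 * k] == (unsigned char)needle[k] &&
               hay[i + 2 * k + 1] == 0) k++;
        if (k == n) hits++;
    }
    return hits;
}

/* Simulated login: "ICQ<password>" is placed twice in a pretend-heap region
 * (narrow and wide), "sent", then optionally wiped. Returns how many copies
 * a dump scanner would still find afterwards. */
size_t login_leak_count(int wipe) {
    unsigned char heap[256];
    memset(heap, 0xAA, sizeof heap);          /* filler standing in for other data */
    char *narrow = (char *)heap + 16;
    unsigned char *wide = heap + 96;
    int n = snprintf(narrow, 32, "ICQ%s", kPassword);
    for (int i = 0; i <= n; i++) { wide[2 * i] = (unsigned char)narrow[i]; wide[2 * i + 1] = 0; }
    /* ... credential would be sent to the server here ... */
    if (wipe) { secure_wipe(narrow, 32); secure_wipe(wide, 2 * (size_t)(n + 1)); }
    return count_narrow(heap, sizeof heap, kPassword) + count_wide(heap, sizeof heap, kPassword);
}
```

The wipe only covers buffers the application itself controls; copies held by libraries or the OS stay in a dump, so the advisory's advice to disable or restrict the crash dump still applies.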