From: Peter Foreman (p.foreman@PLANETMEDIAGROUP.NL)
Date: Tue Apr 03 2001 - 02:17:13 CDT
    Like with all coredumps, this is normal. I don't see why there's such a
    fuss about this. Of course it contains your password, even if you uncheck
    the "save password" box: it needs to have your password in memory
    somewhere to connect to ICQ, right?

    Even on Unix this is standard behaviour; maybe you could write an exploit
    about having your passwords in /proc/kmem?

    And you say this:
      [Would it be possible that all programs that use passwords would print
      them in plaintext in a USER.DMP when they crash. Food for thought...tasty]

    It totally depends on how the process stores it in memory. Even then,
    protocols that need plaintext passwords are always vulnerable to this; if
    you encrypt the password in memory, you mostly have every other detail you
    need to decrypt it again in memory too. Still, this is not a bug and is
    not ICQ-specific. Like always: coredumps should be set mode 600 and root
    processes should never dump core. This is Dr. Watson's problem.

    The date (1 Jan 2038) is when the unix time overflows its unsigned long
    and begins at 0 again.

    Next time save us the greets, please.

    [TRi]

    -----Original Message-----
    From: Ettore Caprella [mailto:ettore.caprella@CSELT.IT]
    Sent: Monday, April 02, 2001 7:33 PM
    To: VULN-DEV@SECURITYFOCUS.COM
    Subject: R: ICQ crash-dump stores PLAINTEXT password. (creepy)

    Last week my Win2k also crashed. Win2K created a full memory dump file and
    inside there were my passwords (ICQ, POP).
    I don't know if this is a Win2k bug or an application bug, but I think
    this is not a good thing.
    The application, when it uses a password, should clear the string in
    memory, filling it with zeros.

    Sorry for my English.

    Bye Ettore

    -----Original Message-----
    From: VULN-DEV List [mailto:VULN-DEV@SECURITYFOCUS.COM] On behalf of -No
    Strezzz Cazzz
    Sent: Monday 2 April 2035 1:56
    To: VULN-DEV@SECURITYFOCUS.COM
    Subject: ICQ crash-dump stores PLAINTEXT password. (creepy)

    Made in Holland
    PCP/A #0008 (pr0ph)

    ICQ crash-dump stores PLAINTEXT password. (creepy)

    This advisory is very similar to my PCP/A #0004 (NT stores passwords in
    plaintext). That one was posted on Vuln-Dev on 3/21/01. However, the
    Vuln-Dev archives on SecurityFocus have a gap: they don't contain the
    messages posted between 03/20/01 and 03/24/01. You can still find it on
    the Win2ksecadvice mailing list archive:
    http://www.ntsecurity.net/go/win2ks-l.asp?A2=IND0103C&L=WIN2KSECADVICE&P=562

    [I use bogus passwords in this advisory, for privacy reasons =]

    Okay, here we go. While I was playing with my system clock I set the year
    to 2099 for fun. A few seconds after that I got the following "Dr. Watson
    for Windows NT" error:

    "An application error has occurred and an application error log is being
    generated.

    icq.exe
    Exception: access violation: (0xc0000005), Address: 0x2020128f"

    I thought: "sw33t, another bug". And here I am. I changed the date back to
    normal and restarted ICQ. I kept changing the date until I knew at which
    date ICQ would crash: the 1st of January, 2038.

    [When I informed a friend of this bug she told me that during the
    millennium-bug hype MS released some advisories on "dangerous dates". She
    told me 2029 and 2038 were mentioned in the text]

    Let's get baq to traqqing. I still remembered my text on POP3 and dial-up
    passwords being stored in plaintext in a USER.DMP file. (Dr. Watson will
    create a USER.DMP file each time a user-mode program crashes.) The
    USER.DMP that was created when ICQ crashed was located in my WINNT
    directory. I wondered if this would perhaps also store some interesting
    info, like my password. I opened it up and used Search/Find/"pazzzw0rd" to
    see if it contained my ICQ password. Well.... !t d!d!

    It's hard to find a password in 16-20 MB of text if you don't know what
    you're looking for, so here's what I can tell you about the location of
    the password:

    In all the USER.DMPs I created so far by crashing ICQ, my ICQ password
    showed up either 2 or 3 times. Although I created all USER.DMPs in the
    same way (crashing ICQ by setting the date to 2038), their sizes varied
    from 16-20 MB. The ICQ password was stored in this format: "ICQpazzzw0rd".
    On one occasion it showed up with a space between each letter, like:
    "I C Q p a z z z w 0 r d". I will show you the lines where it showed up in
    my last USER.DMP:

    [~l LAST MESSAGE I RECEIVED BEFORE ICQ CRASHED HERE0 A R d w
    w y ay. ! ... EUR~~? ~ ! A
    |H|r t<| 4$|4* ||Z-  A  ICQpazzzw0rd
     EUR L~tweb.icq.com/client/ate/ad-handler/0,,clspl_de,00.htm
    Gray P 1 8" f'  h"' f' EUR 
    ICQpazzzw0rd
     ! (?! ts ?

    As you can see, it is stored 2 times, close to each other, and it is
    beneath the last message I received before I crashed my ICQ. The password
    will ALWAYS show up very close to the last message that was received
    before ICQ crashed. Note that the password was always stored in the upper
    10% of the USER.DMP file. Use "word wrap" to read it from top to bottom
    when needed.

    Sometimes it was stored near words like "User" and "Password", but it is
    ALWAYS very close (a few lines below) to the last message you received.

    Solution: Unchecking "save password" in your ICQ will NOT help. In fact,
    the times I unchecked "save password" and crashed ICQ, my password showed
    up 6 times in the USER.DMP file! The best thing to do here is to uncheck
    the "create crash dump file" checkbox in drwtsn32.exe (assuming you run
    NT). Or you can change the location your debugger writes its dumps to, to
    a directory that only you can access. [thanks to Craig Boston for
    pointing this out]

    Well, happy hunting. Btw, I not only noticed that ICQ will crash when you
    put your clock years ahead; other applications like Norton crashed too.
    These programs cannot be restarted until the date is set back to "normal"
    again. Kids chatting you poor on 57,600 bps? Set the date to 2038.
    Wait.... I didn't say that. Anyway, I'll see if I can write up an
    interesting advisory on this.

    This is tested on Windows NT4 Workstation with Service Pack 4.

    ***
    [lame stuff snipped]

    -No Strezzz Cazzz, Powered By UN0X

    Vengeance is here, it's time to resurrect. Anger without ph34r: The
    Bulld0zer Project...
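The advisory above finds the password by hand with a text editor's Find, and notes that one copy appeared "with a space between each letter". That second form is what a Windows wide (UTF-16LE) string looks like in an editor: every letter is followed by a 0x00 byte. The following scanner is an added example, not code from the thread or from any of its authors; it searches a dump for a known secret in both the 8-bit and UTF-16LE encodings, reports each hit's offset and surrounding bytes, and measures how far past the "last message received" each copy sits, which is the landmark the advisory says to look for. The dump it scans is a few KB of constructed bytes standing in for a real USER.DMP; the layout (filler, last message, an "ICQ"+password copy, then a wide copy) and the bogus password "pazzzw0rd" are assumptions chosen to mirror the advisory, not real dump contents.

```python
import random
import re

# Constructed stand-in data (not from a real USER.DMP).
LAST_MESSAGE = b"hey, are you still there?\x00"   # assumed "last message received"
SECRET = "pazzzw0rd"                               # bogus password, as in the advisory


def encodings_of(secret):
    """Byte forms a secret may take in the memory of a Windows process.

    'ansi' is the plain 8-bit string.  'utf16le' is the wide string used by
    the Win32 W-APIs; in a text editor every letter seems to be followed by a
    space because the high byte of each UTF-16 code unit is 0x00.  That is
    the "I C Q p a z z z w 0 r d" form the advisory reports.
    """
    return {
        "ansi": secret.encode("latin-1"),
        "utf16le": secret.encode("utf-16-le"),
    }


def find_secret(dump, secret, context=16):
    """Locate every copy of `secret` in `dump`.

    Returns a list of (offset, encoding, context_bytes) sorted by offset so a
    reviewer can see what the password sits next to.
    """
    hits = []
    for name, pattern in encodings_of(secret).items():
        for m in re.finditer(re.escape(pattern), dump):
            lo = max(0, m.start() - context)
            hi = min(len(dump), m.end() + context)
            hits.append((m.start(), name, dump[lo:hi]))
    return sorted(hits)


def distance_after(dump, marker, offset):
    """Bytes between the end of `marker` and the hit at `offset`.

    The advisory says the password always shows up a few lines below the
    last message received; this measures that gap.  Returns None if the
    marker is absent or does not end before the hit.
    """
    pos = dump.find(marker)
    if pos < 0 or pos + len(marker) > offset:
        return None
    return offset - (pos + len(marker))


def build_sample_dump(secret=SECRET, seed=7):
    """Constructed stand-in for a 16-20 MB USER.DMP (a few KB here).

    Lays out seeded random filler, the last received message, an ANSI copy
    of "ICQ"+password a little further on, then a wide-character copy.
    Returns the bytes plus the offsets the secret was planted at, so the
    scanner's output can be checked against ground truth.
    """
    rng = random.Random(seed)

    def filler(n):
        return bytes(rng.randrange(256) for _ in range(n))

    parts = [filler(4096), LAST_MESSAGE, filler(256)]
    planted = {}

    ansi_blob = b"ICQ" + secret.encode("latin-1")
    planted["ansi"] = sum(map(len, parts)) + len(b"ICQ")
    parts += [ansi_blob, filler(128)]

    wide_blob = ("ICQ" + secret).encode("utf-16-le")
    planted["utf16le"] = sum(map(len, parts)) + len("ICQ".encode("utf-16-le"))
    parts += [wide_blob, filler(1024)]

    return b"".join(parts), planted


if __name__ == "__main__":
    dump, planted = build_sample_dump()
    for off, enc, ctx in find_secret(dump, SECRET):
        gap = distance_after(dump, LAST_MESSAGE, off)
        print(f"{off:#08x} {enc:8s} {gap} bytes after last message  {ctx!r}")
```

Point `find_secret` at the bytes of a real dump (`open(path, "rb").read()`) and the password you expect to be in it; if you do not know the secret, the same two-encoding approach applies to any marker string such as "Password" or the client's own name. Scanning for both encodings matters because grep and most editors only match the 8-bit form and silently miss the wide copy.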