Re: [Full-disclosure] Google Talk cleartext credentials in process memory

2005-11-29 Thread Jaroslaw Sajko
pagvac wrote: Title: Google Talk Beta Messenger cleartext credentials in process memory Description Google Talk stores all user credentials (username and password) in clear-text in the process memory. Such vulnerability was found on August 25, 2005 (two days after the release of Google

Re: [Full-disclosure] Google Talk cleartext credentials in process memory

2005-11-29 Thread 6ackpace
Hi, If I am right Google Talk Beta Messenger cleartext credentials in process memory still exist on the current version. Google's answer for this issue: plainchar - hex char 6ackpace On 11/29/05, Jaroslaw Sajko [EMAIL PROTECTED] wrote: pagvac wrote: Title: Google Talk Beta Messenger cleartext

Re: [Full-disclosure] Google Talk cleartext credentials in process memory

2005-11-29 Thread pagvac
Personally I only tested the patched version by searching for the ASCII (decimal) representation of my own password. In other words, I searched for mypassword with a hex editor, rather than its hexadecimal representation 6d7970617373776f7264. If what you're saying is that all Google did is change

Re: [Full-disclosure] Google Talk cleartext credentials in process memory

2005-11-29 Thread Nasko Oskov
On Tue, Nov 29, 2005 at 11:57:00AM +0100, Jaroslaw Sajko wrote: pagvac wrote: Jaroslaw, thanks for your post. You're right, the same issue occurs in *many* applications. However, any vendor that is serious about security will at least attempt to obfuscate the credentials in memory

Re: [Full-disclosure] Google Talk cleartext credentials in process memory

2005-11-29 Thread Jaroslaw Sajko
Nasko Oskov wrote: If you want to protect the credentials in memory from dumps that go to Microsoft, why not use CryptProtectMemory() instead of home-grown obfuscation? This function encrypts the memory with a key that changes over reboots, so even if you send a dump to MS, they wouldn't know

Re: [Full-disclosure] Google Talk cleartext credentials in process memory

2005-11-29 Thread Georgi Guninski
On Tue, Nov 29, 2005 at 01:11:47PM -0500, Nasko Oskov wrote: If you want to protect the credentials in memory from dumps that go to Microsoft, why not use CryptProtectMemory() instead of home-grown obfuscation? This function encrypts the memory with a key that changes over reboots, so even

Re: [Full-disclosure] Google Talk cleartext credentials in process memory

2005-11-29 Thread Kurt Grutzmacher
Nasko Oskov wrote: If you want to protect the credentials in memory from dumps that go to Microsoft, why not use CryptProtectMemory() instead of home-grown obfuscation? This function encrypts the memory with a key that changes over reboots, so even if you send a dump to MS, they wouldn't know

[Full-disclosure] Google Talk cleartext credentials in process memory

2005-11-28 Thread pagvac
Title: Google Talk Beta Messenger cleartext credentials in process memory Affected versions: 1.0.0.64 (this version is believed to be the first one released to the public) Vendor contacted: 25/08/05 Patched version released: 29/08/05 Advisory released: 28/11/05 Author: pagvac (Adrian Pastor)