Master password stored in CLEARTEXT into the system RAM after being entered [ASM]




8 years ago
8 years ago


(Reporter: Peter Petrov, Unassigned)


Firefox Tracking Flags

(Not tracked)




(1 attachment)



8 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; bg; rv: Gecko/20091201 Firefox/3.5.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; bg; rv: Gecko/20091201 Firefox/3.5.6

After loading up Firefox AND entering the master password, it gets saved in CLEARTEXT into the proccess's address space, this way, being visible with full RAM dump of the Firefox proccess.

Reproducible: Always

Steps to Reproduce:
1. Boot up Firefox
2. Enter your master password.

--- assuming that this is no longer you, but someone else or a malware: ---
3. Dump the Firefox.exe's RAM to file or open it into the debugger.
4. Do a search for it - it WILL be there.
Actual Results:  
Step 4: You can see the password in cleartext into the system RAM. This way, a Virus that dumps firefox's RAM must really screw some users up.

Expected Results:  
At step 4: The password should NOT be found into the dump. That it, it must be saved in a different way into system RAM.

In order to keep the password into the system RAM, find a way to encrypt it into the RAM, and decrypt it before entering it into a textfield or sending it over, so hackers can't just decrypt it easily. About the algorithm, to encrypt it use some random key, for example user's IP address or MAC address.... and do not keep it into the RAM when no longer needed. This way, dumpers won't have any chance to get the master password.

Built from
Build platform

Build tools
Compiler 	Version 	Compiler flags
cl 	14.00.50727.762 	-TC -nologo -W3 -Gy -Fdgenerated.pdb -DNDEBUG -DTRIMMED -Zi -UDEBUG -DNDEBUG -GL -wd4624 -wd4952 -O1
cl 	14.00.50727.762 	-GR- -TP -nologo -Zc:wchar_t- -W3 -Gy -Fdgenerated.pdb -DNDEBUG -DTRIMMED -Zi -UDEBUG -DNDEBUG -GL -wd4624 -wd4952 -O1

Configure arguments
--enable-application=browser --enable-update-channel=release --enable-update-packaging --enable-jemalloc --enable-official-branding --with-crashreporter-enable-percent=10

Comment 1

8 years ago
Created attachment 421570 [details]
Screen shot showing my master password used for last testcase, marked in RED
This is a losing game; some flavor of the password (or values derived from it) has to remain usable in memory so that operations requiring the master password to have been entered can be performed. Trying to obscure the value just leads to extra complexity that's fairly trivial to defeat for an attacker with access to a memory dump.

Comment 3

8 years ago
However, encryptin g with combination of known algorithms that are already implemented into Firefox and decrypting before reuse will make the master password not clearly visible all the time. As a member of Cracking group I always analyze how apps store their data. At least, newb hackers will be unable to decrypt the dump if encrypted :)
Interesting that this and bug 539608 were filed hours apart.  This is probably WONTFIX, but I'll let at least one more person concur before resolving the bug.


8 years ago
Group: core-security
Last Resolved: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 539608
You need to log in before you can comment on or make changes to this bug.