Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Insecure Password handling #84

Closed
Belatronix opened this issue Jun 8, 2016 · 1 comment
Closed

Insecure Password handling #84

Belatronix opened this issue Jun 8, 2016 · 1 comment
Milestone
1.0

Comments

@Belatronix
Copy link
Contributor

Belatronix commented Jun 8, 2016
edited
Loading

Hi,

i would like to discuss a possible security issue that i see inside of the Nitrokey App.

I will show it at the following piece of code outside of stick20changepassworddialog.cpp on Line 236

void DialogChangePassword::Stick10ChangePassword(void) {
int ret;

int password_length;
// this is rubbish - replace all occurences of password_length with the Macro
// STICK10_PASSWORD_LEN
QByteArray PasswordString;
password_length = STICK10_PASSWORD_LEN;
unsigned char old_pin[password_length + 1];
unsigned char new_pin[password_length + 1];

memset(old_pin, 0, password_length + 1);
memset(new_pin, 0, password_length + 1);

-> Here it starts!!!!

PasswordString = ui->lineEdit_OldPW->text().toLatin1();
strncpy((char *)old_pin, PasswordString.data(), password_length);

-> copying the Plain! Password unhashed into the memory.

PasswordString = ui->lineEdit_NewPW_1->text().toLatin1();
strncpy((char *)new_pin, PasswordString.data(), password_length);

-> copying the new Plain! Password also unhashed into the memory
-> since here a possible Attack can fish the old and the new password.

// Change password
if (PasswordKind == STICK10_PASSWORD_KIND_ADMIN)
ret = cryptostick->changeAdminPin(old_pin, new_pin);
else // if ( PasswordKind == STICK10_PASSWORD_KIND_USER )
ret = cryptostick->changeUserPin(old_pin, new_pin);

if (ret == CMD_STATUS_WRONG_PASSWORD) {
csApplet->warningBox(tr("Wrong password."));
} else if (ret != CMD_STATUS_OK) {
csApplet->warningBox(tr("Couldn't change %1 password")
.arg((PasswordKind == STICK10_PASSWORD_KIND_USER) ? "user" : "admin"));
}
}`
-> Amazing! Both of the passwords are still exist in the Memory to get fished
-No deleting or something else-

My suggestions about a possible solution:
1.) The Passwords has to be cleaned out of the memory urgently after use. In this Case the method cryptostick->changeAdminPin() also makes a copy of the Plain Password Memory.
2.) They have to be stored hashed - and not in one place, even better fragmented - inside of the memory.

Axel
@szszszsz szszszsz added this to the 1.0 milestone Apr 14, 2017
@szszszsz
Copy link
Member

This is fixed in v1.0. Passwords are handled now more securely and it should be now harder to find them in the released memory.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.0
Development

No branches or pull requests
2 participants
@Belatronix @szszszsz