PGP with Outlook Stores Password Pass Phrases in the Clear
31 Mar. 2002
Summary
Outlook can be integrated with PGP. The integration allows users to encrypt and decrypt emails, sign content and use PGP's other features almost seamlessly, without the hassle of a third-party front-end. A security vulnerability has been found that allows a local attacker to obtain the user's pass phrase by reading the memory dump that Dr. Watson writes when the Outlook client crashes.
Credit:
The information has been provided by NtWaK0.
Details:
By default, every user on the machine can read drwtsn32.log, the log file Dr. Watson writes when an application crashes. It is located in:
Under Windows 2000:
C:\Documents and Settings\All Users\Documents\DrWatson\drwtsn32.log
Under Windows NT:
C:\Winnt\System32\drwtsn32.log
Whenever the Outlook client (with PGP integrated into it) crashes, Dr. Watson dumps the memory contents of the process into this file (drwtsn32.log). The file has been found to contain the pass phrase of the encrypting user in plain text. Since the file is readable by everyone, any other local user can read the pass phrase from the log afterwards without ever touching Outlook or PGP.
Example excerpt from drwtsn32.log (the disassembly around the faulting thread; the pass phrase itself is not visible in the lines reproduced here):
function: TranslateMessageEx
77e1323a 0f8500c40200 jne EnumDesktopWindows+0xd88 (77e3f640)
77e13240 33c0 xor eax,eax
77e13242 c20800 ret 0x8
77e13245 ff742408 push dword ptr [esp+0x8] ss:043bd52b=??
77e13249 51 push ecx
77e1324a e8b7370000 call GetKeyState+0x92 (77e16a06)
77e1324f ebf1 jmp DialogBoxIndirectParamAorW+0x6ba (77e1eb42)
77e13251 b89a110000 mov eax,0x119a
77e13256 8d542404 lea edx,[esp+0x4] ss:043bd52b=?
77e1325a cd2e int 2e
77e1325c c21000 ret 0x10
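The practical check a user or administrator wants after reading the above is whether a given pass phrase actually ended up in a Dr. Watson log. The following Python script is an added example, not code from the advisory, from PGP or from Microsoft. It rebuilds the raw stack bytes from the "Raw Stack Dump" hex-dump section of a drwtsn32.log and searches them for the pass phrase in both its narrow (ASCII) and wide (UTF-16LE) form, since a Windows dialog may hand the program either. The exact layout of that section (an 8-digit address, 16 hex bytes with a "-" after the eighth, then an ASCII column, separated by runs of two or more spaces) is an assumption about the log format, and the log embedded in the script, including the pass phrase "correct horse battery", is constructed so the check can be exercised offline.

```python
"""Scan a Dr. Watson crash log for a cleartext pass phrase.

Added example, not code from the advisory, from PGP or from Microsoft.
The layout of the '*----> Raw Stack Dump <----*' section (an 8-digit
address, 16 hex bytes with a '-' after the eighth, then an ASCII column,
separated by runs of two or more spaces) is an assumption about the
drwtsn32.log format; SAMPLE_LOG below is constructed to that layout.
"""
import re
from typing import List, Tuple

ADDR = re.compile(r"[0-9a-fA-F]{8}")
BYTE = re.compile(r"[0-9a-fA-F]{2}")

# Constructed pass phrase for the demonstration only.
PASSPHRASE = "correct horse battery"


def format_dump(base: int, data: bytes) -> str:
    """Render bytes in the assumed Dr. Watson hex-dump layout (used only to
    build the constructed sample; a real log is parsed, never written)."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexs = ["%02x" % b for b in chunk]
        cols = " ".join(hexs[:8])
        if len(hexs) > 8:
            cols += " - " + " ".join(hexs[8:])
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%08x  %s  %s" % (base + off, cols, text))
    return "\n".join(lines)


# Constructed stack contents: pointer-like filler, the pass phrase as a
# NUL-terminated C string, more filler, then the same pass phrase as
# UTF-16LE (what a Windows dialog control hands back to the program).
_STACK = (
    b"\x08\x00\x00\x00\x90\xf6\x12\x00"
    + PASSPHRASE.encode("ascii") + b"\x00"
    + b"\x00" * 7
    + PASSPHRASE.encode("utf-16-le") + b"\x00\x00"
    + b"A" * 5
)

# Constructed drwtsn32.log: a thread state dump, the raw stack, a symbol table.
SAMPLE_LOG = "\n".join([
    "*----> State Dump for Thread Id 0x1ec <----*",
    "function: TranslateMessageEx",
    "        77e13240 33c0             xor     eax,eax",
    "",
    "*----> Raw Stack Dump <----*",
    format_dump(0x0012F634, _STACK),
    "",
    "*----> Symbol Table <----*",
    "77e13240 00000000 user32!TranslateMessageEx",
])


def parse_stack_dump(log_text: str) -> bytes:
    """Rebuild the raw stack bytes from every 'Raw Stack Dump' section."""
    data = bytearray()
    in_dump = False
    for line in log_text.splitlines():
        if line.startswith("*---->"):            # section header
            in_dump = "Raw Stack Dump" in line
            continue
        if not in_dump:
            continue
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) < 2 or not ADDR.fullmatch(parts[0]):
            continue
        for tok in parts[1].split():             # hex column only
            if BYTE.fullmatch(tok):              # skips the '-' separator
                data.append(int(tok, 16))
    return bytes(data)


def find_secret(data: bytes, secret: str) -> List[Tuple[str, int]]:
    """Return (encoding, offset) for each occurrence of the pass phrase.

    Both the narrow (ASCII) and the wide (UTF-16LE) form are searched,
    since either may be the copy PGP or the Outlook dialog left behind."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        needle = secret.encode(enc)
        start = data.find(needle)
        while start >= 0:
            hits.append((enc, start))
            start = data.find(needle, start + 1)
    return hits


def check_log(log_text: str, secret: str) -> List[Tuple[str, int]]:
    """Parse the log and report where the pass phrase was found."""
    return find_secret(parse_stack_dump(log_text), secret)


if __name__ == "__main__":
    import sys
    text = (open(sys.argv[1], "r", errors="replace").read()
            if len(sys.argv) > 1 else SAMPLE_LOG)
    phrase = sys.argv[2] if len(sys.argv) > 2 else PASSPHRASE
    for enc, off in check_log(text, phrase):
        print("pass phrase found as %s at stack offset 0x%x" % (enc, off))
```

Run it against a real log as `python check_dump.py drwtsn32.log 'your pass phrase'`; with no arguments it scans the constructed sample and reports the ASCII copy at offset 8 and the UTF-16LE copy at offset 37. Whether another account can read the log at all is a separate check: on Windows NT and 2000, `cacls` on the paths given above shows who holds read access to drwtsn32.log.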