Thursday, June 23, 2005

Clear Text Password Vulnerability in Mail Clients

Clear Text Password Vulnerability in Common Mail Clients on Windows
Statement from GWAVA
Issue Date: June 21, 2005
Author: Joe Bertnick

Overview:
Multiple mail clients running on Windows desktops store passwords in memory as clear text.

Affected Systems:
Outlook 2003
GroupWise 6.5.4 (Windows Client Only)
Thunderbird 1.02 (Windows Client Only)

Note: Other messaging clients running on the Windows XP platform might also exhibit this vulnerability, as it is very common. Please refer to the Recommendations for best practices to reduce your risk of exposure.

Impact:
Unrestricted access to the mailbox of a single user, and possible use of the password on other directory-enabled systems.

Details:
This issue was first reported via insecurity.org by the security team at truedson.com as a vulnerability in GroupWise. A link follows with the original posting.

GWAVA Security Research elected to research the vulnerability further across multiple mail platforms and provide a workaround for customers.

There are a number of applications that cache authentication information in memory as plain text. GroupWise, Outlook and Thunderbird mail clients all operate in this manner. With a client loaded into memory and authenticated to the mail system, someone could execute a memory dump of the application and recover the password. The password will always be located at the same offset.

This vulnerability is common to many client applications running on the Windows operating system, so Windows users should follow the recommendations listed below.
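For developers, the caching pattern described above next to one way to avoid it, as an added example that is not part of the GWAVA statement or any vendor's code. The `session` struct, `fake_auth` and every function name are hypothetical, and the sketch assumes the client does not need the password again once it holds a session token.

```c
#include <stddef.h>
#include <string.h>

#define PW_MAX 64

/* Hypothetical login state, standing in for a mail client's session. */
struct session {
    char password[PW_MAX];   /* credential buffer */
    unsigned long token;     /* stand-in for what the server hands back */
};

/* Wipe through a volatile pointer so the compiler cannot drop the writes.
 * On Windows, SecureZeroMemory serves the same purpose. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Toy stand-in for authentication (FNV-1a style hash), not a real protocol. */
static unsigned long fake_auth(const char *pw) {
    unsigned long h = 2166136261UL;
    while (*pw) { h ^= (unsigned char)*pw++; h *= 16777619UL; }
    return h;
}

/* Pattern from the advisory: the clear-text password stays cached after login. */
void login_cached(struct session *s, const char *pw) {
    memset(s, 0, sizeof *s);
    strncpy(s->password, pw, PW_MAX - 1);  /* terminator kept by the memset */
    s->token = fake_auth(s->password);
}

/* Hardened: keep only the token and wipe the credential buffer right away. */
void login_wiped(struct session *s, const char *pw) {
    login_cached(s, pw);
    secure_wipe(s->password, sizeof s->password);
}

/* Self-check for tests: is `needle` present anywhere in the region's bytes? */
int region_contains(const void *region, size_t len, const char *needle) {
    size_t n = strlen(needle);
    const unsigned char *r = region;
    if (n == 0 || n > len) return 0;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(r + i, needle, n) == 0) return 1;
    return 0;
}
```

Wiping this one buffer does not cover other copies of the password, such as the input field or a network send buffer; each of those needs the same treatment.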

Recommendations:
Enable screen saver password protection and log out of mail clients when leaving your workstation unattended. Install the patch when the vendor makes it available. Migrating to Linux-based desktops such as Novell Linux Desktop would also prevent this issue.

References:
Original Posting: http://seclists.org/lists/fulldisclosure/2005/Jun/0262.html