[Alpine-info] Alpine .pine-passfile

damion.yates at gmail.com damion.yates at gmail.com
Fri Oct 31 04:48:14 PDT 2008


On Thu, 25 Sep 2008, damion.yates at gmail.com wrote:

> On Thu, 25 Sep 2008, Steve Hubert wrote:
>
> > > I too was recently quite worried that somebody might root my box and
> > > gdb -p <processID_of_alpine>
> > > ...then work some voodoo and pull the plain text password from ram.

And I found somebody who managed:


From robert at XXXXX.com Wed Oct 29 22:28:30 2008

Date: Wed, 29 Oct 2008 22:28:29
From: Robert XXXXX <robert at XXXXX.com>
To: Damion Yates <damion at PERSONALDOMAIN>
Subject: Re: [Gllug] Disconnected ssh sessions and pseudo-terminals

On Wed, Oct 29, 2008 at 8:00 AM, Damion Yates <damion at trap.me.uk> wrote:

> On Tue, 28 Oct 2008, Robert McKay wrote:
>
> [snipped useful technical stuff]
>
>> (so attach to 2998)
>>
>> (gdb) call malloc(1024)
>> $1 = -2147044680
>> (gdb) call strcpy($1, ":q!\n")
>> $2 = -2147044680
>> (gdb) call write(10, $1, 4)
>> $3 = 4
>
> [snipped more techy guruness :)]
>
> You sound like the sort of person who would know how to attach to a
> running process and examine strings from pointers to extract passwords?
>
> I want to know how secure my alpine session is from somebody else who is
> root on the box, attaching and examining parts of it in runtime.


Nothing is safe from root.


> I couldn't find much on teh interweb about such a hack. Is this
> something you've done before?


Never, but it sounds pretty trivial. With root access you can do
pretty much whatever you want to a process so there's no way to defend
against this kind of thing.

I've downloaded the alpine source..

The login/password/hosts information is cached in a global variable
called mm_login_list. I compiled it with CFLAGS=-ggdb3 and it seems
like after starting an alpine and attempting to login to a remote pop3
mailbox I can then attach to the process and just do this:

(gdb) print mm_login_list[0].user
$27 = 0x85a29f0 "rm"
(gdb) print mm_login_list[0].passwd
$28 = 0x8483de1 "abcd1234"
(gdb) print mm_login_list[0].hosts[0]
$29 = {name = 0x854b910 "mailserver.com", next = 0x0}

I'm not sure what the best way to get the address of mm_login_list if
it wasn't compiled with debugging symbols but it wouldn't be that
hard.

Cheers,

Rob.
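The thread's conclusion is that a root user with gdb can read the cached credentials straight out of mm_login_list, and that nothing stops root. What a program can do is shrink what such an inspection (or a core dump, or swap) finds for everyone else. The C program below is an added illustration and is not part of this thread or of Alpine's source: it holds the password only for the duration of the login instead of in a process-global list, locks the page against swapping, marks the process non-dumpable (which on Linux also refuses ptrace attach from unprivileged users), wipes the buffer through a volatile pointer so the compiler cannot drop the wipe, and parses the TracerPid field of /proc/self/status to notice an attached debugger. The names secure_wipe, harden_for_secret, tracer_pid_from_status, login_with_ephemeral_secret, fake_login and the sample status text are assumptions made for this example.

```c
/* Added example, not Alpine source: keep a credential in memory only
 * briefly and detect an attached tracer. This raises the bar for
 * non-root readers, core dumps and swap; root with gdb still wins. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Overwrite a buffer through a volatile pointer so a dead-store
 * optimisation cannot elide the wipe (a plain memset before free often is). */
void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
}

/* Returns 1 if every byte is zero, 0 otherwise (verifies the wipe). */
int is_wiped(const unsigned char *p, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= p[i];
    return acc == 0;
}

/* Best-effort hardening while a secret is live: PR_SET_DUMPABLE 0 disables
 * core dumps and blocks ptrace attach by non-root users on Linux; mlock
 * keeps the page out of swap. Returns 1 if both succeeded, else 0
 * (mlock commonly fails under a small RLIMIT_MEMLOCK). */
int harden_for_secret(void *buf, size_t n)
{
    int ok = 1;
#ifdef __linux__
    if (prctl(PR_SET_DUMPABLE, 0) != 0)
        ok = 0;
#endif
    if (mlock(buf, n) != 0)
        ok = 0;
    return ok;
}

/* Parse TracerPid from the text of /proc/<pid>/status.
 * Returns the tracer's pid, 0 when nothing is attached, -1 if absent. */
long tracer_pid_from_status(const char *status_text)
{
    const char *key = "TracerPid:";
    const char *p = strstr(status_text, key);
    if (p == NULL)
        return -1;
    return strtol(p + strlen(key), NULL, 10);
}

/* Read our own status file; -1 if /proc is unavailable. */
long current_tracer_pid(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return -1;
    size_t got = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[got] = '\0';
    return tracer_pid_from_status(buf);
}

/* Stand-in for the network login (constructed): any non-empty password passes. */
static int fake_login(const char *password)
{
    return password[0] != '\0';
}

/* Use the password once and wipe it, rather than caching it for the whole
 * session in a global like mm_login_list. Returns 1 if the login succeeded
 * and the buffer was verified clean afterwards. */
int login_with_ephemeral_secret(const char *password_in)
{
    size_t n = strlen(password_in) + 1;
    char *buf = malloc(n);
    if (buf == NULL)
        return 0;
    memcpy(buf, password_in, n);
    harden_for_secret(buf, n);      /* failure tolerated: still wipe below */
    int rc = fake_login(buf);
    secure_wipe(buf, n);
    int clean = is_wiped((unsigned char *)buf, n);
    munlock(buf, n);
    free(buf);
    return rc && clean;
}

int main(void)
{
    /* Constructed status text as it would look with a debugger attached. */
    const char *sample = "Name:\talpine\nTracerPid:\t2998\n";
    printf("tracer pid in sample: %ld\n", tracer_pid_from_status(sample));
    printf("tracer pid now: %ld\n", current_tracer_pid());
    printf("ephemeral login ok: %d\n", login_with_ephemeral_secret("abcd1234"));
    return 0;
}
```

The TracerPid check is a detection aid, not a control: a tracer that attaches after the check, or a root user, is not caught. The lasting value is in the lifetime discipline, since a string that has been wiped is not there for `print mm_login_list[0].passwd` or `strings` on a core file to find.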

