Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Vulnerability in Credant Mobile Guardian Shield for Windows

from [myucebox] Network Security [Permanent Link]
Subject: Vulnerability in Credant Mobile Guardian Shield for Windows
Date: 24 May 2007 13:23:44 -0000 
Vulnerability in Credant Mobile Guardian Shield for Windows

Vendor: Credant Technologies Inc. http://www.credant.com/

Product: Credant Mobile Guardian Shield for Windows

Version: 5.2.1.105 (and prior)

Affected Operating Systems: Windows XP SP2 (and likely others)

Product Overview:

Credant Technologies markets the Credant Mobile Guardian Shield for Windows as 
part of their data security solution for mobile devices. The product is 
installed on a mobile device (e.g. Laptop). The shield receives its policy from 
a centralized server which dictates the encryption settings as defined by the 
Credant administrator. Credant Technologies has trademarked their encryption 
approach as ?Policy based Intelligent Encryption?; this means that the product 
does not provide full disk encryption. This approach allows the Credant 
administrator to dictate what files and directories are to be encrypted e.g. 
All .doc files regardless of directory, and all files in the ?My Documents? 
folder. By default, Credant does not encrypt the paging file, operating system 
files, or slack space to improve performance.

Vulnerability Details:

A serious security flaw is present in Credant Mobile Guardian Shield for 
Windows versions 5.2.1.105 and prior.  Several instances of the users Windows 
Domain name, Domain username, and password are stored in plain text within the 
memory (RAM) of the mobile device. This risk is compounded by the fact that the 
Windows paging file is not encrypted per default settings. The unencrypted 
paging file would likely contain the plain text Windows Domain credentials as 
well.

Attack Scenario?s:

1) Offline attack: A lost or stolen device would allow as attacker to search 
the paging file with the goal of obtaining the plaintext Domain credentials, 
once obtained the attacked could simply boot the device and login thereby 
gaining complete access to the encrypted data. 

2) Online attack: An attacker could create a malicious program which upon 
execution would dump the active memory image / or locate the area in memory 
where the password is stored and retrieve it. The memory image or password 
could then be sent over a network to the attacker.

Methodology:

To reproduce and confirm the findings a clean Windows XP SP2 build without 
Credant Mobile Guardian Shield for Windows was installed, a dump and search of 
the memory for the plaintext domain password yielded no matches (ruling out the 
Windows OS). Credant Mobile Guardian Shield software version 5.2.1.105 was then 
loaded. The memory was dumped and searched following a reboot and Domain login, 
the password was stored (multiple times) in plaintext within memory.

Workarounds:

Contact vendor for patch 5.2.1.125

Credit: 

Mike Iacovacci
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Vulnerability in Credant Mobile Guardian Shield for Windows, myucebox <=
Previous by Date:  Re: NOD32 Antivirus Long Path Name Stack Overflow Vulnerabilities, Ismael Briones
Next by Date:  WIYS v1.0 Cross-Site Scripting Vulnerability - (05.24.2007) (NEW), vagrant - e-hack.org
Previous by Thread:  [ MDKSA-2007:104-1 ] - Updated samba packages fix multiple vulnerabilities, security
Next by Thread:  WIYS v1.0 Cross-Site Scripting Vulnerability - (05.24.2007) (NEW), vagrant - e-hack.org
Indexes:  [Date] [Thread] [Top] [All Lists]