You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Java Version: 1.8.0_261
java -version
java version "1.8.0_261"
Java(TM) SE Runtime Environment (build 1.8.0_261-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.261-b12, mixed mode)
OS Version: Windows 10
Microsoft Windows [Version 10.0.18363.1556]
Description of the problem
The method Crypt32Util.cryptProtectData (and Crypt32Util.cryptUnprotectData) do not clean copy of security sensitive information and leave it in memory. This can be considered as security vulnerability since it becomes possible to reveal passwords from memory dumps.
Code that reproduces the bug
import com.sun.jna.Memory;
import com.sun.jna.platform.win32.Crypt32Util;
import com.sun.jna.platform.win32.WinCrypt;
import java.lang.ref.WeakReference;
import java.lang.reflect.Field;
import java.util.Arrays;
public class JNACryptProtectDataSecurityIssue {
public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException, ClassNotFoundException {
Field fldMemory_HEAD = Memory.class.getDeclaredField("HEAD");
fldMemory_HEAD.setAccessible(true);
Field fldLinkedReference_next = Class.forName("com.sun.jna.Memory$LinkedReference").getDeclaredField("next");
fldLinkedReference_next.setAccessible(true);
Field fldLinkedReference_prev = Class.forName("com.sun.jna.Memory$LinkedReference").getDeclaredField("prev");
fldLinkedReference_prev.setAccessible(true);
System.out.println("-----");
byte[] data = new byte[] { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, };
byte[] encrypted = Crypt32Util.cryptProtectData(data, WinCrypt.CRYPTPROTECT_UI_FORBIDDEN);
byte[] decrypted = Crypt32Util.cryptUnprotectData(encrypted, WinCrypt.CRYPTPROTECT_UI_FORBIDDEN);
System.out.println("-----");
{
Object head = fldMemory_HEAD.get(null);
Object next = head;
do {
Object curr = next;
Memory memory = (Memory) ((WeakReference<?>) curr).get();
byte[] array = memory.getByteArray(0, (int) memory.size());
if (Arrays.equals(array, encrypted)) {
System.out.println("!!! encrypted data found !!!");
}
if (Arrays.equals(array, data)) {
System.out.println("!!! decrypted data found !!!");
}
next = fldLinkedReference_next.get(curr);
} while (next != null);
}
System.out.println("-----");
}
}
Expected
-----
-----
-----
Actual
-----
-----
!!! encrypted data found !!!
!!! decrypted data found !!!
-----
The text was updated successfully, but these errors were encountered:
JNA version: 5.8.0
jna-platform.jar (+ jna.jar)
Java Version: 1.8.0_261
java -version
java version "1.8.0_261"
Java(TM) SE Runtime Environment (build 1.8.0_261-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.261-b12, mixed mode)
OS Version: Windows 10
Microsoft Windows [Version 10.0.18363.1556]
Description of the problem
The method
Crypt32Util.cryptProtectData(andCrypt32Util.cryptUnprotectData) do not clean copy of security sensitive information and leave it in memory. This can be considered as security vulnerability since it becomes possible to reveal passwords from memory dumps.Code that reproduces the bug
Expected
Actual
The text was updated successfully, but these errors were encountered: