Insecure Data storage
Data storage issues in thick client applications.
Every application that manages users' personal data or user sessions is prone to data storage issues, whether it is a mobile application or a desktop application (what we call a thick client application).
You can follow this article for a step-by-step guide.
Many applications use the Windows registry to store data. But should you? The answer is no: the registry in particular should not be trusted with sensitive information.
Regshot is an open source tool for checking which registry keys an application modifies.
Tool Link: https://sourceforge.net/projects/regshot/files/latest/download
Regshot works on a basic principle:
Take a snapshot of your registry.
Do something on your system.
Take a snapshot again and compare what has changed.
Use the 32-bit version of Regshot for DVTA, as it is a 32-bit application. You can find the values that were modified.
This opens up an attack path: manually changing these registry keys and logging in to other people's accounts.
In 2-tier architectures the application has to connect to databases and several other services. We have already seen credentials in network traffic, in registry keys, and even hard-coded in the application.
Now we will see how to dump the database connection string from memory. A connection string is basically the set of parameters required to connect to a database instance, which includes the server address, the database name and the credentials to authenticate.
Case 1: Plain text connection string
A clear-text string is hardcoded in the application, so if we are able to decompile the application we can retrieve it.
If we can't decompile the application, we can dump the memory while the application is running and find the connection string in memory.
Case 2: Encrypted connection string
The application hardcodes an encrypted connection string, so even if we decompile the application we find only the encrypted string.
When the application decrypts the encrypted value, we dump the memory.
In both cases memory dumping can reveal the clear-text connection string. ProcessHacker is one such tool to dump the memory of a process.
Tool link: https://sourceforge.net/projects/processhacker/files/latest/download
Run the DVTA application and perform some action, then run Process Hacker and search for dvta. It will list the DVTA process. Open this process's properties and look at its strings; with a specific search you will find the decrypted password there.
Now we can use these credentials to connect to the database and dump it.
Another way to analyse memory is to generate a memory dump from the process list and search for strings in the dump file.
From Task Manager, create a dump file of your application.
Now you can run strings on it. Tool link: https://download.sysinternals.com/files/Strings.zip
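To check a dump of your own application for this exposure without reading thousands of strings by hand, the added example below (not part of the original article) scans raw dump bytes for connection strings in both ASCII and UTF-16LE and redacts the secret in its report. The function names, the ADO.NET/ODBC-style key names it matches and the sample bytes are assumptions constructed for illustration.

```python
import re

# Assumed key names: ADO.NET/ODBC-style connection-string fields.
SERVER_KEY = re.compile(r"(?i)\b(data source|server)\s*=")
SECRET_KEY = re.compile(r"(?i)\b(password|pwd)\s*=\s*([^;]+)")

def extract_strings(blob, min_len=6):
    """Yield (offset, encoding, text) for printable runs in a raw dump.

    .NET keeps strings as UTF-16LE in memory, so an ASCII-only scan
    misses them; both encodings are scanned.
    """
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")

def find_connection_strings(blob):
    """Return sorted findings with the secret value redacted."""
    findings = []
    for offset, enc, text in extract_strings(blob):
        if SERVER_KEY.search(text) and SECRET_KEY.search(text):
            redacted = SECRET_KEY.sub(
                lambda m: f"{m.group(1)}=<redacted:{len(m.group(2))} chars>", text)
            findings.append((offset, enc, redacted))
    return sorted(findings)

# Constructed sample bytes standing in for a dump file; for a real dump use
# find_connection_strings(open(path, "rb").read()).
SAMPLE_DUMP = (
    b"\x00\x01MZ\x90\x00"
    + ("Data Source=db.example.test;Initial Catalog=appdb;"
       "User Id=app;Password=Constructed#1").encode("utf-16-le")
    + b"\x00\x00\xff\xfe"
    + b"Server=db.example.test;Database=appdb;Uid=app;Pwd=Constructed#2;"
    + b"\x00\x13\x37"
    + b"Password policy: minimum 12 characters"  # no '=' field: not flagged
    + b"\x00"
)

if __name__ == "__main__":
    for offset, enc, text in find_connection_strings(SAMPLE_DUMP):
        print(f"0x{offset:08x} [{enc}] {text}")
```

Any finding means the clear-text connection string was resident in the process at dump time, which is the condition both cases above rely on.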