plaintext-passwords-in-memory: Plaintext Passwords Stored in Memory

Date: 2025-08-01 | Affected software: plaintext-passwords | PoC: public

Vulnerability description

Checks whether the WDigest UseLogonCredential registry value is set to 1, which causes Windows to keep logon passwords in memory in plaintext, potentially exposing sensitive information to unauthorized memory access.

PoC code [public]

id: plaintext-passwords-in-memory

info:
  name: Plaintext Passwords Stored in Memory
  author: princechaddha
  severity: high
  description: Checks if passwords are stored in memory in plaintext, potentially exposing sensitive information to unauthorized memory access.
  impact: |
    Storing passwords in plaintext in memory can expose sensitive credentials to attackers who gain access to memory dumps or can read memory directly, leading to unauthorized access and data breaches.
  remediation: |
    Ensure that all sensitive data, especially passwords, are stored in memory in an encrypted or hashed format to mitigate the risk of exposure.
  tags: windows,security,credentials,windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      if ((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -ErrorAction SilentlyContinue).UseLogonCredential -eq 1) { "Plaintext passwords are stored in memory." }

    matchers:
      - type: word
        words:
          - "Plaintext passwords are stored in memory."
# digest: 4b0a0048304602210096f5a69a7eb5f990f7b6990997bbe801df7482b8883d6e9153360b9ed49d8df80221008946a1d10b3516bfdfd8925376bbbf0a091ac7236f0d6e223bbf5b3de884ed8a:922c64590222798bb761d5b6d8e72950
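
The template above only reports the case where UseLogonCredential equals 1. The following audit helper is an added example, not part of the template or of the project that publishes it; it also reports the missing-value case, whose effect depends on the Windows version. The function name Get-WDigestCredentialCaching and the State labels are hypothetical.

```powershell
# Added example (hypothetical helper): audit the WDigest credential-caching setting.
function Get-WDigestCredentialCaching {
    [CmdletBinding()]
    param(
        # Same registry key the template reads.
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    )

    $name = 'UseLogonCredential'
    $item = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue

    # Windows 8.1 / Server 2012 R2 (NT 6.3) and later do not cache WDigest
    # plaintext credentials when the value is absent; older releases cache
    # them unless the value is explicitly set to 0.
    $modernDefault = [Environment]::OSVersion.Version -ge [Version]'6.3'

    if ($null -eq $item) {
        $value = $null
        if ($modernDefault) { $state = 'DisabledByDefault'; $atRisk = $false }
        else                { $state = 'EnabledByDefault';  $atRisk = $true }
    }
    else {
        $value = $item.$name
        switch ($value) {
            0       { $state = 'Disabled';   $atRisk = $false }
            1       { $state = 'Enabled';    $atRisk = $true }
            # Any other data is not a documented setting: flag it for review.
            default { $state = 'Unexpected'; $atRisk = $true }
        }
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Value    = $value
        State    = $state
        AtRisk   = $atRisk
    }
}

Get-WDigestCredentialCaching

# Remediation (run elevated): explicitly disable WDigest plaintext caching.
# New-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Force | Out-Null
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' `
#     -Name 'UseLogonCredential' -Value 0 -Type DWord
```

A value of 1 on a current Windows release means someone set it explicitly, so treat it as a finding to investigate as well as a setting to correct. Logon sessions that already exist may keep cached credentials until the user logs off.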