Leberschnitzel

Secure-Strings

4 posts in this topic

#1 ·  Posted

Hi everyone,

I made a script that runs a locally installed console with a runas /netonly so it can access an SQL DB in another domain through an ODBC connection. The script asks the user for username and password and then uses that information in the AutoIt RunAs command. Pretty straightforward, and it works. All this is meant to be put into an App-V sequence, and that works too.
The problem is: the password is saved in a variable as a string, which means it could be pulled from memory in cleartext if someone wanted to.

Question: Is there a way to save strings securely in memory with AutoIt, so this can't happen?

Here's the script in question. It also saves the username in the registry so the user doesn't have to enter it every time.

#include <AutoItConstants.au3>

;Define Variables - ONLY THINGS TO EDIT TO RUN-AS!
$ConnectDomain = "<DomainName>"
$ExeToRun = "<ConsoleExe>"

;Get default user:
$TSCredStore = "HKCU\Software\Company\Credentials\"&$ConnectDomain
$DefaultUser = RegRead($TSCredStore, "User")

;Window Asking for user, exit on cancel:
$MKAU = InputBox ( $ConnectDomain&" - User", "Please enter your "&$ConnectDomain&" User without domain.", $DefaultUser," M")
If @Error Then
   Exit
EndIf
;Write User to Default User Credentials Key:
RegWrite($TSCredStore, "User", "REG_SZ", $MKAU)

;Window Asking for password:
$MKAP = ""
$MKAP = InputBox ( $ConnectDomain&" - Password", "Please enter your "&$ConnectDomain&" Password" , "" , "*M")
If @Error Then
   ;Empty Password Variable
   $MKAP = ""
   Exit
EndIf

;Run Console with User
RunAs($MKAU,$ConnectDomain,$MKAP,$RUN_LOGON_NETWORK, @Scriptdir&"\"&$ExeToRun,"",@SW_SHOW , $STDIN_CHILD  )

;Empty Password Variable
$MKAP = ""

 

#2 ·  Posted

As I read in other topics related to deleting your variable or assigning 0 or ""; please check whether those topics may help you: 

 

I have one suggestion: I see that you directly save your password to the variable MKAP. Well, do not assign your password directly to a variable. Try to encrypt it the first time, and send the password back without assigning it to a variable again (at least your user key needs to be stored): 

#include <Crypt.au3>

;... some of your code from the top
;$MKAP = InputBox ( $ConnectDomain&" - Password", "Please enter your "&$ConnectDomain&" Password" , "" , "*M")

Local Const $sUserKey = "YouNeedAUserKey" ; Declare a password string to decrypt/encrypt the data.
;assign MKAP to the encrypted value, not directly to the original password
;(AutoIt does not expand $variables inside string literals, so the domain name is concatenated with &)
Local $MKAP = _Crypt_EncryptData(InputBox($ConnectDomain&" - Password", "Please enter your "&$ConnectDomain&" Password", "", "*M"), $sUserKey, $CALG_AES_256)
If @error Then Exit ; encryption failed, do not continue with an unusable value

;Run Console with User
;RunAs($MKAU,$ConnectDomain,$MKAP,$RUN_LOGON_NETWORK, @Scriptdir&"\"&$ExeToRun,"",@SW_SHOW , $STDIN_CHILD  )

;decrypt inline in the RunAs call, so the plaintext password is never assigned to a variable
RunAs($MKAU,$ConnectDomain,BinaryToString(_Crypt_DecryptData($MKAP, $sUserKey, $CALG_AES_256)),$RUN_LOGON_NETWORK, @Scriptdir&"\"&$ExeToRun,"",@SW_SHOW , $STDIN_CHILD  )

 


TY.

#3 ·  Posted

Hi taylansan,

Thanks for your ideas! I'll try the encryption with a key generated inside the script :)

Kind Regards

Christian

#4 ·  Posted

RunAs($MKAU,$ConnectDomain,InputBox ( $ConnectDomain&" - Password", "Please enter your "&$ConnectDomain&" Password" , "" , "*M"),$RUN_LOGON_NETWORK, @Scriptdir&"\"&$ExeToRun,"",@SW_SHOW , $STDIN_CHILD  )

No variable.
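Building on the question in #1 and the encrypt-first / decrypt-inline ideas in #2 and #4, here is an added example (not code from this thread) that keeps the password sealed with the Windows CryptProtectMemory API between the prompt and the RunAs call, unprotecting it only for the duration of that call. It assumes Windows Vista or later (crypt32.dll), reuses the placeholder domain/exe/user values from #1, and the _Secure* / _ProtectBuffer function names are made up for this example.

```autoit
#include <AutoItConstants.au3>
#include <StringConstants.au3>
Global Const $CRYPTPROTECTMEMORY_BLOCK_SIZE = 16  ; dpapi.h: data length must be a multiple of this
Global Const $CRYPTPROTECTMEMORY_SAME_PROCESS = 0 ; only this process can unprotect the buffer

; Prompt for a secret and seal it in a DPAPI-protected buffer right away.
; Returns a struct "dword len; byte data[n]" whose data bytes are encrypted in place.
Func _SecureInput($sTitle, $sPrompt)
    Local $sPlain = InputBox($sTitle, $sPrompt, "", "*M")
    If @error Then Return SetError(1, 0, 0)
    Local $bPlain = StringToBinary($sPlain, $SB_UTF16LE)
    $sPlain = "" ; drop the AutoIt string copy as early as possible
    Local $iLen = BinaryLen($bPlain)
    Local $iPadded = Ceiling($iLen / $CRYPTPROTECTMEMORY_BLOCK_SIZE) * $CRYPTPROTECTMEMORY_BLOCK_SIZE
    If $iPadded = 0 Then $iPadded = $CRYPTPROTECTMEMORY_BLOCK_SIZE
    Local $tBuf = DllStructCreate("dword len; byte data[" & $iPadded & "]")
    DllStructSetData($tBuf, "len", $iLen)
    DllStructSetData($tBuf, "data", $bPlain)
    $bPlain = Binary("")
    If Not _ProtectBuffer($tBuf, True) Then Return SetError(2, 0, 0)
    Return $tBuf
EndFunc
; Encrypt ($bProtect = True) or decrypt (False) the data bytes in place with the per-process
; DPAPI key, so a memory dump or another process sees only ciphertext while the buffer is idle.
Func _ProtectBuffer(ByRef $tBuf, $bProtect)
    Local $sApi = $bProtect ? "CryptProtectMemory" : "CryptUnprotectMemory"
    Local $aRet = DllCall("crypt32.dll", "bool", $sApi, "ptr", DllStructGetPtr($tBuf, "data"), _
            "dword", DllStructGetSize($tBuf) - 4, "dword", $CRYPTPROTECTMEMORY_SAME_PROCESS)
    If @error Then Return False
    Return $aRet[0] <> 0
EndFunc
; Decrypt only long enough to copy the secret out, then seal the buffer again; the returned
; string is a transient plaintext copy, so pass it straight into the call that needs it.
Func _SecureReveal(ByRef $tBuf)
    If Not _ProtectBuffer($tBuf, False) Then Return SetError(1, 0, "")
    Local $sPlain = BinaryToString(BinaryMid(DllStructGetData($tBuf, "data"), 1, DllStructGetData($tBuf, "len")), $SB_UTF16LE)
    _ProtectBuffer($tBuf, True)
    Return $sPlain
EndFunc
; Zero the buffer once the secret is no longer needed.
Func _SecureWipe(ByRef $tBuf)
    For $i = 1 To DllStructGetSize($tBuf) - 4
        DllStructSetData($tBuf, "data", 0, $i)
    Next
EndFunc
; Usage with the thread's RunAs call; domain, exe and user are placeholders.
Global $ConnectDomain = "<DomainName>", $ExeToRun = "<ConsoleExe>", $MKAU = "<UserName>"
Global $tSecret = _SecureInput($ConnectDomain & " - Password", "Please enter your " & $ConnectDomain & " Password")
If @error Then Exit
RunAs($MKAU, $ConnectDomain, _SecureReveal($tSecret), $RUN_LOGON_NETWORK, @ScriptDir & "\" & $ExeToRun, "", @SW_SHOW, $STDIN_CHILD)
_SecureWipe($tSecret)
```

The plaintext still exists briefly (the InputBox result and the string handed to RunAs), so this narrows the exposure window and keeps the idle value out of memory dumps and the pagefile rather than eliminating it. Code that already runs inside the same process can call CryptUnprotectMemory exactly as the script does, so the protection is against out-of-process observers, not a debugger attached to the script.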

