Mac OS X keychain password data was exposed by means of a free tool that requires root access. Dubbed keychaindump, the tool scans the memory space of the process that handles the keychain (securityd), looking for the keychain master key.
The keychain file is encrypted several times over with different keys, but obtaining the keychain master key sets the whole decryption cascade in motion. That master key is derived from the user's login password with a key-derivation function known as PBKDF2, so recovering it gives access to the entire keychain.
“The passwords in a keychain file are encrypted many times over with various different keys. Some of these keys are encrypted using other keys stored in the same file, in a Russian-doll fashion,” said the tool’s developer, Juuso Salonen. “The key that can open the outermost doll and kickstart the whole decryption cascade is derived from the user’s login password using PBKDF2. I’ll call this key the master key.”
Using pattern recognition and searching securityd’s heap, Salonen was able to reduce the number of candidate master keys to about 20. One of these keys decrypts the next key and, by following the same process through all the layers, the plaintext passwords are finally revealed.
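To make the layering concrete, here is an added model of that Russian-doll scheme in Python; it is constructed for this article and is neither the real keychain format nor keychaindump's code. A PBKDF2-derived master key wraps a file key, which wraps an item key, which encrypts the stored secret, and a wrong key fails the integrity check at the first layer. The toy HMAC-based cipher, the key layout and all parameters are assumptions.

```python
import hashlib
import hmac
import os

# Constructed parameters for illustration only; the real keychain format differs.
PBKDF2_ITERATIONS = 1000
KEY_LEN = 32


def derive_master_key(login_password, salt):
    """Outermost doll: the master key is derived from the login password with PBKDF2."""
    return hashlib.pbkdf2_hmac("sha256", login_password, salt, PBKDF2_ITERATIONS, KEY_LEN)

def _keystream(key, nonce, length):
    """Toy HMAC-SHA256 counter keystream standing in for a real cipher (assumption)."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def wrap(key, plaintext):
    """Encrypt-then-MAC one layer; layout is nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unwrap(key, blob):
    """Return the plaintext, or None when the key is wrong (tag mismatch)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def build_keychain(login_password, secret):
    """Russian-doll layout: master key wraps file key, file key wraps item key, item key wraps the secret."""
    salt = os.urandom(16)
    master = derive_master_key(login_password, salt)
    file_key, item_key = os.urandom(KEY_LEN), os.urandom(KEY_LEN)
    return {"salt": salt,
            "wrapped_file_key": wrap(master, file_key),
            "wrapped_item_key": wrap(file_key, item_key),
            "item": wrap(item_key, secret)}

def open_with_master_key(master, kc):
    """The decryption cascade: each layer's key is the plaintext of the layer above."""
    file_key = unwrap(master, kc["wrapped_file_key"])
    item_key = unwrap(file_key, kc["wrapped_item_key"]) if file_key is not None else None
    return unwrap(item_key, kc["item"]) if item_key is not None else None

def open_with_password(login_password, kc):
    """Normal unlock path: derive the master key from the login password, then cascade."""
    return open_with_master_key(derive_master_key(login_password, kc["salt"]), kc)
```

The point of the model is that nothing below the master key adds protection once the master key itself is known: holding it is equivalent to holding the login password for this file.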
Although the tool is only a proof of concept, it could still be classified as malware since its source code is freely available. Because the tool requires root (administrator) access to run, it poses no immediate danger unless it is delivered alongside some other exploit or malware.