During an examination of how JAMF Self Service authenticates to the domain, I discovered that Self Service not only keeps domain credentials in memory in plaintext but also does not appear to free them after they are first used. To prove this I developed a proof-of-concept exploit that searches for a running Self Service process, makes a local copy of the process's memory, and searches it for the username and password strings. As long as the user has authenticated within Self Service at some point, the credentials can be harvested, even if they have since logged off. This has been tested on Self Service version 9.93, but may work on other versions.
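The defect described above is a credential that stays in process memory after it has been used. The following added example (not the author's proof of concept and not JAMF code) uses a constructed in-memory buffer to show the leaky pattern beside the hardened one: once authentication is done, the secret is overwritten with a wipe the compiler cannot drop as a dead store, so a later scan of the same memory no longer finds it.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a region of the application's heap.  In a real
 * process this would be whatever allocation held the credential. */
static unsigned char g_arena[128];

/* Search a memory region (which may contain NUL bytes) for a string.
 * This is the same check a memory-dump scan performs, used here as a test. */
static int region_contains(const unsigned char *region, size_t region_len,
                           const char *needle) {
    size_t n = strlen(needle);
    if (n == 0 || n > region_len) return 0;
    for (size_t i = 0; i + n <= region_len; i++)
        if (memcmp(region + i, needle, n) == 0) return 1;
    return 0;
}

/* A plain memset() before free() may be optimised away because the buffer is
 * never read again; writing through a volatile pointer prevents that. */
static void secure_zero(void *p, size_t len) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (len--) *vp++ = 0;
}

/* Leaky pattern: the credential is copied in, used, and simply forgotten.
 * Returns 1 if the password is still recoverable from the arena afterwards. */
int leaky_auth(const char *password) {
    memset(g_arena, 0, sizeof g_arena);
    memcpy(g_arena, password, strlen(password));   /* "use" the credential */
    return region_contains(g_arena, sizeof g_arena, password);
}

/* Hardened pattern: wipe the credential as soon as authentication completes.
 * Returns 1 if the password is still recoverable (expected: 0). */
int hardened_auth(const char *password) {
    memset(g_arena, 0, sizeof g_arena);
    memcpy(g_arena, password, strlen(password));
    secure_zero(g_arena, strlen(password));
    return region_contains(g_arena, sizeof g_arena, password);
}

int main(void) {
    const char *pw = "constructed-example-password";
    printf("leaky:    password still in memory = %d\n", leaky_auth(pw));
    printf("hardened: password still in memory = %d\n", hardened_auth(pw));
    return 0;
}
```

The same wipe must be applied to every copy the application makes (string conversions, log buffers, temporary objects), since a scan of the process finds whichever copy was missed.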
"Extracting Domain Credentials from JAMF Self Service"