

OS X keychain passwords can be read by root - aparadja
https://github.com/juuso/keychaindump

======
leoh
Interesting. This reminds me of a bug from a couple years ago. Apple used to
leave a big unencrypted swap file on disk, so you would open up single user
mode and search for strings related to login and there would usually be a cache
of logins and passwords in the clear. Apple fixed this bug by removing the
swap file, among other things. But it turns out that there are ways to enable
a dev representing virtual memory with some kernel hacking, that does
something similar to the swap.

This vulnerability is fairly similar in that it involves scouring memory, is
somewhat more sophisticated since it requires some decryption, but is less
powerful since it relies on memory being intact, whereas the most common,
illicit way to gain root access is by single user mode, which usually
obliterates much memory. But it would be interesting to test--to preserve
memory it would be best to set boot flags for single user and then restart as
opposed to rebooting (presumably this would cut power to memory for a shorter
period of time, thereby better preserving its contents).

