lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <web-154269617@mail5.rambler.ru>
Date: Thu, 18 Aug 2005 18:48:20 +0400
From: "Alexey Agapov" <agapov25@...bler.ru>
To: vuln@...unia.com, bugtraq@...urityfocus.com
Subject: Password Disclosure in Whisper32


Vendor: Shaun Ivory http://www.ivory.org
Download Location: http://www.ivory.org/whisper.html
Versions affected: Whisper32 1.16 (and may be prior)
Date: 13th August 2005
Type of Vulnerability: Information Disclosure in Memory of Process
Severity: Medium
Solution Status: Unpatched

Discovered by: Agapov Alexey, Russia
Online location: http://antilamo.skifstone.com/vuln/whisper32.txt
-----------------------------------------------------------------------

Background:
 From vendor web-site:
"Whisper 32 is a very easy-to-use Password Manager for Windows 95 and 
Windows NT.
- Store all of your passwords in one file(file .WSP).
- Password protection.
- Built-in password generator.
- Passwords may be set to expire at user-configurable intervals.
- Never type in passwords or user-names: use the Windows clipboard to 
transfer them.
- Automatic backups."

Description:
Whisper32 store the password in clear text in the memory of the 
process without encrypting it or nullifying it.
This password is clearly visible, if WSP file loaded in programm and 
password don't entered in dialog-box.
The intruder can get password, if it has only WSP file and special 
software for gather process-memory dump.

----------------------------
Agapov Alexey, Russia
#ICQ: 97482821
Web: antilamo.skifstone.com
----------------------------


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ