| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 18 Aug 2005 18:48:20 +0400 From: "Alexey Agapov" <agapov25@...bler.ru> To: vuln@...unia.com, bugtraq@...urityfocus.com Subject: Password Disclosure in Whisper32 Vendor: Shaun Ivory http://www.ivory.org Download Location: http://www.ivory.org/whisper.html Versions affected: Whisper32 1.16 (and may be prior) Date: 13th August 2005 Type of Vulnerability: Information Disclosure in Memory of Process Severity: Medium Solution Status: Unpatched Discovered by: Agapov Alexey, Russia Online location: http://antilamo.skifstone.com/vuln/whisper32.txt ----------------------------------------------------------------------- Background: From vendor web-site: "Whisper 32 is a very easy-to-use Password Manager for Windows 95 and Windows NT. - Store all of your passwords in one file(file .WSP). - Password protection. - Built-in password generator. - Passwords may be set to expire at user-configurable intervals. - Never type in passwords or user-names: use the Windows clipboard to transfer them. - Automatic backups." Description: Whisper32 store the password in clear text in the memory of the process without encrypting it or nullifying it. This password is clearly visible, if WSP file loaded in programm and password don't entered in dialog-box. The intruder can get password, if it has only WSP file and special software for gather process-memory dump. ---------------------------- Agapov Alexey, Russia #ICQ: 97482821 Web: antilamo.skifstone.com ----------------------------
Powered by blists - more mailing lists