Whisper32 Plaintext Password Disclosure Vulnerability

Versions affected: Whisper32 v1.16 (and possibly prior)
Date: 13th August 2005
Type of Vulnerability: Password Disclosure in Memory of Process
Severity: Medium
Solution Status: Unpatched; vendor was notified without answer
Discovered by: Agapov Alexey
Online location: http://www.uinc.ru/articles/vuln/whisper32-116.shtml
CVE: CVE-2005-2664

Background:
From vendor web-site:
"Whisper 32 is a very easy-to-use Password Manager for Windows 95 and Windows NT.
- Store all of your passwords in one file (file .WSP).
- Password protection.
- Built-in password generator.
- Passwords may be set to expire at user-configurable intervals.
- Never type in passwords or user-names: use the Windows clipboard to transfer them.
- Automatic backups."

Description:
Whisper32 stores the password in clear text in the memory of the process without encrypting it or nullifying it.
The password is clearly visible if a WSP file is loaded in the program and the password has not been entered in the dialog box.
An intruder can obtain the password with only the WSP file and special software for taking a process-memory dump.
Sample of process-memory dump:
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F

[c] Agapov Alexey 13.08.2005
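The "nullifying" step that the description says is missing, as an added example (not code from the advisory or from Whisper32): a password check that either leaves its working copy in memory or wipes it, plus a helper a regression test can use to confirm no plaintext remains. The `arena` buffer, the function names and the password string are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ARENA_SZ 64
/* Stand-in for the process memory holding the working copy (assumption). */
static unsigned char arena[ARENA_SZ];

/* Zero a buffer through a volatile pointer so the compiler cannot
   discard the stores as dead writes. */
static void secure_wipe(void *buf, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) *p++ = 0;
}

/* Compare without an early exit, so timing does not reveal the match length. */
static int ct_equal(const unsigned char *a, const unsigned char *b, size_t n) {
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Regression-test helper: 1 if `needle` still occurs anywhere in the arena. */
static int arena_contains(const char *needle) {
    size_t n = strlen(needle);
    if (n == 0 || n > ARENA_SZ) return 0;
    for (size_t i = 0; i + n <= ARENA_SZ; i++)
        if (memcmp(arena + i, needle, n) == 0) return 1;
    return 0;
}

/* Check `entered` against `expected` via a working copy in the arena.
   wipe == 0 leaves the copy behind (the behaviour described above);
   wipe == 1 clears it first. Returns 1 match, 0 mismatch, -1 too long.
   A real manager should compare a KDF-derived verifier, not the password. */
static int check_password(const char *entered, const char *expected, int wipe) {
    size_t n = strlen(entered);
    if (n >= ARENA_SZ) return -1;
    memcpy(arena, entered, n + 1);
    int ok = (n == strlen(expected)) &&
             ct_equal(arena, (const unsigned char *)expected, n);
    if (wipe) secure_wipe(arena, ARENA_SZ);
    return ok;
}

int main(void) {
    const char *pw = "constructed-pw";  /* constructed sample value */
    check_password(pw, pw, 0);
    printf("no wipe: residue=%d\n", arena_contains(pw));
    check_password(pw, pw, 1);
    printf("wiped:   residue=%d\n", arena_contains(pw));
    return 0;
}
```

On Windows, `SecureZeroMemory` serves the same purpose as the hand-written `secure_wipe` here.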
All documents and programs on this site are collected ONLY for educational purposes; we
are not responsible for any consequences that result from the use of
these materials/programs. You use all of the above at your own risk.
Underground InformatioN Center [&vulnerability]
2000-2015 © uinC Team