Password Disclosure in Whisper32

From: Alexey Agapov (agapov25_at_rambler.ru)
Date: 08/18/05

  • Next message: Jason Coombs: "Sensitive Information Disclosure Vulnerability in Kinetics Kiosk Product"
    To: vuln@secunia.com, bugtraq@securityfocus.com
    Date: Thu, 18 Aug 2005 18:48:20 +0400
    
    

    Vendor: Shaun Ivory http://www.ivory.org
    Download Location: http://www.ivory.org/whisper.html
    Versions affected: Whisper32 1.16 (and may be prior)
    Date: 13th August 2005
    Type of Vulnerability: Information Disclosure in Memory of Process
    Severity: Medium
    Solution Status: Unpatched

    Discovered by: Agapov Alexey, Russia
    Online location: http://antilamo.skifstone.com/vuln/whisper32.txt
    -----------------------------------------------------------------------

    Background:
     From vendor web-site:
    "Whisper 32 is a very easy-to-use Password Manager for Windows 95 and
    Windows NT.
    - Store all of your passwords in one file(file .WSP).
    - Password protection.
    - Built-in password generator.
    - Passwords may be set to expire at user-configurable intervals.
    - Never type in passwords or user-names: use the Windows clipboard to
    transfer them.
    - Automatic backups."

    Description:
    Whisper32 store the password in clear text in the memory of the
    process without encrypting it or nullifying it.
    This password is clearly visible, if WSP file loaded in programm and
    password don't entered in dialog-box.
    The intruder can get password, if it has only WSP file and special
    software for gather process-memory dump.

    ----------------------------
    Agapov Alexey, Russia
    #ICQ: 97482821
    Web: antilamo.skifstone.com
    ----------------------------


  • Next message: Jason Coombs: "Sensitive Information Disclosure Vulnerability in Kinetics Kiosk Product"