SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Security)  >   Whisper 32 Vendors:   ivory.org
Whisper 32 Discloses Password to Local Users
SecurityTracker Alert ID:  1014730
SecurityTracker URL:  http://securitytracker.com/id/1014730
CVE Reference:   CVE-2005-2664   (Links to External Site)
Updated:  Jun 8 2008
Original Entry Date:  Aug 18 2005
Impact:   Disclosure of authentication information
Exploit Included:  Yes  
Version(s): 1.16 and possibly prior versions
Description:   A vulnerability was reported in Whisper 32. A local user can obtain passwords from memory.

The software stores the password in memory in clear text. A local user can inspect the process memory to obtain the password.

Alexey Agapov reported this vulnerability.

Impact:   A local user can obtain the password from process memory.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.ivory.org/whisper.html (Links to External Site)
Cause:   Access control error
Underlying OS:   Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Thu, 18 Aug 2005 18:48:20 +0400
Subject:  Password Disclosure in Whisper 32

Vendor: Shaun Ivory http://www.ivory.org
Download Location: http://www.ivory.org/whisper.html
Versions affected: Whisper32 1.16 (and may be prior)
Date: 13th August 2005
Type of Vulnerability: Information Disclosure in Memory of Process
Severity: Medium
Solution Status: Unpatched

Discovered by: Agapov Alexey, Russia
Online location: http://antilamo.skifstone.com/vuln/whisper32.txt
-----------------------------------------------------------------------

Background:
 From vendor web-site:
"Whisper 32 is a very easy-to-use Password Manager for Windows 95 and 
Windows NT.
- Store all of your passwords in one file(file .WSP).
- Password protection.
- Built-in password generator.
- Passwords may be set to expire at user-configurable intervals.
- Never type in passwords or user-names: use the Windows clipboard to 
transfer them.
- Automatic backups."

Description:
Whisper32 store the password in clear text in the memory of the 
process without encrypting it or nullifying it.
This password is clearly visible, if WSP file loaded in programm and 
password don't entered in dialog-box.
The intruder can get password, if it has only WSP file and special 
software for gather process-memory dump.

----------------------------
Agapov Alexey, Russia
#ICQ: 97482821
Web: antilamo.skifstone.com
----------------------------

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC