Bugtraq mailing list archives

Re: Password problem in Trumpet Winsock.


From: jes () GROVE UFL EDU (John Sheehy)
Date: Mon, 7 Apr 1997 02:50:03 -0400


On Sun, 6 Apr 1997, null wrote:

| I've known of this bug for over a year and a half now, and am tired of
| waiting to see if Trumpet will ever fix it.
|
| It is possible to open trumpwsk.ini, take the encrypted string for the
| $password= variable, and place it in the ppp-username= variable. This
| allows one to start up tcpman.exe, go to File > PPP Options and get the
| user's password.
[...]

I use this script in TWSK 2.0b to recover passwords:

# little script

load $password
output \13
display "password: "
display '$password'
output \13\13

#end

Doesn't take much, does it?

I think it's generally a bad idea to store your password in any kind of
dialer program.

Passwords authenticate people, not machines. Your machine shouldn't "know"
your password. Machine-to-machine authentication should be performed in a
protocol that doesn't use a password as the shared secret.


-John Sheehy


