Whisper32 Plaintext Password Disclosure Vulnerability

Vendor: Shaun Ivory [http://www.ivory.org]
Versions affected: Whisper32 v1.16 (and may be prior)
Date: 13th August 2005
Type of Vulnerability: Password Disclosure in Memory of Process
Severity: Medium
Solution Status: Unpatched
Vendor was notified without answer

Discovered by: Agapov Alexey
Online location: http://www.uinc.ru/articles/vuln/whisper32-116.shtml
CVE: CVE-2005-2664

Background:
From vendor web-site:
"Whisper 32 is a very easy-to-use Password Manager for Windows 95 and Windows NT.
- Store all of your passwords in one file(file .WSP).
- Password protection.
- Built-in password generator.
- Passwords may be set to expire at user-configurable intervals.
- Never type in passwords or user-names: use the Windows clipboard to transfer them.
- Automatic backups."

Description:
Whisper32 store the password in clear text in the memory of the process without encrypting it or nullifying it. This password is clearly visible, if WSP file loaded in programm and password don't entered in dialog-box. The intruder can get password, if it has only WSP file and special software for gather process-memory dump.

Sample of process-memory dump:

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
....
00CD8260 DC 84 CD 00 00 00 00 00 00 00 00 00 8C 73 FB D8 U„I ?suO
00CD8270 05 00 05 00 00 01 0A 00 88 CF 46 00 0D 00 00 00 ?IF
00CD8280 0D 00 00 00 01 00 00 00 48 3A 5C 6D 79 6B 65 79 H:\mykey <-- full file-name of
00CD8290 73 2E 77 73 70 00 00 00 05 00 05 00 00 01 0F 00 s.wsp <-- data storage
00CD82A0 88 CF 46 00 08 00 00 00 08 00 00 00 02 00 00 00 ?IF
00CD82B0 70 61 73 73 77 6F 72 64 00 00 00 00 00 00 00 00 password <-- password in clear text here
00CD82C0 42 00 05 00 00 01 0C 00 00 00 00 00 9C 81 45 00 B ??E
00CD82D0 C8 14 0A 73 DC 82 CD 00 00 00 00 00 E4 82 CD 00 E sU‚I a‚I
....

[c] Agapov Alexey
13.08.2005