COMMAND
Trumpet Winsock
SYSTEMS AFFECTED
Systems running TWSK (UNIX and Win)
PROBLEM
The following vulnerability has been reported by Mark Baker. Trumpet
Winsock stores the dial-up credentials in trumpwsk.ini, and the same
reversible encoding is evidently used for the $password= variable and
for the ppp-username= variable. It is therefore possible to open
trumpwsk.ini, copy the encoded string from the $password= variable into
the ppp-username= variable, start tcpman.exe, go to File -> PPP Options
and read the user's password there, because that dialog displays the
username field in clear text. Impact:
You may say, 'What does this have to do with me, I use UNIX?', and the
answer is: anyone can gain access to your system if one of your users
uses TWSK.
TWSK is the most commonly used TCP/IP stack for Windows 3.x and is
also used by many Windows 95/NT users. This 'bug' works on all
versions and can lead to a serious compromise of security. All one
needs is access to a user's machine.
One can do computer work for a user (or just drop by while they're
not home or at work), steal their ISP credentials, and then have
access to your machine under that user's account. They can then do a
variety of things: probe for local bugs to exploit, initiate denial of
service tactics (e.g. ICMP flooding), get a member's account
cancelled, etc.
SOLUTION
Hopefully Trumpet will change their encryption scheme so that no
stored variable can be converted to clear text by the application
itself, or, if some variable must remain displayable, at least use
separate encryption schemes (or keys) for each variable, so that a
string copied from $password= cannot be decoded as ppp-username=.
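The following Python program is an added illustration of the flaw class
described in the PROBLEM section and of the "separate schemes per
variable" fix proposed above; it is not code from the advisory or from
Trumpet. The one-byte XOR "encryption", the master key and the helper
names are assumptions for the demonstration only; the advisory does not
document Trumpet Winsock's real scheme, and only the INI section and
variable names (trumpwsk.ini, [default vars], ppp-username=, $password=)
are taken from the text. The weak store uses one transform for every
variable, so moving the $password= blob under ppp-username= and opening
the "PPP Options" stand-in yields the password; the hardened store binds
each blob to its variable name with a per-field key and an
authentication tag, so the same swap is refused.

```python
"""Added illustration of the trumpwsk.ini flaw class (not Trumpet's code).
The encoding is a stand-in 1-byte XOR; Trumpet's real scheme is not known
from the advisory.  Only the INI names are taken from the advisory."""
import hashlib
import hmac

XOR_BYTE = 0x5A  # stand-in constant shared by every variable (assumption)


def weak_encode(value: str) -> str:
    return bytes(b ^ XOR_BYTE for b in value.encode()).hex()


def weak_decode(blob: str) -> str:
    return bytes(b ^ XOR_BYTE for b in bytes.fromhex(blob)).decode()


def parse_ini(text: str) -> dict:
    """Minimal key=value reader for a [default vars]-style section."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "[;#" or "=" not in line:
            continue
        key, val = line.split("=", 1)
        out[key.strip()] = val.strip()
    return out


def render_ini(vars_: dict) -> str:
    return "[default vars]\n" + "".join(f"{k}={v}\n" for k, v in vars_.items())


# --- weak design: one transform for every variable -------------------------
def weak_store(username: str, password: str) -> str:
    return render_ini({"ppp-username": weak_encode(username),
                       "$password": weak_encode(password)})


def weak_ppp_options_dialog(ini_text: str):
    """Stand-in for TCPMAN's File -> PPP Options: shows the username decoded."""
    return weak_decode(parse_ini(ini_text)["ppp-username"])


def swap_attack(ini_text: str, dialog):
    """Mark Baker's trick: copy the $password= blob under ppp-username=,
    then let the application decode it through the dialog."""
    v = parse_ini(ini_text)
    v["ppp-username"] = v["$password"]
    return dialog(render_ini(v))


# --- separate scheme per variable: blob bound to its variable name ---------
MASTER_KEY = b"stand-in per-installation secret"  # assumption


def _field_key(field: str) -> bytes:
    # A distinct key per INI variable, derived from the variable's name.
    return hmac.new(MASTER_KEY, field.encode(), hashlib.sha256).digest()


def _keystream(key: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def seal(field: str, value: str) -> str:
    key, data = _field_key(field), value.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
    # The tag covers the field name, so a blob moved elsewhere fails to open.
    tag = hmac.new(key, field.encode() + b"\0" + ct, hashlib.sha256).digest()[:16]
    return (tag + ct).hex()


def open_sealed(field: str, blob: str):
    raw = bytes.fromhex(blob)
    tag, ct = raw[:16], raw[16:]
    key = _field_key(field)
    expect = hmac.new(key, field.encode() + b"\0" + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        return None  # not sealed under this variable: display nothing
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct)))).decode()


def hardened_store(username: str, password: str) -> str:
    return render_ini({"ppp-username": seal("ppp-username", username),
                       "$password": seal("$password", password)})


def hardened_ppp_options_dialog(ini_text: str):
    return open_sealed("ppp-username", parse_ini(ini_text)["ppp-username"])


if __name__ == "__main__":
    print("weak dialog after swap:",
          swap_attack(weak_store("alice", "hunter2"), weak_ppp_options_dialog))
    print("hardened dialog after swap:",
          swap_attack(hardened_store("alice", "hunter2"), hardened_ppp_options_dialog))
```

Binding each blob to its variable name only closes the "display another
variable's value in clear text" path. Anyone with local access can still
drive the application itself as a decoding oracle (as the login script
below does) or pull the key out of the binary, so the durable fix is not
to store the password at all and to prompt for it on each connection.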
John Sheehy used this login script in TWSK 2.0b to recover the stored
password, letting the application do the decoding:
# little script
load $password            # read the stored $password= value from trumpwsk.ini
output \13
display "password: "
display '$password'       # show the decoded variable in the TCPMAN window
output \13\13
#end
Passwords authenticate people, not machines. Your machine
shouldn't "know" your password. Machine-to-machine authentication
should be performed in a protocol that doesn't use a password as
the shared secret.
Paul Melson posted the following. For those of you who are using
Trumpet Winsock and Trumpet TCPManager to do dial-up, you can
prevent the use of the $password variable by simply removing it
from the [default vars] heading of the TRUMPWSK.INI file, and
using a prompt in your LOGIN.CMD like this:
if ![load $password]
  if [password "Enter your login password"]
    # no "save $password" here, so the password is never written back
  end
end