COMMAND

    Trumpet Winsock

SYSTEMS AFFECTED

    Systems running TWSK (UNIX and Win)

PROBLEM

    The following vulnerability has been reported by Mark Baker.  It
    is possible to open trumpwsk.ini, take the encrypted string for
    the $password= variable, and place it in the ppp-username= variable.
    This allows one to start up tcpman.exe, go to File -> PPP Options
    and get the user's password.

    Impact:

    You may say 'What does this have to do with me, I use UNIX?'  The
    answer is that anyone can gain access to your system if one of
    your users uses TWSK.

    TWSK is the most commonly used TCP/IP stack for Windows 3.x and is
    also used by many Windows95/NT users.  This 'bug' works on all
    versions and can lead to a serious compromise of security.  All one
    needs is access to a user's machine.

    One can do computer work for a user (or just drop by while they're
    not home or at work), steal their ISP info, and then have access
    to your machine.  They can then do a variety of things: probe for
    local bugs to exploit, initiate denial of service tactics (e.g.
    ICMP flooding), get a member's account cancelled, etc.

SOLUTION

    Hopefully Trumpet will change their encryption scheme, and make
    no variable convertible to clear text in the application, or if
    needed, at least use separate encryption schemes for them.

    John Sheehy used this script in TWSK 2.0b to recover passwords:

        # little script

        load $password
        output \13
        display "password: "
        display '$password'
        output \13\13

        #end

    Passwords  authenticate   people,  not   machines.  Your   machine
    shouldn't "know" your password. Machine-to-machine  authentication
    should be performed in a  protocol that doesn't use a  password as
    the shared secret.

    Paul Melson posted the following.  For those of you who are using
    Trumpet Winsock and Trumpet TCPManager to do dial-up, you can
    prevent the use of the $password variable by simply removing it
    from the [default vars] heading of the TRUMPWSK.INI file, and
    using a prompt in your LOGIN.CMD like this:

        if ![load $password]
          if [password "Enter your login password"]
          end
        end
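
    The removal step described above can be checked and applied with a
    short script. This is an added example, not part of the original
    advisory or of Trumpet's software; the function name and the sample
    file contents are constructed, and the INI layout is assumed from
    the names quoted in the text.

```python
# Added example: find and remove a stored $password entry from the
# [default vars] section of TRUMPWSK.INI text, leaving every other line
# untouched. Only line numbers are reported, never the stored value,
# because the advisory shows that value can be turned back into clear text.

# Constructed sample; a real TRUMPWSK.INI holds many more settings.
SAMPLE_INI = """\
[Trumpet Winsock]
ppp-username="exampleuser"

[default vars]
$number=5550100
$username=exampleuser
$password=OPAQUE-CONSTRUCTED-VALUE
"""


def strip_saved_password(ini_text):
    """Return (cleaned_text, line_numbers_removed) for the INI text."""
    section = None
    kept, removed = [], []
    for lineno, line in enumerate(ini_text.splitlines(keepends=True), 1):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            # INI section names are compared case-insensitively.
            section = stripped[1:-1].strip().lower()
        elif section == "default vars" and "=" in stripped:
            key = stripped.partition("=")[0].strip().lower()
            if key == "$password":
                removed.append(lineno)
                continue  # drop the stored password line
        kept.append(line)
    return "".join(kept), removed


if __name__ == "__main__":
    cleaned, hits = strip_saved_password(SAMPLE_INI)
    if hits:
        print("stored $password found on line(s):", hits)
        print(cleaned, end="")
    else:
        print("no stored $password in [default vars]")
```

    Run it against a copy of the file and pair it with the LOGIN.CMD
    prompt above, so the password is asked for at dial time rather than
    read back from disk.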