Password Appraiser Information Disclosure

1999-01-21T00:00:00
ID OSVDB:3267
Type osvdb
Reporter OSVDB
Modified 1999-01-21T00:00:00

Description

Vulnerability Description

Password Appraiser (PA) contains a flaw that exposes every internal Windows NT password to the Internet, regardless of the presence of a firewall. The issue is due to PA sending the encrypted NT passwords to a remote host on the Quackenbush network. If an encrypted password matches an entry in their dictionary, the unencrypted password is returned to the PA client. Any attacker who has set up a sniffer between the client and the Quackenbush server can obtain these passwords.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

References:

Other Advisory URL: http://archives.neohapsis.com/archives/bugtraq/1999_1/0258.html
ISS X-Force ID: 1652
CVE-1999-0397