pbenner
just joined
Topic Author
Posts: 3
Joined: Fri Jul 27, 2018 9:10 pm

Security Issue in The Dude

Thu Aug 08, 2019 12:23 am

I have discovered that if you're using a custom tool in The Dude, it is possible to discover the password to any configured device in The Dude in plain text, and nearly anyone can do this regardless of their access level in The Dude.

I feel that this should be addressed immediately, as there is a big difference between someone having Right Click access via a tool and to be given the user's login in clear text on an error.

Since there haven't been any documented changes recently and despite version upgrades this still exists, I would like to see it addressed:

To create the issue:

Define your tool and its login per the documentation. For this example, winbox is located at:

c:\tools\winbox.exe

If my employee on their workstation renames or moves the winbox executable, they have provided the password that was configured for the device in plain text when they get the error for the tool not being available. What can be done so that this isn't possible? Ideally I'd like to have The Dude not display the error the way that it does and to keep the password invisible.

Thanks!

Paul
 
vecernik87
Long time Member
Posts: 644
Joined: Fri Nov 10, 2017 8:19 am

Re: Security Issue in The Dude

Thu Aug 08, 2019 12:55 am

Dude is no longer being actively developed and there is no way to protect the password. If you hide the error message, a bad guy will simply replace the EXE with a custom-made program which shows any argument sent to the program (that is as easy as it sounds).
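
The two posts above, modelled as an added example (not part of the thread and not The Dude's code): a launcher whose tool-not-found error echoes the full command line, the same launcher with the error redacted, and a check that the password is still in the argument list either way. The template syntax, device values and function names are assumptions made for illustration.

```python
import subprocess

# Constructed sample data: not taken from the thread or from The Dude.
DEVICE = {"address": "192.0.2.10", "user": "admin", "password": "S3cr3t-example"}
# Hypothetical template syntax; the path deliberately does not exist, which
# stands in for the renamed or moved winbox executable in the first post.
TOOL = ["/nonexistent/tools/winbox.exe", "{address}", "{user}", "{password}"]
SECRET_FIELDS = ("password",)


def build_argv(template, device):
    """Expand placeholders into the argument list handed to the external tool."""
    return [part.format(**device) for part in template]


def redact(argv, device):
    """Return argv with every secret field value masked, for logs and dialogs."""
    secrets = [device[f] for f in SECRET_FIELDS if device.get(f)]
    out = []
    for arg in argv:
        for s in secrets:
            arg = arg.replace(s, "********")
        out.append(arg)
    return out


def launch(template, device, safe_errors=True):
    """Start the tool; return None on success or an error string on failure."""
    argv = build_argv(template, device)
    try:
        subprocess.Popen(argv)
    except OSError as exc:
        # safe_errors=False reproduces the behaviour reported in the first post.
        shown = redact(argv, device) if safe_errors else argv
        return f"cannot start tool: {' '.join(shown)} ({exc.strerror})"
    return None


if __name__ == "__main__":
    print("unredacted:", launch(TOOL, DEVICE, safe_errors=False))
    print("redacted:  ", launch(TOOL, DEVICE))
    # Redaction only changes what is displayed; the secret is still passed on.
    print("argv still holds secret:", DEVICE["password"] in build_argv(TOOL, DEVICE))
```

Redacting the message addresses the symptom in the first post, while the last check shows why the reply still holds: whatever binary sits at the tool path receives the password as an argument.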
