A Stolen-Verifier Attack against SRP-1:

An attacker Anne steals Alice's verifier Xp.
She then engages in the protocol:

Anne->Host:  u                             (Alice's username)
Host->Anne:  N, g, s

Anne computes T = Xp ^ -1 (mod N)          (multplicative inverse)
and picks a random number 1 < q < N - 1.

Anne->Host:  Wp = (g ^ q) * T (mod N)      (instead of g^Ws)
Host->Anne:  Z = Xp + Yp                   (host computes Yp as normal)

      Host:  S = (Wp * Xp) ^ Ys
             Ks = H(s)

If we substitute for Wp here, the server's session key becomes:

             S = (g ^ q * T * Xp) ^ Ys = (g ^ q) ^ Ys = g ^ (q * Ys)

      Anne:  Yp = Z - Xp                   (recovers Yp since Xp is known)
      Anne:  S = Yp ^ q
      Anne:  Kc = H(S)

Since Yp ^ q = (g ^ Ys) ^ q = g ^ (q * Ys), Anne now has the same session
key S as the host.  All Anne needs to do is send

Anne->Host:  H(Z, Kc)

to gain access to the host.