CuteFTP saved password 'encryption' weakness

From: Nick FitzGerald (nick@virus-l.demon.co.uk)
Date: Wed Jan 05 2000 - 01:39:02 PST

    Another case of very weak 'protection' of secrets in Win32 network
    client software...
    
    I came across the following while investigating why the Melissa macro
    virus variant W97M/Melissa.M was interested in stealing a file
    called 'tree.dat' from victim machines.
    
    That file is the CuteFTP v1.x and v2.x 'Site Manager' data file,
    recording site names, addresses, site preferences, firewall
    information and (optionally) username and password data.  A quick
    look at a sample tree.dat after installing CuteFTP suggested the
    passwords were 'encrypted' in a very weak manner.  A few moments
    digging revealed that 'encrypted' is too strong a term -- the stored
    value was the original permuted by the simple expedient of adding
    48h to the ASCII value of each character.  The file has a fairly
    simple binary structure, which a few more minutes work would easily
    reverse but the usernames and 'encrypted' passwords are easily
    obtained with a hex file editor.
    
    This means that stealing of tree.dat not only allows the thief access
    via CuteFTP to any 'secrets' that may be recorded in that file, but
    they can also be easily decoded for other uses.  The v3.x releases of
    CuteFTP store this data in smdata.dat (the virus does not look for
    that file) but it has a very similar appearing structure to tree.dat
    and uses the same 'encryption' of stored passwords.
    
    Briefly looking further, I note the pre-v3.0 release of CuteFTP's INI
    file includes the plaintext username and password for the default
    firewall configuration (if one is set).  This same data is stored in
    HKCU\Software\GlobalSCAPE\CuteFTP 3.0\CuteFTP (also in plain text) in
    version 3.56 (tested), and from the key name presumably all other
    v3.x releases.
    
    NT users of CuteFTP would be advised to update to a v3.x release and
    apply adequate security to the DAT file and the registry key
    mentioned (and maybe its siblings -- check for yourself as I only
    found this because I was testing something unrelated to my normal
    concerns), particularly in multiple-user workstation situations.
    Presumably users of other OSes supported by CuteFTP don't care too
    much about security anyway so this is not an issue for them...
    
    A quick check of the CuteFTP Help files failed to find any mention of
    the inherent insecurity in the chosen mechanisms for storing these
    user details.
    
    
    Regards,
    
    Nick FitzGerald
    
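As an added illustration (not part of Nick's post, nor CuteFTP's own code), the following Python models the "add 48h to each character" storage the post describes, together with a heuristic scan for obscured passwords in a binary blob of the kind one would otherwise pick out with a hex editor. The record layout of tree.dat / smdata.dat is not described in the post and is not reproduced; the sample blob is constructed here purely to exercise the functions, and the byte-wise wraparound (`& 0xFF`) and the run-length heuristic are assumptions.

```python
from typing import List, Tuple

OFFSET = 0x48  # per the post: stored byte = ASCII value of the character + 48h

# Printable ASCII 0x20..0x7E maps to 0x68..0xC6, so no byte overflows for a
# normal password; the & 0xFF is a defensive assumption for other input only.
LOW, HIGH = 0x20 + OFFSET, 0x7E + OFFSET


def obscure(password: str) -> bytes:
    """Apply the CuteFTP-style transformation (example model, not its code)."""
    return bytes((b + OFFSET) & 0xFF for b in password.encode("ascii"))


def reveal(stored: bytes) -> str:
    """Undo it: subtract 48h from every stored byte."""
    return bytes((b - OFFSET) & 0xFF for b in stored).decode("ascii")


def candidate_passwords(blob: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Heuristic (assumption, not the file format): report maximal runs of
    bytes in LOW..HIGH of at least min_len bytes, decoded, with their offsets.

    Because every decoded byte is printable by construction, false positives
    are plaintext fields made only of 'h'..'~' and a few high-bit bytes; host
    names and short names rarely form such runs, but eyeball the results.
    """
    found: List[Tuple[int, str]] = []
    start = None
    for i, b in enumerate(blob + b"\x00"):  # trailing sentinel flushes a final run
        if LOW <= b <= HIGH:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                found.append((start, reveal(blob[start:i])))
            start = None
    return found


# Constructed sample: a fake record with some plaintext fields (site name,
# host, user name) followed by an obscured password, then padding.
SAMPLE_BLOB = (
    b"\x00\x05" + b"example site" + b"\x00"
    + b"ftp.example.com" + b"\x00"
    + b"alice" + b"\x00"
    + obscure("s3cret!") + b"\x00\x00"
)

if __name__ == "__main__":
    for offset, password in candidate_passwords(SAMPLE_BLOB):
        print(f"offset {offset:#06x}: {password!r}")
```

Against the sample the scan reports a single candidate, the obscured password, while the plaintext site name, host and user name never form a run of four bytes inside the 0x68..0xC6 window. On a real file the same subtract-48h step is all an attacker needs once the blob is exfiltrated, which is the point the post makes: the "encryption" adds no secrecy beyond file access control.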
