SurgeFTP admin account bruteforcable

AFFECTED SYSTEMS

SurgeFTP <= 2.0f on a win32 platform; should give the same results on *nix.

DESCRIPTION

SurgeFTP uses the same (extremely weak) hashing algorithm as the NWAuth module to store the admin password, but adds a fixed 'salting' value ("qr"), making it even weaker against all kinds of attacks, in this case bruteforcing the admin account. (You'll have to consult the source code of the NWAuth module to figure out what I mean.)

In brief, what happens is: when the SurgeFTP administrator sets his account name + password (SurgeFTP won't work without it), this information is written by SurgeFTP to the file 'admin.dat', so that this file contains something like:

admin:qrQ\Wd

This file now contains the authentication information for the admin to log in using Basic HTTP authentication on port 7021 (this port number can be used to identify SurgeFTP servers, BTW) for 'web administration'. Since this authentication on port 7021 allows logins ad infinitum, it can be bruteforced. 'MGR channel' logins do get logged though (they are written to surgeftp.log, surgeftp1.log, ... surgeftp5.log; the logs use about 1 meg of disk space before they start wrapping).

From an attacker's standpoint, we can crack the SurgeFTP computer by using weaknesses in the way the admin password is stored (it is better to think of it as cracking the hashes using their associated passwords, rather than cracking the passwords):

a) the password hash always begins with "qr" (the 'salting' value). This introduces new weaknesses, since this value is used in the hashing algorithm and makes certain hashes impossible, because they don't match any password.

b) every character of the password goes through some calculations (using the salting variable) and then through a modulo 40! Meaning the possible hashes are at most 40 x 40 x 40 for any three-character password, for example (but a lot less because of a).

c) since certain hashes have more passwords associated with them, we can order our specially generated password lists.

Enough theory, now some numbers:

-> a (null) password is cracked in 1 try (duh)
-> for any 1 char (256 possibilities) pwd you set as admin, an attacker just tries a 4, a 1, a 3, a 0, and when all else fails a 2, and he 0wns your win 2 0 0 0
-> for any 2 char pwd (256^2 possibilities), we need <= 168 tries (maximum 8 seconds at 20 attempts/sec.)
-> for any 3 char pwd (256^3 possibilities), we need <= 3916 tries (maximum 3 minutes 15 seconds at 20 attempts/sec.)
-> for any 4 char pwd (256^4 possibilities), we need <= 96012 tries (maximum 1 hour 20 minutes at 20 attempts/sec.)
-> for any 5 char pwd (256^5 possibilities), we need <= 2349912 tries (maximum 1 day 8 hours 40 minutes at 20 attempts/sec.)
...

For demonstrative purposes, I've attached a zipped up wordlist that can crack all passwords <= 3 chars (*nix LF format). The password list is sorted according to point c), meaning that the first passwords have more chances of matching a given hash (because that hash has the most passwords associated with it). The zip also contains the password list generator sources. For pwds > 5/6 chars, we might want to make separate password lists for digits only, lowercase alpha, uppercase alpha, ...

IMPACT

Since the SurgeFTP administrator account has read/write/delete/... privileges on all resources, the impact of bruteforcing the account is quite high. The password can easily be guessed for passwords of up to 5 to 6 characters. And when installing SurgeFTP, there is no way of enabling a better hashing algorithm for the admin account, nor can web administration be disabled when running the server (you should block port 7021 on the firewall).
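Since MGR channel logins are logged, a guessing run at the rate quoted above (20 attempts/sec against one account) stands out clearly from normal admin use. The script below is an added defensive example, not part of the advisory: it counts failed MGR logins per source in a sliding window and flags sources that exceed a threshold. The log line format it parses is an assumption, since the advisory does not show surgeftp.log's layout.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in an ASSUMED line format (the advisory only says MGR
# channel logins are written to surgeftp.log; adapt LINE_RE to the real layout).
BASE = datetime(2001, 8, 5, 14, 0, 0)
SAMPLE_LINES = []
for i in range(25):                      # one source hammering the admin login
    ts = BASE + timedelta(milliseconds=50 * i)
    SAMPLE_LINES.append(f"{ts:%Y-%m-%d %H:%M:%S} MGR 10.0.0.5 login failed user=admin")
for i in range(3):                       # a second source: two typos, then success
    ts = BASE + timedelta(seconds=5 * i)
    result = "ok" if i == 2 else "failed"
    SAMPLE_LINES.append(f"{ts:%Y-%m-%d %H:%M:%S} MGR 10.0.0.9 login {result} user=admin")

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) MGR (?P<ip>\S+) "
    r"login (?P<result>ok|failed) user=(?P<user>\S+)$"
)

def parse(lines):
    """Yield (timestamp, source_ip, result, user) for lines matching LINE_RE."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["ip"], m["result"], m["user"])

def detect_bruteforce(lines, threshold=20, window=timedelta(seconds=10)):
    """Return {source_ip: time_of_first_alert} for every source that accumulates
    `threshold` failed MGR logins inside a sliding `window`. At 20 attempts/sec a
    guessing run trips the default within its first second; a human mistyping
    the password a few times does not."""
    recent = defaultdict(deque)          # ip -> timestamps of recent failures
    alerts = {}
    for ts, ip, result, _user in parse(lines):
        if result != "failed":
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:        # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts

if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LINES).items():
        print(f"ALERT {when:%H:%M:%S} repeated failed MGR logins from {ip}")
```

Because the logs wrap after about 1 meg, ship them off the box (or run the check frequently) so the evidence is not overwritten before it is read.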
The mitigating factors are that 1) an attacker has to know the login name of the administrator account (we can only assume this will be set to "admin", but it can be anything) and 2) passwords of more than 6 characters start to take time to crack unless we limit ourselves to certain password compositions.

GREETS

incubus, zoa chien, r00t-dude, AreS, sentinel, the rest of the #securax people, phr0zen, eXploitek (Xt), n-sanity, and the lucky few that I forgot :)

====================================================
[ByteRage] byterageat_private [www.byterage.cjb.net]
====================================================
This archive was generated by hypermail 2b30 : Sun Aug 05 2001 - 14:40:38 PDT