[295] in Best-of-Security
BoS: WS_FTP.INI Security hole.
daemon@ATHENA.MIT.EDU (Milosch Meriac)
Sun Aug 10 11:18:37 1997
Old-X-Envelope-From: anotherPI@studbox.uni-stuttgart.de Sat Aug 9 21:00:34 1997
Date: Sat, 09 Aug 1997 12:59:27 +0200
From: Milosch Meriac <anotherPI@studbox.uni-stuttgart.de>
Errors-To: best-of-security-request@cyber.com.au
To: best-of-security@cyber.com.au
Resent-From: best-of-security@cyber.com.au
hi,
i have discovered the following bug/security hole:
Step 1.: find some WS_FTP.INI files Worldwide using
http://ftpsearch.ntnu.no/ftpsearch?query=ws_ftp.ini&doit=Search&type=Case+insensitive+substring+search&hits=5000&matches=&hitsprmatch=&limdom=&limpath=&f1=Count&f2=Mode&f3=Size&f4=Date&f5=Host&f6=Path&header=none&sort=date&trlen=20
(sorted by Date & Size)
Step 2.: approximately 30% of these Files contain encrypted
Passwords for WWW/FTP servers plus Usernames & Hosts;
---->75% of these Passwords are valid !!!
example: Content of a WS_FTP.INI-file:
[Gate]
HOST=ftp.gate.net
UID=ftp
PWD=616F71717D727B7A48
LOCDIR=D:\
DIR=/
(PWD=<encrypted Password stands here>)
Step 3.: decrypt Passwords:
The Encryption Method used in WS_FTP is _extremely_ weak ! The Password
is converted (ASCII conforming) to Hex-Numbers (2 Digits)... if a Digit
is at position N, then N is added to this Digit ---> that's all !
(The password mentioned in the above example is anonymus@)
How To Check if you are vulnerable:
Scan your whole Website for the File "WS_FTP.INI" and ensure that this
File is Locked for all Users except the Owner !
In rare cases this also works with
- EUDORA.INI
- PMAIL.INI (Pegasus Mail)
- prefs.js (Netscape)
- other INI/etc.-files
_All_ files/programs mentioned above have _extremely_weak_ encryption-schemes...
please check your Website !
-milosch meriac
---------
HomePage: http://wwwcip.rus.uni-stuttgart.de/~tky20848/
PGP: http://wwwcip.rus.uni-stuttgart.de/~tky20848/PGP/anotherpi.key
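
An added example (not part of the original post) of the check recommended above: it walks a directory tree for WS_FTP.INI files, reports whether group/other users can access each one and which sections store a PWD value, and reverses the per-position offset to confirm that a stored value is recoverable. The function names are illustrative; it assumes POSIX permission bits and reads "position N" as a zero-based byte index, which matches the sample in the post.

```python
import os
import stat
import tempfile

def decode_pwd(hex_value):
    """Undo the per-position offset: byte at index N (0-based) had N added."""
    raw = bytes.fromhex(hex_value)
    return "".join(chr((b - n) % 256) for n, b in enumerate(raw))

def stored_passwords(path):
    """Return [(section, PWD value)] for every non-empty PWD= entry in an INI file."""
    hits, section = [], None
    with open(path, encoding="latin-1") as fh:
        for line in fh:
            line = line.strip()
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
            elif line.upper().startswith("PWD=") and len(line) > 4:
                hits.append((section, line[4:]))
    return hits

def audit_tree(root):
    """Walk root; report each WS_FTP.INI, its mode, and sections holding a password."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "ws_ftp.ini":
                continue
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            findings.append({
                "path": path,
                "mode": oct(mode),
                "others_can_access": bool(mode & 0o077),  # POSIX group/other bits
                "sections_with_pwd": [s for s, _ in stored_passwords(path)],
            })
    return findings

if __name__ == "__main__":
    # Constructed demo tree holding the sample file quoted in the post.
    sample = "[Gate]\nHOST=ftp.gate.net\nUID=ftp\nPWD=616F71717D727B7A48\nLOCDIR=D:\\\nDIR=/\n"
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "WS_FTP.INI")
        with open(path, "w") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)
        for finding in audit_tree(root):
            print(finding)
        print(repr(decode_pwd(stored_passwords(path)[0][1])))
```

Any file reported with others_can_access set and a non-empty sections_with_pwd list should be removed from the published tree or restricted to its owner, and the passwords it held should be changed.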