[13279] in bugtraq


Re: CuteFTP saved password 'encryption' weakness

daemon@ATHENA.MIT.EDU (Brian Kifiak)
Fri Jan 7 14:37:34 2000

Mail-Followup-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <20000105142727.A12025@localhost.ca>
Date:         Wed, 5 Jan 2000 14:27:27 -0800
Reply-To: Brian Kifiak <bk@LOCALHOST.CA>
From: Brian Kifiak <bk@LOCALHOST.CA>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <200001050839.VAA05944@fep4-orange.clear.net.nz>; from
              nick@VIRUS-L.DEMON.CO.UK on Wed, Jan 05, 2000 at 09:39:02PM +1200

* Nick FitzGerald (nick@VIRUS-L.DEMON.CO.UK) [01/05/00 12:14]:
> This means that stealing of tree.dat not only allows the thief access
> via CuteFTP to any 'secrets' that may be recorded in that file, but
> they can also be easily decoded for other uses.  The v3.x releases of
> CuteFTP store this data in smdata.dat (the virus does not look for
> that file) but it has a very similar appearing structure to tree.dat
> and uses the same 'encryption' of stored passwords.

This is a moot point anyways.  Anyone who can grab your tree.dat or smdata.dat
can have your passwords even if they were to be strongly encrypted.  One would
only have to download and install their own copy of CuteFTP, stick the
associated .dat file in its path, run CuteFTP, and hit connect.  Your local
machine or another on your network could easily run a sniffer and grab your
plain text passwords as your client connects.  If you don't want to tip off the
admin of a remote site that you have one of their users' passwords, then just
replace the real server's IP with an ftp server you control.

-bk
