[30198] in bugtraq
[[ TH 026 Inc. ]] SA #4 - Blackmoon FTP Server cleartext passwords and User enumeration
daemon@ATHENA.MIT.EDU (=?iso-8859-1?Q?Daniel_Nystr=F6m?=)
Wed May 21 13:06:25 2003
Message-ID: <006701c31f27$c001e0c0$0200a8c0@exce>
From: =?iso-8859-1?Q?Daniel_Nystr=F6m?= <exce@netwinder.nu>
To: <bugtraq@securityfocus.com>
Date: Wed, 21 May 2003 01:30:07 +0200
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Telhack 026 Inc. Security Advisory - #4
_________________________________________
Name: Blackmoon FTP Server 2.6 Free Edition
Impact: Medium
Date: May 21 / 2003
_________________________________________
Daniel Nyström a.k.a. excE <exce@netwinder.nu>
_I N F O_
BlackMoon FTP Server is an FTP daemon written specifically for Windows 2000/XP and above. It takes advantage of all the new features in the mentioned oses like io completion ports, thread pooling, running as a system services, using built-in SSL certificate stores, authenticating against an Active Directory or remote NTLM, accessing network shares, impersonating an NT user and more. More at: www.blackmoonftpserver.com
The Non-free editions has not been tested.
_P R O B L E M_
There are two problems with this software.
* User/Password data is stored in plaintext
* Easy to enumerate usernames.
_I M P A C T_
Users with physicall access can steal the database and extract user/pass pairs from it.
Malicious remote users can detect valid usernames on the FTP server.
_E X P L O I T I N G_
The plaintext Usernames/Passwords are stored in the file blackmoon.mdb in the
Blackmoon FTP directory. To extract them use standard Windows software such
as MS Access or MS Excel.
To find out valid usernames/passwords you just look at the server responses.
Valid username with invalid password:
530-Login incorrect. Name[ValidUser] Pass[NotValidPass]
Invalid username with invalid password:
530-Account does not exist. Name[NotValidUser]
A tool for enumerating users in a bruteforce manner will be available on www.telhack.tk next week.
Daniel Nyström, excE
----------------------------------
exce@netwinder.nu
http://www.telhack.tk
http://exce.ath.cx
