Bugtraq mailing list archives

SurgeFTP admin account bruteforcable


From: ByteRage <byterage () yahoo com>
Date: Sat, 4 Aug 2001 05:31:01 -0700 (PDT)

AFFECTED SYSTEMS

SurgeFTP <= 2.0f on a win32 platform,
should give the same results on *nix

DESCRIPTION

SurgeFTP uses the same (extremely weak) hashing
algorithm as the NWAuth module to store the admin
password, but adds a fixed 'salting' value ("qr"),
which makes it even weaker against all kinds of
attacks, in this case bruteforcing the admin
account.
(You'll have to consult the source code of the NWAuth
module to see what I mean.)

In brief, what happens is:

When the SurgeFTP administrator sets his account name
and password (SurgeFTP won't work without it), this
information is written by SurgeFTP to the file
'admin.dat', which then contains something like:
admin:qrQ\Wd

This file now contains the authentication information
the admin uses to log in with Basic HTTP authentication
on port 7021 (this port number can be used to identify
SurgeFTP servers, BTW) for 'web administration'.

Since this authentication on port 7021 allows login
attempts ad infinitum, it can be bruteforced. 'MGR
channel' logins do get logged though (they are written
to surgeftp.log, surgeftp1.log, ... surgeftp5.log; the
logs use about 1 MB of disk space before they start
wrapping).
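Because MGR logins are logged but the log files wrap after roughly 1 MB, the useful defensive step is to watch those logs for bursts of failed web-administration logins and to ship them off the host before they roll over. The following Python is an added example, not code from the advisory or from SurgeFTP: the advisory does not document the surgeftp.log line layout, so SAMPLE_LOG and the regular expression LINE_RE are constructed for illustration and the pattern must be adapted to the real format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# CONSTRUCTED sample lines; the real surgeftp.log layout is not given in the
# advisory, so treat this format (and LINE_RE below) as an assumption.
SAMPLE_LOG = """\
2001-08-04 05:31:01 MGR login failed user=admin from=10.0.0.5
2001-08-04 05:31:01 MGR login failed user=admin from=10.0.0.5
2001-08-04 05:31:02 MGR login failed user=admin from=10.0.0.5
2001-08-04 05:31:02 MGR login failed user=admin from=10.0.0.5
2001-08-04 05:31:03 MGR login failed user=admin from=10.0.0.5
2001-08-04 05:31:03 MGR login failed user=admin from=10.0.0.5
2001-08-04 05:32:10 MGR login failed user=admin from=10.0.0.9
2001-08-04 05:32:15 MGR login ok user=admin from=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) MGR login "
    r"(?P<result>failed|ok) user=(?P<user>\S+) from=(?P<ip>\S+)$"
)


def parse(lines):
    """Yield (timestamp, result, user, source ip) for lines matching LINE_RE;
    lines in another format are skipped rather than raising."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]


def failed_login_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: peak_failures} for every source that produced at
    least `threshold` failed MGR logins inside any `window`-long span.
    Assumes the log is in chronological order, as an appended log would be."""
    recent = defaultdict(deque)   # per-ip timestamps of failures still in window
    peak = defaultdict(int)       # per-ip highest in-window failure count seen
    for ts, result, _user, ip in parse(lines):
        if result != "failed":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    print(failed_login_bursts(SAMPLE_LOG.splitlines()))
```

With the sample above only 10.0.0.5 crosses the default threshold (six failures in three seconds); the single failure from 10.0.0.9 followed by a successful login is normal operator behaviour and is not reported. Run this against the five rotating log files in order, or better, against a copy forwarded to a central log host so the wrap-around does not erase the evidence.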

From an attacker's standpoint, the SurgeFTP computer
can be cracked using weaknesses in the way the admin
password is stored (it is better to think of it as
cracking the hashes using their associated passwords,
rather than cracking the passwords themselves):
a) the password hash always begins with "qr" (the
'salting' value); this introduces new weaknesses,
since this value is used in the hashing algorithm and
makes certain hashes impossible because they don't
match any password
b) every character of the password goes through some
calculations (using the salting variable) and then
through a modulo 40! This means there are at most
40 x 40 x 40 possible hashes for a three-character
password, e.g. (but a lot less because of a)
c) since certain hashes have more passwords associated
with them, we can order our specially generated
password lists accordingly
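The check a reviewer of any password store should run on a construction like this is to count how much of the nominal 256^n keyspace actually survives the hash. The following Python is an added example, not SurgeFTP or NWAuth code: the advisory does not give the real NWAuth computation, so toy_char_hash (XOR with a byte of the "qr" salt, then modulo 40) is an assumption that preserves only the per-character modulo-40 collapse of point b. Because each character is reduced independently, the number of reachable hashes is the product of the reachable residues per position, which is the worst-case number of guesses; ordering the representatives by how many passwords collide on each hash is point c. The toy hash reaches every residue, so its numbers are higher than the advisory's (the real algorithm also loses hashes through point a).

```python
from collections import Counter
from functools import reduce

SALT = "qr"            # the fixed 'salting' value named in the advisory
MODULUS = 40           # the per-character reduction named in point b
ALPHABET = range(256)  # the advisory counts 256 possibilities per character


def toy_char_hash(byte, pos):
    """ASSUMED mixing step: XOR with a salt byte, then modulo 40.
    The real NWAuth computation is not reproduced here; only the
    modulo-40 collapse described in the advisory is kept."""
    return (byte ^ ord(SALT[pos % len(SALT)])) % MODULUS


def bucket_table(length):
    """For each password position, count how many alphabet bytes land in
    each reachable residue. Positions are independent, so the whole hash
    space is the product of these columns."""
    return [Counter(toy_char_hash(b, pos) for b in ALPHABET)
            for pos in range(length)]


def distinct_hashes(length):
    """Worst-case number of guesses: one representative password per
    reachable hash suffices, so this is the attacker's upper bound."""
    return reduce(lambda n, col: n * len(col), bucket_table(length), 1)


def expected_guesses(length):
    """Expected guesses against a uniformly random password when the
    representatives are tried in descending order of how many passwords
    collide on each hash (the ordering of point c)."""
    weights = [1]
    for col in bucket_table(length):
        weights = [w * cnt for w in weights for cnt in col.values()]
    weights.sort(reverse=True)
    total = sum(weights)
    return sum(rank * w for rank, w in enumerate(weights, start=1)) / total


def keyspace_report(length, rate=20):
    """Compare the nominal keyspace with what the hash leaves, at the
    advisory's assumed rate of 20 attempts per second."""
    worst = distinct_hashes(length)
    return {
        "nominal": len(ALPHABET) ** length,
        "worst_case_guesses": worst,
        "expected_guesses": expected_guesses(length),
        "worst_case_seconds": worst / rate,
    }


if __name__ == "__main__":
    for n in range(1, 4):
        print(n, keyspace_report(n))
```

For one character the toy hash leaves 40 reachable values out of 256, and because 16 residues absorb 7 bytes each while the other 24 absorb 6, guessing the heavy residues first brings the expected count down to 19.75 rather than the 128.5 a uniform 256-way guess would need. The same product rule is why a per-character reduction is fatal regardless of the exact mixing: the bound grows as 40^n instead of 256^n.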

Enough theory, now some numbers:
-> an empty (null) password is cracked in 1 try (duh)
-> for any 1-char pwd (256 possibilities) you set as
admin, an attacker just tries a 4, a 1, a 3, a 0, and
when all else fails a 2, and he 0wns your win 2 0 0 0
-> for any 2-char pwd (256^2 possibilities), we need
<= 168 tries
   (maximum 8 seconds at 20 attempts / sec.)
-> for any 3-char pwd (256^3 possibilities), we need
<= 3916 tries
   (maximum 3 minutes 15 seconds at 20 attempts / sec.)
-> for any 4-char pwd (256^4 possibilities), we need
<= 96012 tries
   (maximum 1 hour 20 minutes at 20 attempts / sec.)
-> for any 5-char pwd (256^5 possibilities), we need
<= 2349912 tries
   (maximum 1 day 8 hours 40 minutes at 20 attempts / sec.)
   ...

For demonstrative purposes, I've attached a zipped-up
wordlist that can crack all passwords <= 3 chars (*nix
LF format). The password list is sorted according to
point c), meaning that the first passwords have more
chance of matching a given hash (because that hash
has the most passwords associated with it).

The zip also contains the password list generator
sources.

For pwds of more than 5 or 6 chars, we might want to
make separate password lists for digits only, lowercase
alpha, uppercase alpha, ...

IMPACT

Since the SurgeFTP administrator account has
read/write/delete/... privileges on all resources,
the impact of bruteforcing the account is quite high.
The password can easily be guessed for passwords of up
to 5 or 6 characters. When installing SurgeFTP,
there is no way to enable a better hashing
algorithm for the admin account, nor can web
administration be disabled while the server is running
(you should block port 7021 on the firewall). The
mitigating factors are that 1) an attacker has to know
the login name of the administrator account (we can
only assume this will be set to "admin", but it can be
anything) and 2) passwords of more than 6 characters
start to take time to crack unless we limit ourselves
to certain password compositions.

GREETS

incubus, zoa chien, r00t-dude, AreS, sentinel, the
rest of the #securax people, phr0zen, eXploitek (Xt),
n-sanity, and the lucky few that I forgot :)

====================================================
[ByteRage] byterage () yahoo com [www.byterage.cjb.net]
====================================================


Attachment: surgeadm.zip
Description: surgeadm.zip
