ArGoSoft FTP Server reveals valid usernames and allows for brute force attacks

["Steven" <steven () lovebug org>]

Vendor:   ArGoSoft
Date:     December 31, 2004
Issue:    ArGoSoft FTP Server reveals valid usernames and allows for brute force attacks
URL:      http://www.argosoft.com/ftpserver/
Advisory: http://www.lovebug.org/argosoft_advisory.txt

Program Overview:

ArGoSoft FTP Server is a lightweight FTP Server for Microsoft Windows platforms.  The program "supports all basic FTP 
commands, and much more, such as passive mode, resuming file transfers, windows shortcuts to another files, folders and 
drives (including network drives), virtual domains (multiple IP homes), IP filtering, site specific commands, such as 
compressing and copying files on the server, changing date/time stamps, and so on."  It is fairly simple to use  and 
configure and subsequently does not take much time to get up and running.


Issues:

1. Versions prior to 1.4.2.1 will disclose whether or not a supplied username is valid or not.  A login name supplied 
with the USER command will not be accepted unless it is valid.  If the username is invalid it will return a message 
similar to:

530 User NAME_HERE does not exist

otherwise it will accept the username and ask for the password.  Version 1.4.2.1 and beyond have fixed this problem and 
will ask for a password regardless of whether or not the username actually exists.  The vendor was quick to fix this 
and released a new version relatively shortly after the issue was reported.

2. However, another issue is still at large with ArGOSoft's FTP Server.  This issue exists in the current version 
(1.4.2.4) and in previous versions.  ArGoSoft FTP Server does not have a limit to the number of tries that can be 
entered for a username/password combination before it terminates the connection.  It will allow and unlimited number of 
login attempts.  This issue in conjunction with the previously mentioned one would not only allow for brute force 
password cracking of a known username, but for a quick brute force attack to find valid usernames. It might also be 
worth mentioning that there also does not appear to be any type of login timeout for the login process.  This issue was 
also reported to the vendor at the same time as username problem.


Solutions:

Upgrade to the latest version at the ArGoSoft website.  As for the brute force issue, perhaps that will be fixed in the 
future.  Just make your passwords difficult, keep your login name(s) secure, and turn on logging + monitor it.


Credits:

My recent free time -- which has enabled me to type all of this up.  HAPPY NEW YEAR!

Also: Go Virginia Tech, let's beat Auburn in the Sugar Bowl :)

-Steven
steven () lovebug org
www.lovebug.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html